
disable csrf in dpaste

Open datta90 opened this issue 3 years ago • 1 comments

I am using the dpaste Docker image, but once I try to generate any link for my text it always shows a CSRF protection issue. Can anyone help with how to disable this feature?

datta90 avatar Aug 09 '22 02:08 datta90

In your settings add,

CSRF_COOKIE_SECURE = False

DarrenOfficial avatar Aug 09 '22 04:08 DarrenOfficial

thanks

datta90 avatar Sep 06 '22 17:09 datta90

I added CSRF_COOKIE_SECURE = False to dpaste/apps.py like so, rebuilt and ran the image, but am still getting:

Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.

You can check my instance here.

Kevin-Mok avatar Apr 29 '24 17:04 Kevin-Mok

The changes should be done to local.py: https://github.com/DarrenOfficial/dpaste/blob/master/dpaste/settings/local.py.example

DarrenOfficial avatar Apr 29 '24 23:04 DarrenOfficial

I added CSRF_COOKIE_SECURE = False to my local.py, rebuilt and ran the image and am still getting the 403 error. The local.py also has DEBUG = True, and I can see this in my instance when the 403 error occurs because it shows the debug information. So, it took my custom local.py, but the CSRF disabling still doesn't work?

Edit: So, it works without https. I suppose this is intended and the way it works?

Kevin-Mok avatar Apr 30 '24 00:04 Kevin-Mok

I've responded to your email 🙂

> Edit: So, it works without https. I suppose this is intended and the way it works?

Definitely not

-- From email:

Could you show me your docker configuration / docker compose file;

Additionally, are you using a proxy server (i.e. NGINX, Apache, Traefik, Caddy, etc.)? If so, could you send the configuration of that as well; the error might be because of a misconfigured proxy.

DarrenOfficial avatar May 02 '24 17:05 DarrenOfficial

> Edit: So, it works without https. I suppose this is intended and the way it works?

What I meant was it would work without https, not that it should be run without. :sweat_smile:

> Could you show me your docker configuration / docker compose file;

I didn't touch the original Docker files. But, the command I'm using to run the Docker container is: docker run --rm -p 8001:8000 -e --detach dpaste:csrf.

> Additionally are you using a proxy server

I'm using NGINX. In /etc/nginx/sites-available/mnpd.conf:

server {
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        proxy_pass http://0.0.0.0:8001;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mnpd.khkm.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mnpd.khkm.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = mnpd.khkm.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    return 404; # managed by Certbot
}

Kevin-Mok avatar May 02 '24 17:05 Kevin-Mok

I see, try this reverse proxy config; this is what dpaste uses in prod.

location ^~ /
{
    proxy_pass http://127.0.0.1:8001;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;

    #Persistent connection related configuration - Optional dpaste.org has it enabled.
    #add_header Access-Control-Allow-Origin *;

}

DarrenOfficial avatar May 03 '24 03:05 DarrenOfficial
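The pattern in this thread (CSRF failures only over https, fine over plain http, TLS terminated by NGINX in front of a Django app) is what Django's CsrfViewMiddleware produces when the app believes it is serving `http://host` while the browser's `Origin` header says `https://host`. The following is an added example, not code from the issue, from dpaste or from Django: a simplified model of that Origin comparison, with the hostname from the thread and the other values constructed. It shows why `CSRF_COOKIE_SECURE = False` does not help (that setting only controls the cookie's `Secure` flag), and that the check passes once the app learns the original scheme, either via a forwarded-proto header it has been told to trust (`SECURE_PROXY_SSL_HEADER`) or via `CSRF_TRUSTED_ORIGINS`, while a cross-site POST is still rejected.

```python
"""Added example (not dpaste's or Django's code): a simplified model of the
Origin check Django's CsrfViewMiddleware applies, used to show why a Django
app behind a TLS-terminating reverse proxy can 403 every POST over https
while working over plain http. Real Django also falls back to a Referer
check and supports wildcard trusted origins; both are omitted here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hostname taken from the thread; everything else below is constructed.
HOST = "mnpd.khkm.dev"


@dataclass
class Request:
    """The parts of the request the check needs, as the backend receives
    them, i.e. after the proxy has rewritten the hop."""
    host: str
    origin: Optional[str]                 # browser's Origin header, if any
    transport_https: bool                 # was the hop into the app TLS?
    forwarded_proto: Optional[str] = None # X-Forwarded-Proto set by the proxy


@dataclass
class Settings:
    """Mirrors the shape of two Django settings (hypothetical stand-in)."""
    secure_proxy_ssl_header: Optional[Tuple[str, str]] = None  # (header, value)
    csrf_trusted_origins: List[str] = field(default_factory=list)


def is_secure(req: Request, settings: Settings) -> bool:
    """A request counts as secure if its own hop was TLS, or if the proxy
    header the operator explicitly configured carries the expected value.
    An unconfigured X-Forwarded-Proto is ignored: the app must not trust a
    header any client could send unless the proxy is known to overwrite it."""
    if req.transport_https:
        return True
    if settings.secure_proxy_ssl_header:
        header, value = settings.secure_proxy_ssl_header
        return header == "X-Forwarded-Proto" and req.forwarded_proto == value
    return False


def origin_check(req: Request, settings: Settings) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept when Origin equals the scheme+host
    the app believes it serves, or is an explicitly trusted origin."""
    if req.origin is None:
        return True, "no Origin header (real Django would check Referer)"
    scheme = "https" if is_secure(req, settings) else "http"
    expected = f"{scheme}://{req.host}"
    if req.origin == expected:
        return True, f"Origin matches {expected}"
    if req.origin in settings.csrf_trusted_origins:
        return True, "Origin listed in CSRF_TRUSTED_ORIGINS"
    return False, f"Origin {req.origin} does not match {expected}"


def scenario_broken() -> Tuple[bool, str]:
    """NGINX terminates TLS and proxies to http://127.0.0.1:8001 without
    X-Forwarded-Proto: the app sees http, the browser sent an https Origin."""
    return origin_check(Request(HOST, f"https://{HOST}", False), Settings())


def scenario_plain_http() -> Tuple[bool, str]:
    """Same deployment reached over plain http: schemes agree, so it works."""
    return origin_check(Request(HOST, f"http://{HOST}", False), Settings())


def scenario_forwarded_proto() -> Tuple[bool, str]:
    """Proxy adds `proxy_set_header X-Forwarded-Proto $scheme;` and the app
    sets SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")."""
    req = Request(HOST, f"https://{HOST}", False, forwarded_proto="https")
    return origin_check(req, Settings(("X-Forwarded-Proto", "https")))


def scenario_trusted_origin() -> Tuple[bool, str]:
    """Alternative fix: list the public https origin explicitly."""
    req = Request(HOST, f"https://{HOST}", False)
    return origin_check(req, Settings(csrf_trusted_origins=[f"https://{HOST}"]))


def scenario_cross_site_post() -> Tuple[bool, str]:
    """With the fix in place, a POST originating from another site is
    still rejected, so the protection has not been weakened."""
    req = Request(HOST, "https://other.example", False, forwarded_proto="https")
    return origin_check(req, Settings(("X-Forwarded-Proto", "https")))


if __name__ == "__main__":
    for name, fn in [("broken", scenario_broken), ("plain http", scenario_plain_http),
                     ("forwarded proto", scenario_forwarded_proto),
                     ("trusted origin", scenario_trusted_origin),
                     ("cross-site", scenario_cross_site_post)]:
        ok, why = fn()
        print(f"{name:16} {'accept' if ok else 'REJECT'}: {why}")
```

Of the two fixes modelled, the forwarded-proto route is only safe when the proxy always sets the header itself (NGINX's `proxy_set_header` overwrites whatever the client sent), and the app is reachable solely through that proxy; otherwise a client could set the header directly and be treated as https.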