flask-csrf
Not thread-safe if a single Python interpreter is servicing multiple apps.
This is due to csrf._exempt_views being module (global) state. One app could exempt a view that collides with a non-exempt view of the same name in another app, thereby exempting that one as well.
What should be done is to move the extension functionality into a class and keep the exempt views as an instance variable.
This came from irc.freenode.net #pocoo:
04:11 razamatan> so csrf decided not to return an obj
04:11 donri> not sure if that's safe for use with multiple apps
04:11 razamatan> "so its up to the ext if it needs to return the ext obj bound to an app instance or not"
04:12 donri> the exempt thing anyway might conflict
04:12 donri> really, it's up to an extension to do what the f* it wants :D
04:12 razamatan> yeah
04:12 donri> there is only conventions, no specific API
04:12 razamatan> you're concerned about _exempt_views since it's global state?
04:12 donri> yes
04:13 donri> would've been better as an instance variable
04:14 razamatan> yeah... it totally could be an instance var
04:14 razamatan> do you want to create an issue for the author on github or should i?
04:14 razamatan> i was going to simply cut and paste your suggestion
04:15 donri> meh, that ext needs serious work before it could be an approved extension
04:17 donri> http://flask.pocoo.org/docs/extensiondev/ btw
04:17 razamatan> ah
04:18 razamatan> somehow it's listed in the flask ext registry though
04:18 razamatan> ?
04:18 donri> But no star next to it ;)
04:19 razamatan> ah
04:21 Eftarjin> the only situation i see where _exempt_views being global could be a problem is if the same vie
04:21 donri> It needs to be renamed to capital case, should probably use a class, needs a setup.py and to be on pypi
04:21 Eftarjin> if the same view function is exempted in an app but not in another
04:21 razamatan> Eftarjin: it can happen and the fix is easy enough so...
04:22 donri> Eftarjin: i agree but who is to say that scenario can't happen
04:22 razamatan> donri: i think it has a setup.py... it doesn't appear to have any tests though
04:22 donri> it's bad practice in any case
04:22 donri> on_csrf should maybe be a decorator on the instance too
04:22 donri> more flasky
04:22 donri> @csrf.attack_detected
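The collision described in the issue, and the instance-variable fix it proposes, as an added example (not flask-csrf's own code and not the extension's real API). Flask is replaced by a tiny `App` stand-in so the script runs offline; it assumes exemptions are keyed by the view function's `__name__` (the "same name" collision above) and that the CSRF check runs once per request. The names `App`, `csrf_exempt`, `global_csrf_check` and `Csrf` are illustrative. Two apps each define a view literally named `webhook`; only app A exempts it, yet with the module-global registry a forged POST to app B is accepted.

```python
"""Module-global exempt state leaking between apps, and the per-instance fix.

Added example, not flask-csrf's own code. Flask is replaced by a tiny App
stand-in so it runs offline. Assumptions: exemptions are keyed by the view
function's __name__ (the "same name" collision in the issue) and the CSRF
check runs per request. All names here are illustrative, not the real API.
"""
import hmac

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class App:
    """Stand-in for a Flask app: maps a path to a view function."""

    def __init__(self):
        self.views = {}

    def route(self, path):
        def register(view):
            self.views[path] = view
            return view
        return register


def _token_ok(submitted, expected):
    """Constant-time comparison so a token cannot be guessed byte by byte."""
    if submitted is None or expected is None:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


# --- The pattern the issue objects to: module (global) state ----------------
_exempt_views = set()  # one set shared by every app in this interpreter


def csrf_exempt(view):
    """Mark a view exempt in the global registry, keyed by function name."""
    _exempt_views.add(view.__name__)
    return view


def global_csrf_check(app, path, method, submitted, expected):
    """Per-request check against the global registry: 'allowed' or 'rejected'."""
    if method in SAFE_METHODS or app.views[path].__name__ in _exempt_views:
        return "allowed"
    return "allowed" if _token_ok(submitted, expected) else "rejected"


# --- The fix the issue proposes: an extension class with instance state ------
class Csrf:
    def __init__(self, app):
        self.app = app
        self._exempt_views = set()  # per instance: cannot leak into another app

    def exempt(self, view):
        self._exempt_views.add(view.__name__)
        return view

    def check(self, path, method, submitted, expected):
        if method in SAFE_METHODS or self.app.views[path].__name__ in self._exempt_views:
            return "allowed"
        return "allowed" if _token_ok(submitted, expected) else "rejected"


def build_app(exempt_webhook):
    """Every app defines a view literally named `webhook`; only some exempt it."""
    app = App()

    @app.route("/hook")
    def webhook():
        return "ok"

    if exempt_webhook:
        csrf_exempt(webhook)  # global registry now contains "webhook"
    return app


def demo():
    a = build_app(exempt_webhook=True)   # A legitimately exempts its hook
    b = build_app(exempt_webhook=False)  # B never exempts its hook
    results = {}
    # Global state: a forged POST to B (no token) is waved through, because
    # A's exemption was recorded under the shared name "webhook".
    results["global_b_forged_post"] = global_csrf_check(b, "/hook", "POST", None, "s3cr3t")
    # Instance state: A keeps its exemption, B enforces the token.
    csrf_a, csrf_b = Csrf(a), Csrf(b)
    csrf_a.exempt(a.views["/hook"])
    results["instance_a_forged_post"] = csrf_a.check("/hook", "POST", None, "s3cr3t")
    results["instance_b_forged_post"] = csrf_b.check("/hook", "POST", "wrong", "s3cr3t")
    results["instance_b_valid_post"] = csrf_b.check("/hook", "POST", "s3cr3t", "s3cr3t")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keying the exemption on the function object rather than its name would also avoid the name collision, but it would not fix the underlying problem: any registry held at module level is shared by every app the interpreter loads, so the real fix is the per-instance set shown in `Csrf`. The token comparison uses `hmac.compare_digest` so that rejection time does not depend on how many leading bytes of a forged token happen to match.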
This issue is addressed in an alternative to this extension I wrote (which also seeks to add additional desired functionality such as constant-time comparison) which can be found here: https://github.com/maxcountryman/flask-seasurf
+1 (I was thinking the same thing when looking at that global)