Login

Bypass CSRF check for Facebook canvas apps using POST for canvas

Author:
mjallday
Posted:
November 23, 2010
Language:
Python
Version:
Not specified
Score:
1 (after 1 ratings)

This assumes that you have a method called decode_signed_request which will validate the signed_request parameter and return None if the validation check fails.

A similar method can be found here - https://github.com/iplatform/pyFaceGraph/blob/70e456c79f1ac1c7eddece03af323346a00481ef/src/facegraph/canvas.py

1
2
3
4
5
6
7
8
class IgnoreFbCsrfMiddleware(object):
    def process_request(self, request):
        
        signed_request = request.REQUEST.get('signed_request', None)
        
        signed_request = decode_signed_request(signed_request, settings.FACEBOOK_APP_SECRET)
        
        request.csrf_processing_done = signed_request != None

More like this

  1. Template tag - list punctuation for a list of items by shapiromatron 11 months, 2 weeks ago
  2. JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 11 months, 3 weeks ago
  3. Serializer factory with Django Rest Framework by julio 1 year, 6 months ago
  4. Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 7 months ago
  5. Help text hyperlinks by sa2812 1 year, 7 months ago

Comments

pyrou2 (on December 17, 2010):

adding

request.META["CSRF_COOKIE"] = _get_new_csrf_key()

will allow you to use {% crsf_token %} in further requests

class FacebookCsrfMiddleware(object):
    """
    Facebook CSRF protection
    """
    def process_request(self, request):
        signed_request = request.REQUEST.get('signed_request', None)
        signed_request = parse_signed_request(signed_request, settings.FACEBOOK_SECRET_KEY)
        if signed_request != None:
            from django.middleware.csrf import _get_new_csrf_key
            request.META["CSRF_COOKIE"] = _get_new_csrf_key()
            request.csrf_processing_done = True

#

subhranath (on March 22, 2011):

why not put a simple 'csrf_exempt' decorator on the view that where the 'signed_request' is encountered. Solves the need for the 'request.META["CSRF_COOKIE"] = _get_new_csrf_key()' anyway.

P.S. I'm assuming that we wont use this view for making any other sort of POST.

#

subhranath (on March 22, 2011):

And the rest of the views won't even have to go through the extra layer of the middleware stack. And even more, there won't even be a chance of POST parameter name clash of 'signed_request' intended for some other view, the use of which is very much probable in such this case.

#

Please login first before commenting.