From 5737916435bfeaec27dfd64af918bd8c7ae6ac0f Mon Sep 17 00:00:00 2001
From: jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Date: Mon, 18 Apr 2011 17:28:53 +0000
Subject: [PATCH] enabling the CSRF protection middleware and adding the {%
 csrf_token %} tag to the forms, now OSQA is protected from Cross Site Request
 Forgery attacks

git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@988 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
 forum/skins/default/templates/answer_edit.html              | 3 ++-
 forum/skins/default/templates/ask.html                      | 1 +
 forum/skins/default/templates/auth/auth_settings.html       | 1 +
 forum/skins/default/templates/auth/complete.html            | 2 ++
 forum/skins/default/templates/auth/signin.html              | 4 ++++
 forum/skins/default/templates/auth/temp_login_request.html  | 1 +
 forum/skins/default/templates/close.html                    | 1 +
 forum/skins/default/templates/feedback.html                 | 1 +
 forum/skins/default/templates/header.html                   | 1 +
 forum/skins/default/templates/node/comments.html            | 1 +
 forum/skins/default/templates/notarobot.html                | 1 +
 forum/skins/default/templates/osqaadmin/createuser.html     | 1 +
 forum/skins/default/templates/osqaadmin/edit_page.html      | 1 +
 forum/skins/default/templates/osqaadmin/maintenance.html    | 1 +
 forum/skins/default/templates/osqaadmin/moderation.html     | 1 +
 forum/skins/default/templates/osqaadmin/nodeman.html        | 4 ++++
 forum/skins/default/templates/osqaadmin/set.html            | 1 +
 forum/skins/default/templates/question.html                 | 1 +
 forum/skins/default/templates/question_edit.html            | 3 ++-
 forum/skins/default/templates/question_retag.html           | 3 ++-
 forum/skins/default/templates/reopen.html                   | 6 ++----
 forum/skins/default/templates/search.html                   | 1 +
 forum/skins/default/templates/users/edit.html               | 1 +
 forum/skins/default/templates/users/preferences.html        | 1 +
 .../default/templates/users/subscriptions_settings.html     | 1 +
 forum_modules/akismet/templates/foundspam.html              | 1 +
 forum_modules/exporter/templates/exporter.html              | 1 +
 forum_modules/sximporter/templates/page.html                | 1 +
 settings.py                                                 | 1 +
 29 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/forum/skins/default/templates/answer_edit.html b/forum/skins/default/templates/answer_edit.html
index 985addd..9409f0d 100644
--- a/forum/skins/default/templates/answer_edit.html
+++ b/forum/skins/default/templates/answer_edit.html
@@ -63,7 +63,8 @@
 </div>
 <div id="main-body" class="ask-body">
     <div id="askform">
-        <form id="fmedit" action="{% url edit_answer answer.id %}" method="post" >
+        <form id="fmedit" action="{% url edit_answer answer.id %}" method="post">
+            {% csrf_token %}
             <label for="id_revision" ><strong>{% trans "revision" %}:</strong></label> <br/> 
             {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul }}{% endif %}
             <div>
diff --git a/forum/skins/default/templates/ask.html b/forum/skins/default/templates/ask.html
index 26f5fae..f2b5b53 100644
--- a/forum/skins/default/templates/ask.html
+++ b/forum/skins/default/templates/ask.html
@@ -94,6 +94,7 @@
 <div id="main-body" class="ask-body">
     <div id="askform">
         <form id="fmask" action="" method="post" accept-charset="utf-8">
+            {% csrf_token %}
 			{% if not request.user.is_authenticated %}
             <div class="message">
                 <span class="strong big">{% trans "You are welcome to start submitting your question anonymously." %}</span>
diff --git a/forum/skins/default/templates/auth/auth_settings.html b/forum/skins/default/templates/auth/auth_settings.html
index 8b52019..969036d 100644
--- a/forum/skins/default/templates/auth/auth_settings.html
+++ b/forum/skins/default/templates/auth/auth_settings.html
@@ -27,6 +27,7 @@
 {% endif %}
 <div class="aligned">
 	<form action="" method="post" accept-charset="utf-8">
+        {% csrf_token %}
         <ul id="changepw-form" class="form-horizontal-rows">
         {{form.as_ul}}
         </ul>
diff --git a/forum/skins/default/templates/auth/complete.html b/forum/skins/default/templates/auth/complete.html
index 5b293eb..79f10dc 100644
--- a/forum/skins/default/templates/auth/complete.html
+++ b/forum/skins/default/templates/auth/complete.html
@@ -34,6 +34,7 @@
 
 	<div class="login">
         <form name="fregister" action="" method="POST">
+            {% csrf_token %}
             {{ form1.next }}
             <div class="form-row-vertical margin-bottom">
                 <label for="id_username">{{ form1.username.label }}</label>
@@ -81,6 +82,7 @@
     {% if form2 %}
 	<div class="login" style="display:none">
         <form name="fverify" action="{% url user_register %}" method="POST">
+            {% csrf_token %}
             {{ form2.next }}
 			<fieldset style="padding:10px">
 				<legend class="big">{% trans "Existing account" %}</legend>
diff --git a/forum/skins/default/templates/auth/signin.html b/forum/skins/default/templates/auth/signin.html
index 19dee07..5514cc5 100644
--- a/forum/skins/default/templates/auth/signin.html
+++ b/forum/skins/default/templates/auth/signin.html
@@ -28,6 +28,7 @@
     {% endif %}
     {% for provider in top_stackitem_providers %}
         <form class="signin_form" method="POST" action="{% url auth_provider_signin provider=provider.id %}" accept-charset="utf-8">
+            {% csrf_token %}
             {% include provider.stack_item_template %}
             <input type="hidden" class="validate_email" name="validate_email" value="yes" />
         </form>
@@ -86,18 +87,21 @@
         {% endfor %}
     </div>
     <form name="signin_form" id="signin_form" class="signin_form" method="POST" action="">
+        {% csrf_token %}
         <div id="signin_form_slot"></div>
         <input type="hidden" class="validate_email" name="validate_email" value="yes" />
     </form>
     {% for provider in stackitem_providers %}
         <h3 class="or_label">{% trans 'Or...' %}</h3>
         <form class="signin_form" method="POST" action="{% url auth_provider_signin provider=provider.id %}" accept-charset="utf-8">
+            {% csrf_token %}
             {% include provider.stack_item_template %}
             <input type="hidden" class="validate_email" name="validate_email" value="yes" />
         </form>
     {% endfor %}
     <h3 class="or_label">{% trans 'Or...' %}</h3>
     <form name="signin_form" id="dummy_form_unused" class="signin_form" method="POST" action="">
+        {% csrf_token %}
         <fieldset>
             {% trans 'Click' %} <a href="{% url auth_request_tempsignin %}">{% trans 'here' %}</a> {% trans "if you're having trouble signing in." %}
         </fieldset>
diff --git a/forum/skins/default/templates/auth/temp_login_request.html b/forum/skins/default/templates/auth/temp_login_request.html
index 772f18f..70f740e 100644
--- a/forum/skins/default/templates/auth/temp_login_request.html
+++ b/forum/skins/default/templates/auth/temp_login_request.html
@@ -19,6 +19,7 @@
         </ul>
 	{% endif %}
 	<form action="" method="post" accept-charset="utf-8">
+        {% csrf_token %}
         <ul id="changepw-form" class="form-horizontal-rows">
         {{form.as_ul}}
         </ul>
diff --git a/forum/skins/default/templates/close.html b/forum/skins/default/templates/close.html
index d9e7350..2e8af8d 100644
--- a/forum/skins/default/templates/close.html
+++ b/forum/skins/default/templates/close.html
@@ -21,6 +21,7 @@
     </p>   
     
     <form id="fmclose" action="{% url close question.id %}" method="post" >
+        {% csrf_token %}
         <p>
             <strong>{% trans "Reasons" %}:</strong> {{ form.reason }}
         </p>
diff --git a/forum/skins/default/templates/feedback.html b/forum/skins/default/templates/feedback.html
index 38bb48f..f4a4781 100644
--- a/forum/skins/default/templates/feedback.html
+++ b/forum/skins/default/templates/feedback.html
@@ -12,6 +12,7 @@
 </div>
 <div class="content">
     <form method="post" action="{% url feedback %}" accept-charset="utf-8">
+        {% csrf_token %}
         {% if user.is_authenticated %}
             <p class="message">
             {% blocktrans with user.username as user_name %}
diff --git a/forum/skins/default/templates/header.html b/forum/skins/default/templates/header.html
index 0e2d28c..0e3a73f 100644
--- a/forum/skins/default/templates/header.html
+++ b/forum/skins/default/templates/header.html
@@ -25,6 +25,7 @@
   
 	<div id="searchBar">
     <form action="{% url search %}" method="get">
+        {% csrf_token %}
         <div>
             <input type="text" class="searchInput" value="{{ keywords }}" name="q" id="keywords" />
             <input type="submit" name="Submit" value="{% trans "search" %}" class="searchBtn" />
diff --git a/forum/skins/default/templates/node/comments.html b/forum/skins/default/templates/node/comments.html
index 9105f56..d4f9b62 100644
--- a/forum/skins/default/templates/node/comments.html
+++ b/forum/skins/default/templates/node/comments.html
@@ -48,6 +48,7 @@
 <div id="comment-{{ post.id }}-form-container" class="comment-form-container">
     {% if can_comment %}
     <form id="comment-{{ post.id }}-form" method="post" action="{% url comment id=post.id %}" accept-charset="utf-8">
+        {% csrf_token %}
         <div class="comment-form-widgets-container">
             <textarea name="comment" class="commentBox"></textarea>
             <div class="comment-form-buttons">
diff --git a/forum/skins/default/templates/notarobot.html b/forum/skins/default/templates/notarobot.html
index 698c569..dae82b4 100644
--- a/forum/skins/default/templates/notarobot.html
+++ b/forum/skins/default/templates/notarobot.html
@@ -4,6 +4,7 @@
 {% block content %}
 {% comment %} this form is set up to be used in wizards {% endcomment %}
 <form name="notarobot" action="." method="POST">
+    {% csrf_token %}
     <div>
     {{form}}
     </div>
diff --git a/forum/skins/default/templates/osqaadmin/createuser.html b/forum/skins/default/templates/osqaadmin/createuser.html
index 4b0ed8c..65c61b9 100644
--- a/forum/skins/default/templates/osqaadmin/createuser.html
+++ b/forum/skins/default/templates/osqaadmin/createuser.html
@@ -12,6 +12,7 @@
 
 {% block admincontent %}
     <form action="" method="POST">
+        {% csrf_token %}
         <table>
             {{ form.as_table }}
             <tr><th></th><td><input type="submit" value="{% trans "Save" %}"></td></tr>
diff --git a/forum/skins/default/templates/osqaadmin/edit_page.html b/forum/skins/default/templates/osqaadmin/edit_page.html
index d8d251f..ea7c0a9 100644
--- a/forum/skins/default/templates/osqaadmin/edit_page.html
+++ b/forum/skins/default/templates/osqaadmin/edit_page.html
@@ -14,6 +14,7 @@
 
 {% block admincontent %}
     <form action="" method="post" accept-charset="utf-8">
+        {% csrf_token %}
         <table style="width: 100%">
         {{ form.as_table }}
         <tr>
diff --git a/forum/skins/default/templates/osqaadmin/maintenance.html b/forum/skins/default/templates/osqaadmin/maintenance.html
index 38d1d0e..0e4a732 100644
--- a/forum/skins/default/templates/osqaadmin/maintenance.html
+++ b/forum/skins/default/templates/osqaadmin/maintenance.html
@@ -8,6 +8,7 @@
 
 {% block admincontent %}
 <form method="POST" action="">
+    {% csrf_token %}
     {% if in_maintenance %}
         <h1>{% trans "Your site is currently running on maintenance mode." %}</h1>
         <p>{% trans "You can adjust the settings bellow" %}</p>
diff --git a/forum/skins/default/templates/osqaadmin/moderation.html b/forum/skins/default/templates/osqaadmin/moderation.html
index 688c897..050f1f1 100644
--- a/forum/skins/default/templates/osqaadmin/moderation.html
+++ b/forum/skins/default/templates/osqaadmin/moderation.html
@@ -9,6 +9,7 @@
 {% block admincontent %}
     <div class="module">
         <form action="" id="changelist" method="POST">
+            {% csrf_token %}
             <div class="actions">
                 {% trans "Verify:" %}
                 <input type="text" size="3" name="limit" id="filter-limit" value="5" />
diff --git a/forum/skins/default/templates/osqaadmin/nodeman.html b/forum/skins/default/templates/osqaadmin/nodeman.html
index 997fab5..ea97d12 100644
--- a/forum/skins/default/templates/osqaadmin/nodeman.html
+++ b/forum/skins/default/templates/osqaadmin/nodeman.html
@@ -268,6 +268,7 @@
     <div id="changelist" class="module filtered">
         <div id="toolbar">
             <form method="get" action="" id="changelist-search">
+            {% csrf_token %}
             <div>
                 <div>
                     <label><img alt="Search" src="{{ settings.ADMIN_MEDIA_PREFIX }}img/admin/icon_searchbox.png"></label>
@@ -393,18 +394,21 @@
                 {% endfor %}
             </ul>
             <form action="" method="POST">
+                {% csrf_token %}
                 <input name="filter_name" type="text" size="20" id="filter-name-box" style="color: #AAA;" value="{% trans "Filter name..." %}" />
                 <button name="save_filter" value="0" style="color: #AAA;" title="{% trans "Click to save the current filter" %}" id="save-filter-button" disabled="disabled" class="button">{% trans "Save" %}</button>
             </form>
 
             {% comment %}<h3>{% trans "Show" %}</h3>
             <form action="" method="get">
+                {% csrf_token %}
                 <div>{{ show_form.show }}</div>
                 <input type="submit" value="{% trans "Refresh" %}" />
             </form>{% endcomment %}
             </div>
         </div>
         <form id="changelist-form" method="POST" action="">
+            {% csrf_token %}
             <div class="actions">
                 <label>
                     {% trans "Action" %}:
diff --git a/forum/skins/default/templates/osqaadmin/set.html b/forum/skins/default/templates/osqaadmin/set.html
index 5cc427d..3128d79 100644
--- a/forum/skins/default/templates/osqaadmin/set.html
+++ b/forum/skins/default/templates/osqaadmin/set.html
@@ -8,6 +8,7 @@
 
 {% block admincontent %}
     <form action="" method="POST" enctype="multipart/form-data" accept-charset="utf-8">
+        {% csrf_token %}
         <table id="admin_form" style="width: 100%">
             {{ form.as_table }}
             <tr>
diff --git a/forum/skins/default/templates/question.html b/forum/skins/default/templates/question.html
index c6c4cde..9eff07c 100644
--- a/forum/skins/default/templates/question.html
+++ b/forum/skins/default/templates/question.html
@@ -179,6 +179,7 @@
                 </div>
             {% endif %}
         <form id="fmanswer" action="{% url answer question.id %}" method="post">
+            {% csrf_token %}
             <div style="clear:both">
             </div>
             
diff --git a/forum/skins/default/templates/question_edit.html b/forum/skins/default/templates/question_edit.html
index 4177074..4ee8060 100644
--- a/forum/skins/default/templates/question_edit.html
+++ b/forum/skins/default/templates/question_edit.html
@@ -92,7 +92,8 @@
 </div>
 <div id="main-body" class="ask-body">
     <div id="askform">
-        <form id="fmedit" action="" method="post" >
+        <form id="fmedit" action="" method="post">
+            {% csrf_token %}
             <label for="id_revision" ><strong>{% trans "revision" %}:</strong></label> <br/> 
             {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul }}{% endif %}
             <div style="vertical-align:middle">
diff --git a/forum/skins/default/templates/question_retag.html b/forum/skins/default/templates/question_retag.html
index 9050e25..f0da4ff 100644
--- a/forum/skins/default/templates/question_retag.html
+++ b/forum/skins/default/templates/question_retag.html
@@ -59,7 +59,8 @@
 </div>
 <div id="main-body" class="ask-body">
     <div id="askform">
-        <form id="fmretag" action="{% url edit_question question.id %}" method="post" >
+        <form id="fmretag" action="{% url edit_question question.id %}" method="post">
+            {% csrf_token %}
             <h3>
                 {{ question.headline }}
             </h3>
diff --git a/forum/skins/default/templates/reopen.html b/forum/skins/default/templates/reopen.html
index cd0c37b..7de075e 100644
--- a/forum/skins/default/templates/reopen.html
+++ b/forum/skins/default/templates/reopen.html
@@ -23,14 +23,12 @@
         </strong>
     </p>
     
-    <form id="fmclose" action="{% url reopen question.id %}" method="post" >
-
+    <form id="fmclose" action="{% url reopen question.id %}" method="post">
+        {% csrf_token %}
         <div id="" style="padding:20px 0 20px 0">
             <input type="submit" value="{% trans "Reopen this question" %}" class="submit" />
             <input id="btBack" type="button" value="{% trans "Cancel" %}"  class="submit"  />
-            
         </div>
-        
     </form>
 </div>
 {% endblock %}
diff --git a/forum/skins/default/templates/search.html b/forum/skins/default/templates/search.html
index e413abd..05b9de6 100644
--- a/forum/skins/default/templates/search.html
+++ b/forum/skins/default/templates/search.html
@@ -10,6 +10,7 @@
 </div>
 <div id="main-body" style="text-align: center; height: 400px;">
 <form action="{% url search %}" method="get">
+    {% csrf_token %}
     <div>
         <input type="text" class="searchInput" value="{{ keywords }}" name="q" id="keywords" style="width: 600px" />
         <input type="submit" name="Submit" value="{% trans "search" %}" class="searchBtn" />
diff --git a/forum/skins/default/templates/users/edit.html b/forum/skins/default/templates/users/edit.html
index 3240fd2..09292fe 100644
--- a/forum/skins/default/templates/users/edit.html
+++ b/forum/skins/default/templates/users/edit.html
@@ -34,6 +34,7 @@
 </div>
 <div id="main-body" style="width:100%;padding-top:10px">
     <form name="" action="{% url edit_user user.id %}" method="post">
+        {% csrf_token %}
         <div id="left" style="float:left;width:180px">
             {% if user.email %}
             {% gravatar user 128 %}
diff --git a/forum/skins/default/templates/users/preferences.html b/forum/skins/default/templates/users/preferences.html
index f9393ac..eb223d3 100644
--- a/forum/skins/default/templates/users/preferences.html
+++ b/forum/skins/default/templates/users/preferences.html
@@ -6,6 +6,7 @@
     <h2>{% trans "Preferences" %}</h2>
     <div class='inline-block'>
     <form method="POST">
+        {% csrf_token %}
         <p class="message">
             {% trans "Here you can set some personal preferences." %}
         </p>
diff --git a/forum/skins/default/templates/users/subscriptions_settings.html b/forum/skins/default/templates/users/subscriptions_settings.html
index 6232d13..7675db3 100644
--- a/forum/skins/default/templates/users/subscriptions_settings.html
+++ b/forum/skins/default/templates/users/subscriptions_settings.html
@@ -10,6 +10,7 @@
 </p>
 <div class='inline-block'>
 <form method="POST">
+    {% csrf_token %}
     {{ form.errors }}
     <table class="form-as-table">
         <tr>
diff --git a/forum_modules/akismet/templates/foundspam.html b/forum_modules/akismet/templates/foundspam.html
index 77251c7..582d615 100644
--- a/forum_modules/akismet/templates/foundspam.html
+++ b/forum_modules/akismet/templates/foundspam.html
@@ -14,6 +14,7 @@ If you believe this is an error, please contact the forum administrator.
 
 {% if captcha_form.recaptcha %}
 <form action="." method="post">
+{% csrf_token %}
 <table>
 	<tr>
 		<td>
diff --git a/forum_modules/exporter/templates/exporter.html b/forum_modules/exporter/templates/exporter.html
index 78c12c7..d306480 100644
--- a/forum_modules/exporter/templates/exporter.html
+++ b/forum_modules/exporter/templates/exporter.html
@@ -25,6 +25,7 @@
     <strong>{% trans "Start new backup" %}</strong>
 </p>
 <form method="POST" action="">
+    {% csrf_token %}
     <table>
     {{ form.as_table }}
     </table>
diff --git a/forum_modules/sximporter/templates/page.html b/forum_modules/sximporter/templates/page.html
index 0011d1d..42de46d 100644
--- a/forum_modules/sximporter/templates/page.html
+++ b/forum_modules/sximporter/templates/page.html
@@ -12,6 +12,7 @@
 
 {% block admincontent %}
     <form method="post" action="" enctype="multipart/form-data">
+    {% csrf_token %}
     <input type="file" name="dump" /><br>
     {% trans "Your user id in stack exchange" %}
     <input type="test" name="owneruid" size="3" value="2" /><br />
diff --git a/settings.py b/settings.py
index de55240..83e59c3 100644
--- a/settings.py
+++ b/settings.py
@@ -15,6 +15,7 @@ TEMPLATE_LOADERS = [
 ]
 
 MIDDLEWARE_CLASSES = [
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'forum.middleware.extended_user.ExtendedUser',
-- 
2.45.1