1

I'm trying to access a Django page through a Facebook App (iframe) I made using fb.py on DreamHost and I keep getting an internal server error.

Looking in the error logs, this is what I see:

ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer

I think it just has to do with the POST request. Somebody else asked about this error on a number of forums almost a year ago, to no avail:

ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer

All I could find searching was this at http://www.modsecurity.org:

"When mod_security denies such a request, it sends an error bucket with e.g. code 403 down the output filter chain, leaving r->status as is (e.g. 500)."

Any ideas? Thanks!

fieryred

2 Answers

0

Have you implemented CSRF protection as per https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax ?

Note to cross-check with the version of Django you are using.

Richard Boardman
0

So I've spent way too much time trying to figure this out. I've settled on a (slightly shitty) work-around: add {% csrf_token %} to any place in your template (I'm assuming you passed in the context_instance=RequestContext(request) argument to your render_to_response or whatever).

I think what is happening is that the cookie doesn't actually get set (this can be confirmed through inspecting the cookies in any browser's development tools). Adding the above code to your template forces this. I have a feeling that this may be remedied in later versions of Django, and it seems as though there are obvious fixes for 1.4+ (e.g., see here). Unfortunately DreamHost has stuck us with 1.2.3, so we need to make do.

haz
  • This is not a "work around", but it is what you are supposed to do in the first place. You need to add `{% csrf_token %}` to the template that defines a form that is `POST`ed to your view. The fix you mention has been there since CSRF was implemented. You can use it in 1.2 as well. – Burhan Khalid Apr 02 '12 at 04:54
  • I didn't get that impression from any tutorial -- it should be noted that I don't have a particular form in my html. It's just a jQuery handler that will fire off a `POST` request at the appropriate time. I realize that inserting `{% csrf_token %}` inside a typical form is what's suggested but when you don't have one it seems unclear to me. – haz Apr 02 '12 at 15:55
  • Aye, I've been through that page dozens of times. For 1.2, there doesn't seem to be a workaround for pages _without_ a form element. For later versions, [there are](https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#page-uses-ajax-without-any-html-form). – haz Apr 02 '12 at 18:11
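
The client side of the form-less AJAX case discussed in this thread, as an added example that is not code from any of the posts: it reads Django's default `csrftoken` cookie, attaches it as the `X-CSRFToken` header on unsafe same-origin requests, and reports the missing-cookie case instead of sending silently. The function names, origin and cookie strings are constructed for illustration; check the cookie and header names against the Django version in use.

```javascript
// Added example: helper names and sample values are constructed, not from the thread.

// Extract one cookie value from a document.cookie-style string; null if absent.
function getCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const pair = part.trim();
    if (pair.startsWith(name + "=")) {
      return decodeURIComponent(pair.slice(name.length + 1));
    }
  }
  return null;
}

// HTTP methods that Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// The token is only attached to same-origin requests so it never leaks to other hosts.
function sameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Decide which CSRF header, if any, belongs on an AJAX request.
function csrfHeadersFor(method, url, pageOrigin, cookieString) {
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) {
    return { headers: {}, problem: null };
  }
  const token = getCookie(cookieString, "csrftoken");
  if (token === null) {
    // The situation described in the answer above: the page never set the cookie.
    return { headers: {}, problem: "csrftoken cookie not set by the page" };
  }
  return { headers: { "X-CSRFToken": token }, problem: null };
}

// Constructed sample values: one page with the cookie, one without.
const pageOrigin = "https://app.example.com";
console.log(csrfHeadersFor("POST", "/vote/", pageOrigin, "sessionid=abc; csrftoken=tok123"));
console.log(csrfHeadersFor("POST", "/vote/", pageOrigin, "sessionid=abc"));
```

In a browser, pass `document.cookie` and `window.location.origin`, and copy the returned headers onto the request, for example with `xhr.setRequestHeader` in a jQuery `beforeSend` handler.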