I'm using django for a website app, mostly. I need to write a canvas page to handle requests. In the simplest form, I have:

(r'^canvas/','commitments.views.canvas'),

in urls.py, and:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def canvas(request):
    return HttpResponse("Hello world")

in views.py. This all works fine if I load the page directly. If, however, I load the page through the Facebook canvas, I'm getting an error related to modsecurity: `ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer [hostname "..."] [uri "/canvas/"]`.

Any thoughts on what I'm doing wrong here? Thanks for the help.

sean
  • Set `DEBUG=True` in settings.py and you will see debug output and stacktrace – Alexey Savanovich Dec 30 '11 at 22:58
  • Thanks. I've done this but for some errors I still don't get the debug output and stacktrace - not sure why, but that's the way things have been for me all along. – sean Dec 30 '11 at 23:07
  • From the Apache logs (`ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer [hostname "..."] [uri "/canvas/"]`), it looks like it is a modsecurity issue? Despite exempting the page from CSRF? I'm on Dreamhost, if that helps any. – sean Dec 31 '11 at 00:55
  • There's also this post http://stackoverflow.com/questions/5975175/modsecurity-error-with-django, but no answers. – sean Dec 31 '11 at 00:57

2 Answers


For now, I've been able to deal with it by turning off mod_security ("extra web security" in Dreamhost's panel).

I tried to deal with it, first, via the following .htaccess instructions, but they don't seem to have done the trick:

SetEnvIfNoCase Request_URI ^/canvas/.*$ MODSEC_ENABLE=Off
<IfModule mod_security.c>
  SecFilterSelective REQUEST_URI "^/canvas/.*$" "allow,pass"
  SecFilterScanPOST Off
</IfModule>

I'd love to be able to re-enable mod_security except to allow the canvas URI through, so if anyone has a solution for that, I'd be grateful. Thanks!

sean
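An added example (not part of the answer above) of scoping the exemption to the canvas path instead of switching mod_security off for the whole site. It assumes ModSecurity 2.x, where the module is named `mod_security2.c` (so an `<IfModule mod_security.c>` block is silently skipped), and that you can edit the virtual host config, since ModSecurity 2.x does not honour `SecRule`/`SecRuleEngine` directives in `.htaccess` by default; the `/canvas/` path is the one from the question.

```apache
# Added example, not the answerer's config. Assumes ModSecurity 2.x and
# placement in the <VirtualHost> block (not .htaccess).
<IfModule mod_security2.c>
    # Keep the rule engine fully active for everything else on the site.
    SecRuleEngine On

    # Facebook delivers the canvas page as a POST with a signed_request
    # body, which is what the output filter was choking on. Rather than
    # disabling inspection, only stop it from blocking on this path:
    # DetectionOnly still writes matches to the audit log, so you can
    # see which rule fired and later write a targeted exception for it.
    <LocationMatch "^/canvas/">
        SecRuleEngine DetectionOnly
    </LocationMatch>

    # If the path must be excluded completely, use Off instead of
    # DetectionOnly. Either way the exemption covers only ^/canvas/,
    # not the rest of the application.
</IfModule>
```

After reloading Apache, check the ModSecurity audit log for the `/canvas/` request to find the rule ID that matched; replacing `DetectionOnly` with a `SecRuleRemoveById` for that single rule inside the same `<LocationMatch>` is the narrowest fix.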

(x-post from here: solution may be the same)

So I've spent way too much time trying to figure this out. I've settled on a (slightly shitty) work-around: add `{% csrf_token %}` to any place in your template (I'm assuming you passed in the `context_instance=RequestContext(request)` argument to your `render_to_response` or whatever).

I think what is happening is that the cookie doesn't actually get set (this can be confirmed through inspecting the cookies in any browser's development tools). Adding the above code to your template forces this. I have a feeling that this may be remedied in later versions of Django, and it seems as though there are obvious fixes for 1.4+ (e.g., see here). Unfortunately dreamhost has stuck us with 1.2.3, so we need to make do.

haz