2

I understand that the Django's comments framework was designed for anonymous public comments like you commonly see below a blog or an artcile. In other words, anyone can post comments.

I am using the comments framework for only allowing logged in users to display comments. What I did was modify the form.html and hid the name, URL, and email field (leaving the security fields intact). So pretty much the user only sees a comment field. I wanted to use Django's comments since it already has some nice security features like timestamp check, honeypot field, and anti-double-posting features. The user information is grabbed from the request.user RequestContext and I get the user information about the comment by comment.user.get_full_name as oppose to comment.name or comment.user.email vs comment.email.

I also start to read up about Django's CSRF protection. In most cases, people talk about how CSRF prevent hackers to, say, transfer money from a logged in user's bank account by using their cookie or something.

In my case, does CSRF prevent people from posting as other users? In other words, can a hacker create their own POST form and post under a different user.pk to fake other people?

Community
  • 1
  • 1
hobbes3
  • 28,078
  • 24
  • 87
  • 116

1 Answers1

3

To directly answer your question -- no, CSRF doesn't allow a hacker to pretend to be another user and submit a comment. What it could allow is an attacker to make a real, logged in user submit the comment for them.

A CSRF is an attack where someone without permission to access a resource tricks someone who does have permission into accessing it.

So, for example, CSRF protection could prevent someone from tricking a user into posting a comment with a spam or malware link in it. Alternatively, the request they trick the user into making could be malformed, made to crash your webserver, or include code meant to slip through the validation process and cause damage to your database or compromise your site in other ways.

So without CSRF protection someone could, theoretically, trick a logged in user into submitting a comment they didn't actually write.

With CSRF protection, Django will detect that it wasn't real data submitted through the actual form on your site, and will reject it.

agf
  • 171,228
  • 44
  • 289
  • 238
  • What if a hacker registers and successfully logs in, and while trying to post a comment, he modifies the POST response and changes the user ID to something other than his own (but keeps everything else the same, like the CSRF). Won't he be able to post a comment as someone else then? – hobbes3 Apr 07 '12 at 20:13
  • Does that mean, I should simply ignore the `comment.user` from the user POST, and declare something like `comment.user = request.user.pk` under `views.py`? – hobbes3 Apr 07 '12 at 20:15
  • @hobbes3 Yes, that's the way to avoid it being faked. – agf Apr 08 '12 at 05:11
  • Ok, thanks for your advice. Back to my question, is my assumption on the hacking scenario about faking user comments possible? – hobbes3 Apr 08 '12 at 08:31