Django's comments framework and CSRF


Question

I understand that Django's comments framework was designed for anonymous public comments like you commonly see below a blog or an article. In other words, anyone can post comments.

I am using the comments framework for only allowing logged-in users to display comments. What I did was modify the form.html and hide the name, URL, and email fields (leaving the security fields intact). So pretty much the user only sees a comment field. I wanted to use Django's comments since it already has some nice security features like the timestamp check, honeypot field, and anti-double-posting features. The user information is grabbed from the request.user RequestContext, and I get the user information about the comment by comment.user.get_full_name as opposed to comment.name, or comment.user.email vs comment.email.

I also started to read up about Django's CSRF protection. In most cases, people talk about how CSRF prevents hackers from, say, transferring money from a logged-in user's bank account by using their cookie or something.

In my case, does CSRF prevent people from posting as other users? In other words, can a hacker create their own POST form and post under a different user.pk to fake other people?

Recommended answer

To directly answer your question -- no, CSRF doesn't allow a hacker to pretend to be another user and submit a comment. What it could allow is an attacker making a real, logged-in user submit the comment for them.

A CSRF is an attack where someone without permission to access a resource tricks someone who does have permission into accessing it.

So, for example, CSRF protection could prevent someone from tricking a user into posting a comment with a spam or malware link in it. Alternatively, the request they trick the user into making could be malformed, made to crash your webserver, or include code meant to slip through the validation process and cause damage to your database or compromise your site in other ways.

So without CSRF protection someone could, theoretically, trick a logged-in user into submitting a comment they didn't actually write.

With CSRF protection, Django will detect that it wasn't real data submitted through the actual form on your site, and will reject it.
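The two points in the answer, that identity comes from the session rather than from anything in the POST body and that a request without the session-bound token is rejected, modelled as an added example; this is a simplified stand-in written for this page, not Django's own middleware or comments code, and the session store, users and request dictionaries are constructed here.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the session store and the database.
SESSIONS = {
    "sess-alice": {"user_id": 1, "csrf_token": secrets.token_hex(16)},
    "sess-bob": {"user_id": 2, "csrf_token": secrets.token_hex(16)},
}
USERS = {1: "alice", 2: "bob"}
COMMENTS = []  # list of (user_id, text) that were accepted


def post_comment(cookies, form):
    """Model of a CSRF-protected 'post comment' view.

    Returns (status, body). The author is taken ONLY from the session cookie
    (the request.user the question mentions); a 'user' field in the form is
    ignored, so a forged user.pk never changes who the comment is stored under.
    The form's token must equal the token bound to that session, compared in
    constant time, so a cross-site form that cannot read the page lacks it.
    """
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return 403, "login required"
    token = form.get("csrfmiddlewaretoken", "")
    if not token or not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "CSRF verification failed"
    text = form.get("comment", "").strip()
    if not text:
        return 400, "empty comment"
    COMMENTS.append((session["user_id"], text))
    return 200, "posted as " + USERS[session["user_id"]]


def demo():
    """Run the scenarios from the question and return their status codes."""
    alice = {"sessionid": "sess-alice"}
    alice_token = SESSIONS["sess-alice"]["csrf_token"]
    bob_token = SESSIONS["sess-bob"]["csrf_token"]
    return [
        # Logged-in Alice, genuine form, but tries to claim user.pk 2 (Bob).
        post_comment(alice, {"comment": "hi", "user": "2",
                             "csrfmiddlewaretoken": alice_token})[0],
        # Cross-site form submitted with Alice's cookie but no token.
        post_comment(alice, {"comment": "spam link"})[0],
        # Attacker's own token (from Bob's session) with Alice's cookie.
        post_comment(alice, {"comment": "spam", "csrfmiddlewaretoken": bob_token})[0],
    ]
```

The first request is stored under Alice's id regardless of the forged field, while the second and third are rejected before any comment is written.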
