From e217946215175f05be24b41a61b3311d43d52365 Mon Sep 17 00:00:00 2001
From: Ilona Podliashanyk
Date: Tue, 5 Nov 2024 12:57:23 +0100
Subject: [PATCH 1/2] Always render hidden CSRF token input in reusable non-crispy templates
---
 .../web/templates/custom_crispy_templates/_form_content.html | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/python/nav/web/templates/custom_crispy_templates/_form_content.html b/python/nav/web/templates/custom_crispy_templates/_form_content.html
index aa163528d2..b2e5cc6658 100644
--- a/python/nav/web/templates/custom_crispy_templates/_form_content.html
+++ b/python/nav/web/templates/custom_crispy_templates/_form_content.html
@@ -1,9 +1,7 @@
 {# NB! This template can be used directly (without form template wrapper) for cases where form.helper.form_tag is set to False. #}
 {% load forms %}
-{% if form.attrs.method|lower == 'post' %}
- {% csrf_token %}
-{% endif %}
+{% csrf_token %}
 {% include 'foundation-5/errors.html' %}
From 713ce0f153628bdc50d8757aaab880ba478b221f Mon Sep 17 00:00:00 2001
From: Ilona Podliashanyk
Date: Wed, 6 Nov 2024 15:34:51 +0100
Subject: [PATCH 2/2] Update changelog
---
 changelog.d/3157.security.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/3157.security.md
diff --git a/changelog.d/3157.security.md b/changelog.d/3157.security.md
new file mode 100644
index 0000000000..ef8cd2e57c
--- /dev/null
+++ b/changelog.d/3157.security.md
@@ -0,0 +1 @@
+Ensure that CSRF token info is included when reusing NAV's form templates. This means that flat_form.html and _form_content.html templates will always include a hidden CSRF token input regardless of which form method is set.
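Review bot: Rendering `{% csrf_token %}` unconditionally means any form that includes this template and is submitted with `method="get"` will now carry the CSRF token in its query string, so the token lands in browser history, server access logs and Referer headers; Django's documentation advises against the tag on GET forms for exactly this reason. The removed `== 'post'` test was presumably too narrow (a form with no `attrs` or an empty method rendered no token), but inverting the condition keeps that fix without the leak: `{% if form.attrs.method|lower != 'get' %}`, `  {% csrf_token %}`, `{% endif %}`. A short `{# ... #}` comment above the tag saying the token is rendered for every method except GET, so forms with no explicit method still get it, would make the intent clear to the next reader. The template body continues past the end of the hunk.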