Check XSRF tokens on all non-idempotent requests instead of just POST.

This commit is contained in:
Ben Darnell 2011-02-09 17:09:57 -08:00
parent 2d42c18c36
commit b7e8930b82
1 changed files with 1 additions and 1 deletions


@ -853,7 +853,7 @@ class RequestHandler(object):
raise HTTPError(405)
# If XSRF cookies are turned on, reject form submissions without
# the proper cookie
if self.request.method == "POST" and \
if self.request.method not in ("GET", "HEAD") and \
self.application.settings.get("xsrf_cookies"):
self.check_xsrf_cookie()
self.prepare()
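Review bot: OPTIONS is a safe method too, and the new condition `if self.request.method not in ("GET", "HEAD") and \` now routes it into check_xsrf_cookie(); a browser's CORS preflight is sent without cookies, so any handler that serves OPTIONS would answer the preflight with a 403 as soon as xsrf_cookies is enabled. Whether OPTIONS reaches this line depends on the method check that raises the 405 just above, whose allow-list is outside the hunk, so exempting it here is cheap insurance: `if self.request.method not in ("GET", "HEAD", "OPTIONS") and \`. The comment above the check still says "reject form submissions", which no longer describes the PUT/DELETE requests the change adds; `# If XSRF cookies are turned on, reject state-changing (non-GET/HEAD/OPTIONS) requests without the proper token` would match the new scope. The enclosing method starts and ends outside the hunk.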