Bug 700337

Summary: EPEL5 uses Django 1.x so needs different CSRF fix
Product: [Fedora] Fedora EPEL
Component: pootle
Version: el5
Status: CLOSED EOL
Reporter: Dwayne Bailey <dwayne>
Assignee: Dwayne Bailey <dwayne>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwayne
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-04-06 10:38:47 UTC

Description Dwayne Bailey 2011-04-28 07:39:49 UTC
The following comments from the translate-pootle mailing list address the issue of Django 1.2 vs 1.1 and the required fixes:

http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Since I couldn't find any appropriate rpm packages for Django 1.2, I am unable at this point to update Django, and therefore applied the following (ugly) fix, and now I can review suggestions again.

In pootle/html/js/translatepage.js:
  /* Uncomment when using Django 1.2 or later */
  // if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
  //   // Only send the token to relative URLs i.e. locally.
  //   xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
  // }

  /* Uncomment when using Django 1.1 or earlier */
  if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
    // Only send the token to relative URLs i.e. locally.
    xhr.setRequestHeader("X-CSRFToken", $("#csrfmiddlewaretoken").val());
  }

Now I have to remember to change it back when I finally do upgrade Django... (>_<)
So if you can incorporate a more beautiful fix in the next Pootle release, that would be tremendously helpful.

Maybe the following information can help you. With your CSRF fix in translatepage.js unchanged, the X-CSRFToken in the request header is null:
X-CSRFToken:null
X-Requested-With:XMLHttpRequest

The relevant code in Django, corresponding to the csrf.py script mentioned in the other thread, seems for Django 1.1.4 to be in django/contrib/csrf/middleware.py:

    csrf_token = _make_token(session_id)
    # check incoming token
    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
    if request_csrf_token == "":
        # Fall back to X-CSRFToken, to make things easier for AJAX
        request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

    if request_csrf_token == "":
        return HttpResponseForbidden(_ERROR_MSG)

    if request_csrf_token != csrf_token:
        return HttpResponseForbidden(_ERROR_MSG)

Cecilia
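The two token sources discussed in the post above (the csrftoken cookie on Django 1.2+, the hidden csrfmiddlewaretoken form field on Django 1.1), the "X-CSRFToken:null" symptom, and the same-origin guard, worked through as an added example. This is not code from this bug report, from Pootle or from Django; it assumes the cookie string, the hidden-field value and the page origin are passed in as arguments (constructed inputs) so that the decision logic can run outside a browser, and it replaces the /^https?:/ regex with an origin comparison, which also rejects protocol-relative URLs.

```javascript
// Added example, not code from this bug, Pootle or Django. Decides whether an
// XMLHttpRequest should carry an X-CSRFToken header and which token to use.
// Assumptions (constructed for this example): the document cookie string,
// the hidden csrfmiddlewaretoken field value and the page origin are passed
// in explicitly so the logic runs outside a browser.

function getCookie(name, cookieString) {
  // Parse "a=1; b=2" and return the named value, or null when it is absent.
  for (const part of (cookieString || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name && rest.length > 0) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

function isSameOrigin(requestUrl, pageOrigin) {
  // Resolve the (possibly relative) request URL against the page and compare
  // scheme, host and port. Unlike the /^https?:/ regex in the bug, this also
  // rejects protocol-relative URLs such as "//other.example/path", which the
  // regex would treat as "relative" and send the token to.
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

function csrfHeaderFor({ url, pageOrigin, cookieString, hiddenFieldValue }) {
  // The token is a secret for this site only: never attach it to a request
  // bound for another origin.
  if (!isSameOrigin(url, pageOrigin)) {
    return null;
  }
  // Django 1.2+ exposes the token in the "csrftoken" cookie; Django 1.1 only
  // embeds it in the form as csrfmiddlewaretoken. Prefer the cookie and fall
  // back to the hidden field so one code path serves both versions.
  const token = getCookie('csrftoken', cookieString) || hiddenFieldValue || null;
  if (!token) {
    // setRequestHeader stringifies a null value, which is how the post ended
    // up with "X-CSRFToken:null" on Django 1.1. Send no header instead, so the
    // server's "empty token" branch rejects the request cleanly.
    return null;
  }
  return { 'X-CSRFToken': token };
}

// Usage inside a jQuery beforeSend hook (browser only, shown for reference):
//   $.ajaxSetup({ beforeSend: function (xhr, settings) {
//     var h = csrfHeaderFor({ url: settings.url,
//                             pageOrigin: window.location.origin,
//                             cookieString: document.cookie,
//                             hiddenFieldValue: $('#csrfmiddlewaretoken').val() });
//     if (h) xhr.setRequestHeader('X-CSRFToken', h['X-CSRFToken']);
//   } });
```

Because the cookie is tried first and the form field second, the same hook works unchanged across the Django upgrade that the post had to remember to do by hand, and a missing token results in no header rather than the literal string "null".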

Comment 1 Dwayne Bailey 2011-04-28 07:55:41 UTC
Please see upstream bug: http://bugs.locamotion.org/show_bug.cgi?id=1920

Comment 2 Fedora Update System 2011-06-24 11:54:06 UTC
pootle-2.1.6-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pootle-2.1.6-1.el6

Comment 3 Fedora End Of Life 2017-04-06 10:38:47 UTC
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5
is no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora
or Fedora EPEL, please feel free to reopen this bug against that version. If
you are unable to reopen this bug, please file a new report against the current
release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.