Wednesday, May 16, 2018

More about security

Abdelkader reported that my trick for activating clickjacking protection (see Sunday, May 13, 2018) was buggy (I forgot that settings.py is being imported twice) and insufficient (there are more protection mechanismes described in Django’s topic guide about Security in Django). He suggested to add security already in the Lino core “to be in security by default”. As a first step into this direction I added a new attribute use_security_features to lino.core.site.Site. I also adapted the Security of Lino applications page and 4 test cases in The Lino Book.

I deployed this to Jane in order to see whether it behaves as expected, which showed that for CsrfViewMiddleware it is not enough to simply add the middleware. When the middleware is active, Django requires every POST to also have a CSRF token. Without that token, every POST (and PUT and DELETE) will get “Forbidden (CSRF cookie not set.)”

https://docs.djangoproject.com/en/1.11/ref/csrf/

So in order to get CSRF protection, we must add the csrf_token to our forms and make the client extract that token and add it to their POST. It’s probably not a big code change, but it won’t be trivial to find out how to weave it into Lino and test it. I opened #2389. Maybe this should wait until the OpenUI5 user interface is ready…

>>> from django.template.context_processors import csrf
>>> d = csrf(req)

Also I noticed that the demo projects don’t work when use_security_features is True. Yes, of course: they don’t run behind a secure (https) server.

The easiest solution for this is to make use_security_features default to False. And adpat Security of Lino applications again.

Maximum time limit for jobs on Travis

Oops, I got a “The job exceeded the maximum time limit for jobs, and has been terminated” on travis.

It seems that this limit is 120 minutes and cannot be changed (*)

But the next build then passed again. So maybe it was a temporary problem, maybe a blocking download of some dependency.