DarrenOfficial/dpaste

disable csrf in dpaste

datta90 opened this issue · 8 comments

I am using the dpaste Docker image, but once I try to generate any link for my text it always shows a CSRF protection issue. Can anyone help with how to disable this feature?

In your settings add,

CSRF_COOKIE_SECURE = False

thanks

I added CSRF_COOKIE_SECURE = False to dpaste/apps.py like so, rebuilt and ran the image, but am still getting:

Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.

You can check my instance here.

I added CSRF_COOKIE_SECURE = False to my local.py, rebuilt and ran the image and am still getting the 403 error. The local.py also has DEBUG = True, and I can see this in my instance when the 403 error occurs because it shows the debug information. So, it took my custom local.py, but the CSRF disabling still doesn't work?

Edit: So, it works without https. I suppose this is intended and the way it works?

I've responded to your email 🙂

> Edit: So, it works without https. I suppose this is intended and the way it works?

Definitely not

-- From email
Could you show me your docker configuration / docker compose file;

Additionally, are you using a proxy server (e.g. NGINX, Apache, Traefik, Caddy, etc.)? If so, could you send the configuration of that as well; the error might be because of a misconfigured proxy.

> Edit: So, it works without https. I suppose this is intended and the way it works?

What I meant was it would work without https, not that it should be run without. 😅

> Could you show me your docker configuration / docker compose file;

I didn't touch the original Docker files. But, the command I'm using to run the Docker container is: docker run --rm -p 8001:8000 -e --detach dpaste:csrf.

> Additionally are you using a proxy server

I'm using NGINX. In /etc/nginx/sites-available/mnpd.conf:

```nginx
server {
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        proxy_pass http://0.0.0.0:8001;
        proxy_buffering off;
        proxy_set_header Host $host;
        # nginx variables are not backslash-escaped; "\$remote_addr" would not expand
        proxy_set_header X-Real-IP $remote_addr;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mnpd.khkm.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mnpd.khkm.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = mnpd.khkm.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    return 404; # managed by Certbot
}
```

I see, try this reverse proxy config; this is what dpaste uses in prod.

```nginx
location ^~ /
{
    proxy_pass http://127.0.0.1:8001;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;

    # Persistent connection related configuration - optional; dpaste.org has it enabled.
    #add_header Access-Control-Allow-Origin *;
}
```
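The "works without https, 403 with https" symptom in this thread is what Django's CSRF origin check produces when TLS is terminated at nginx and the app is reached over plain `proxy_pass http://...`: the browser sends `Origin: https://<host>`, while the app believes the request arrived over `http`. The following is an added example, not dpaste's or Django's code, that models the Origin check Django 4.x's `CsrfViewMiddleware` performs on unsafe requests and runs the scenarios from this thread through it. Hostnames, headers and settings are constructed for illustration; `trust_forwarded_proto` stands in for Django's `SECURE_PROXY_SSL_HEADER` setting, and the `X-Forwarded-Proto` header it relies on is not part of the proxy config above.

```python
"""Model of Django 4.x's CSRF Origin check (constructed example, not Django
or dpaste code). Shows why a paste POST passes over plain HTTP but gets a
403 behind a TLS-terminating reverse proxy that forwards over http."""
from urllib.parse import urlsplit


def request_is_secure(headers, socket_scheme, trust_forwarded_proto):
    """request.is_secure() as the app sees it.

    The app only knows the scheme of the socket it accepted (http when nginx
    uses proxy_pass http://...). It treats the request as https only when
    SECURE_PROXY_SSL_HEADER (here: trust_forwarded_proto) tells it to believe
    an X-Forwarded-Proto: https header set by the proxy."""
    if trust_forwarded_proto and headers.get("X-Forwarded-Proto") == "https":
        return True
    return socket_scheme == "https"


def origin_verified(headers, socket_scheme, trusted_origins=(), trust_forwarded_proto=False):
    """True if the Origin header passes the middleware's check.

    1. Origin must equal "<scheme>://<Host>", scheme being what the app
       believes the request used.
    2. Otherwise it must appear in CSRF_TRUSTED_ORIGINS, either exactly or
       via a "scheme://*.domain" wildcard entry."""
    origin = headers.get("Origin")
    if origin is None:
        return False  # Django then falls back to a Referer check for https
    host = headers.get("Host", "")
    scheme = "https" if request_is_secure(headers, socket_scheme, trust_forwarded_proto) else "http"
    if origin == f"{scheme}://{host}":
        return True
    if origin in trusted_origins:
        return True
    parsed = urlsplit(origin)
    for entry in trusted_origins:
        trusted = urlsplit(entry)
        if trusted.netloc.startswith("*.") and trusted.scheme == parsed.scheme:
            suffix = trusted.netloc[1:]  # "*.paste.example" -> ".paste.example"
            if parsed.netloc == suffix[1:] or parsed.netloc.endswith(suffix):
                return True
    return False


def scenarios():
    """Constructed browser POSTs to the paste form, keyed by deployment shape."""
    # Browser on https://paste.example; nginx terminates TLS, forwards over http.
    proxied = {"Host": "paste.example", "Origin": "https://paste.example"}
    plain = {"Host": "paste.example", "Origin": "http://paste.example"}
    with_proto = dict(proxied, **{"X-Forwarded-Proto": "https"})
    return {
        # Plain http end to end: Origin matches http://<Host>, CSRF passes.
        "http_no_proxy": origin_verified(plain, "http"),
        # TLS at nginx, app sees http: https://host != http://host -> 403.
        "https_behind_proxy": origin_verified(proxied, "http"),
        # Fix A: proxy sends X-Forwarded-Proto and Django is told to trust it.
        "https_forwarded_proto": origin_verified(with_proto, "http", trust_forwarded_proto=True),
        # Fix B: public origin listed in CSRF_TRUSTED_ORIGINS.
        "https_trusted_origin": origin_verified(
            proxied, "http", trusted_origins=("https://paste.example",)),
        # Wildcard entry covers subdomains with the same scheme.
        "wildcard": origin_verified(
            {"Host": "p.paste.example", "Origin": "https://p.paste.example"},
            "http", trusted_origins=("https://*.paste.example",)),
        # The forwarded header alone changes nothing unless Django trusts it.
        "forwarded_but_untrusted": origin_verified(with_proto, "http"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'accepted' if ok else '403 CSRF verification failed'}")
```

Of the two fixes, trusting `X-Forwarded-Proto` is only safe when the app cannot be reached except through the proxy that sets it; `docker run -p 8001:8000` as used in this thread publishes the container port on every host interface, so a client that can hit port 8001 directly could supply the header itself. Listing the public origin in `CSRF_TRUSTED_ORIGINS` has no such dependency on network layout.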