Check XSRF tokens on all non-idempotent requests instead of just POST.

author Ben Darnell <ben@bendarnell.com>

Thu, 10 Feb 2011 01:09:57 +0000 (17:09 -0800)

committer Ben Darnell <ben@bendarnell.com>

Thu, 10 Feb 2011 01:09:57 +0000 (17:09 -0800)
author Ben Darnell <ben@bendarnell.com>
Thu, 10 Feb 2011 01:09:57 +0000 (17:09 -0800)
committer Ben Darnell <ben@bendarnell.com>
Thu, 10 Feb 2011 01:09:57 +0000 (17:09 -0800)
diff --git a/tornado/web.py b/tornado/web.py

index 20dbcae7198cb96b5f06b8838325bf96a4b78edd..01ba81bb6cdaa0723913c1780d9441866ed451dd 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -853,7 +853,7 @@ class RequestHandler(object):
                  raise HTTPError(405)
              # If XSRF cookies are turned on, reject form submissions without
              # the proper cookie
-            if self.request.method == "POST" and \
+            if self.request.method not in ("GET", "HEAD") and \
                 self.application.settings.get("xsrf_cookies"):
                  self.check_xsrf_cookie()
              self.prepare()
author	Ben Darnell <ben@bendarnell.com>
	Thu, 10 Feb 2011 01:09:57 +0000 (17:09 -0800)
committer	Ben Darnell <ben@bendarnell.com>
	Thu, 10 Feb 2011 01:09:57 +0000 (17:09 -0800)