From: Ben Darnell
Date: Thu, 10 Feb 2011 01:09:57 +0000 (-0800)
Subject: Check XSRF tokens on all non-idempotent requests instead of just POST.
X-Git-Tag: v1.2.0~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7e8930b82213b6e4d45f01cc5e6ce1a370659bd;p=thirdparty%2Ftornado.git
Check XSRF tokens on all non-idempotent requests instead of just POST.
---
diff --git a/tornado/web.py b/tornado/web.py
index 20dbcae71..01ba81bb6 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -853,7 +853,7 @@ class RequestHandler(object):
 raise HTTPError(405)
 # If XSRF cookies are turned on, reject form submissions without
 # the proper cookie
- if self.request.method == "POST" and \
+ if self.request.method not in ("GET", "HEAD") and \
 self.application.settings.get("xsrf_cookies"):
 self.check_xsrf_cookie()
 self.prepare()
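Review bot: The new allow-list `("GET", "HEAD")` omits OPTIONS, which is also a safe, side-effect-free method, so any OPTIONS request (a CORS preflight, for instance, which carries no cookies) would now be rejected by `check_xsrf_cookie()` if that method is ever accepted by the handler; whether OPTIONS is currently reachable depends on the `SUPPORTED_METHODS` check that raises the `HTTPError(405)` just above, which is outside the hunk. Treating the safe methods explicitly, `if self.request.method not in ("GET", "HEAD", "OPTIONS") and \`, keeps the token check on exactly the state-changing verbs the commit targets. The two context comment lines are now stale as well, since the check no longer applies only to form posts; I would reword them to `# If XSRF cookies are turned on, reject any request that may have side effects` / `# (everything but the safe methods) unless it carries the proper token`. The enclosing method starts and ends outside the hunk.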