From a61386cbbcbe3e68bcdf0a98c23547117a496fec Mon Sep 17 00:00:00 2001 From: Tim Abbott Date: Fri, 30 Dec 2016 20:31:01 -0800 Subject: [PATCH] github: Fix GitHub integration CSRF issue. The new GitHub dispatcher integration was apparently totally broken, because we hadn't tagged the new dispatcher endpoint as exempt from CSRF checking. I'm not sure why the test suite didn't catch this. --- zerver/views/webhooks/github_dispatcher.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/zerver/views/webhooks/github_dispatcher.py b/zerver/views/webhooks/github_dispatcher.py index 27c450be30..420bf10c1e 100644 --- a/zerver/views/webhooks/github_dispatcher.py +++ b/zerver/views/webhooks/github_dispatcher.py @@ -1,9 +1,12 @@ from __future__ import absolute_import from django.http import HttpRequest, HttpResponse +from django.views.decorators.csrf import csrf_exempt from .github_webhook import api_github_webhook from .github import api_github_landing - +# Since this dispatcher is an API-style endpoint, it needs to be +# explicitly marked as CSRF-exempt +@csrf_exempt def api_github_webhook_dispatch(request): # type: (HttpRequest) -> HttpResponse if request.META.get('HTTP_X_GITHUB_EVENT'):