On Fri, Mar 16, 2012 at 8:08 AM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> Can you give an example of a url it gives you that hits a 500 ?
Hi Kevin,
Thanks for responding. Today pkgdb isn't giving a 500 error, oddly enough.
I fired up the HttpFox extension, and here's what is being loaded when
I enter the word "test" in the search bar.
(long CSRF string snipped)
GET https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=...?searchwords=*test*
The fact that there are two separate question marks in this URL looks
odd to me. The searchwords parameter should probably be prepended with
an ampersand to make this a valid URL. I looked at the OpenSearch
definition in my Firefox profile:
~/.mozilla/firefox/<snip>.default/searchplugins/fedora-pkgdb-packages.xml
To fix this, I just stripped out the csrf token parameter altogether.
The following now works for me:
<os:Url type="text/html" method="GET"
template="https://admin.fedoraproject.org/pkgdb/acls/list/?">
Maybe you would be able to do a similar fix on the Fedora web servers,
to fix the definition there?
I'm a CSRF newbie, but it strikes me as odd that a static csrf token
string would be embedded into the OpenSearch definition itself:
https://admin.fedoraproject.org/pkgdb/opensearch/pkgdb_packages.xml.
Not only does it break the searches, but it seems like that defeats
the point of having hard-to-guess CSRF tokens.
--
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites
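As an added example (not part of the mail above or of pkgdb), a small lint for an OpenSearch description that flags the two problems the thread describes: a second "?" where "&" should separate the parameters, and a fixed CSRF token baked into a template that is served to every client. The XML samples are constructed to mirror the quoted fragment; the token value is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

OS_NS = "http://a9.com/-/spec/opensearch/1.1/"

# Constructed sample mirroring the broken definition: a static token plus a
# second '?' introducing searchwords.
BROKEN_XML = f"""<OpenSearchDescription xmlns="{OS_NS}">
  <ShortName>pkgdb</ShortName>
  <Url type="text/html" method="GET"
       template="https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=PLACEHOLDER?searchwords=*{{searchTerms}}*"/>
</OpenSearchDescription>"""

# Constructed sample mirroring the fix from the mail: token removed,
# searchwords is the only parameter.
FIXED_XML = f"""<OpenSearchDescription xmlns="{OS_NS}">
  <ShortName>pkgdb</ShortName>
  <Url type="text/html" method="GET"
       template="https://admin.fedoraproject.org/pkgdb/acls/list/?searchwords=*{{searchTerms}}*"/>
</OpenSearchDescription>"""

CSRF_PARAM_NAMES = {"_csrf_token", "csrf_token", "csrftoken"}  # assumed names

def lint_template(template: str) -> list[str]:
    """Return the findings for one OpenSearch template URL."""
    findings = []
    # urlsplit ends the path at the first '?'; any further '?' lands in the
    # query, where it is a literal character and not a parameter separator.
    parts = urlsplit(template)
    if "?" in parts.query:
        findings.append("second '?' in query string; use '&' to separate parameters")
    # A CSRF parameter whose value is a fixed string (no {placeholder}) is
    # shipped to every client, so it cannot be hard to guess.
    for name, value in parse_qsl(parts.query.replace("?", "&"), keep_blank_values=True):
        if name.lower() in CSRF_PARAM_NAMES and "{" not in value:
            findings.append(f"static CSRF token embedded as parameter '{name}'")
    return findings

def lint_opensearch(xml_text: str) -> list[str]:
    """Lint every <Url> template in an OpenSearch description document."""
    root = ET.fromstring(xml_text)
    findings = []
    for url in root.iter(f"{{{OS_NS}}}Url"):
        findings.extend(lint_template(url.get("template", "")))
    return findings

if __name__ == "__main__":
    print(lint_opensearch(BROKEN_XML))  # two findings
    print(lint_opensearch(FIXED_XML))   # []
```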