Greetings all,

I've been researching the CSRF exploit and how it affects our web apps recently. The short story is that our code is pretty open to this at the moment. I've written up a proposal for fixing this, but it will require a lot of coding, so I'd love to have some more eyes on it to make sure I'm not making any stupid mistakes.

The proposal is here: https://fedorahosted.org/fas/wiki/CSRF

The ticket for the overall CSRF fixing is here: https://fedorahosted.org/fedora-infrastructure/ticket/992

I consider fixing this to be a fairly high priority, so I'll be starting work on implementing this for a few pkgdb methods very soon. Assuming the technique works, we'll need to port every method that can change data in every app to use this.

-Toshio
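To make concrete what "porting every data-changing method" looks like, here is an added illustration of the synchronizer-token pattern (a per-session token that a cross-site page cannot know) applied as a guard on a state-changing handler. This is example code written for this post, not the FAS proposal or pkgdb's code; `Request`, `remove_package_acl` and the parameter name `_csrf_token` are assumptions.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (constructed here; in practice loaded from config).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive the CSRF token for a session. Without SERVER_SECRET a forger
    cannot compute it, and the browser never sends it automatically."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""

    def __init__(self, method: str, session_id: str, params: dict):
        self.method = method          # HTTP verb
        self.session_id = session_id  # from the session cookie, sent automatically
        self.params = params          # query/form parameters, under attacker control


def require_csrf_token(handler):
    """Decorator for every method that can change data: reject the call
    unless the submitted token matches the one bound to this session.
    Checked on all verbs, since a data-changing GET is just as forgeable."""

    def wrapped(request: Request, *args, **kwargs):
        submitted = request.params.get("_csrf_token")
        expected = csrf_token_for(request.session_id)
        # compare_digest avoids leaking the token through timing differences
        if not submitted or not hmac.compare_digest(submitted, expected):
            return (403, "CSRF token missing or invalid")
        return handler(request, *args, **kwargs)

    return wrapped


@require_csrf_token
def remove_package_acl(request: Request):
    """Hypothetical data-changing pkgdb-style method."""
    return (200, "acl removed for %s" % request.params["pkg"])
```

The forged request carries the victim's session cookie but no token and is refused; a legitimate form, which rendered `csrf_token_for(session)` into a hidden field, goes through.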
Fedora-infrastructure-list mailing list: Fedora-infrastructure-list@xxxxxxxxxx, https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list