On Mon, 24 Nov 2008, Toshio Kuratomi wrote:

> Greetings all,
>
> I've been researching the CSRF exploit and how it affects our web apps
> recently. The short story is that our code is pretty open to this at
> the moment. I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to make
> sure I'm not making any stupid mistakes.
>
> The proposal is here:
> https://fedorahosted.org/fas/wiki/CSRF
>
> The ticket for the overall CSRF fixing is here:
> https://fedorahosted.org/fedora-infrastructure/ticket/992
>
> I consider fixing this to be a fairly high priority so I'll be starting
> work on implementing this for a few pkgdb methods very soon. Assuming
> the technique works we'll need to port every method that can change data
> in every app to use this.

This is well reasoned and insightful. After F10 ships I've got a couple of things in the pipe to flush out, but after that I'll work with you to get the major issues fixed as quickly as possible.

-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list