On Fri, 16 Mar 2012 09:23:19 -0600 Ken Dreyer <ktdreyer@xxxxxxxxxxxx> wrote:

> On Fri, Mar 16, 2012 at 8:08 AM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > Can you give an example of a url it gives you that hits a 500 ?
>
> Hi Kevin,
>
> Thanks for responding. Today pkgdb isn't giving a 500 error, oddly
> enough.
>
> I fired up the HttpFox extension, and here's what is being loaded when
> I enter the word "test" in the search bar.
>
> (long CSRF string snipped)
> GET
> https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=...?searchwords=*test*
>
> The fact that there are two separate question marks in this URL looks
> odd to me. The searchwords parameter should probably be prepended with
> an ampersand to make this a valid URL. I looked at the OpenSearch
> definition in my Firefox profile:
>
> ~/.mozilla/firefox/<snip>.default/searchplugins/fedora-pkgdb-packages.xml
>
> To fix this, I just stripped out the csrf token parameter altogether.
> The following now works for me:
>
> <os:Url type="text/html" method="GET"
> template="https://admin.fedoraproject.org/pkgdb/acls/list/?">
>
> Maybe you would be able to do a similar fix on the Fedora web servers,
> to fix the definition there?

It looks like this file is shipped as part of packagedb itself. Would
you be willing to file a bug there with the fix?

https://fedorahosted.org/packagedb/newticket

If not, I can try and do so...

> I'm a CSRF newbie, but it strikes me as odd that a static csrf token
> string would be embedded into the OpenSearch definition itself:
> https://admin.fedoraproject.org/pkgdb/opensearch/pkgdb_packages.xml .
> Not only does it break the searches, but it seems like that defeats
> the point of having hard-to-guess CSRF tokens.

Yeah, that seems wrong to me as well. It shouldn't need to be there at
all.

kevin
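An added example, not code from the thread or from packagedb: a small Python checker that reads an OpenSearch description, flags a <Url> template whose query string already carries a static CSRF-style parameter (the situation Ken describes, which also yields the double "?" once a search term is appended with a bare "?"), and strips the parameter the way Ken did by hand. The XML sample and the token value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OS_NS = "{http://a9.com/-/spec/opensearch/1.1/}"

# Constructed sample modelled on the pkgdb definition discussed in the thread;
# PLACEHOLDER_TOKEN stands in for the token and is not a real value.
SAMPLE_XML = """<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Fedora Packages</ShortName>
  <Url type="text/html" method="GET"
       template="https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=PLACEHOLDER_TOKEN"/>
</OpenSearchDescription>"""


def url_templates(xml_text):
    """Return the template attribute of every <Url> in an OpenSearch description."""
    root = ET.fromstring(xml_text)
    return [u.get("template", "") for u in root.iter(OS_NS + "Url")]


def audit_template(template):
    """Return query keys that look like CSRF tokens baked into the template.

    A CSRF token is meant to be per-session and unguessable; a fixed one in a
    public search definition is the problem raised in the thread."""
    query = parse_qsl(urlsplit(template).query, keep_blank_values=True)
    return [key for key, _ in query if "csrf" in key.lower()]


def strip_params(template, keys):
    """Drop the named parameters from the template's query string."""
    parts = urlsplit(template)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in keys]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def naive_join(template, params):
    """Append search params with a bare '?', reproducing the malformed URL."""
    return template + "?" + urlencode(params)


def join_query(template, params):
    """Append search params so the result has exactly one query string."""
    parts = urlsplit(template)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(existing + list(params.items()))))


if __name__ == "__main__":
    for tpl in url_templates(SAMPLE_XML):
        bad = audit_template(tpl)
        print("static token params:", bad)
        print("naive join:", naive_join(tpl, {"searchwords": "*test*"}))
        fixed = strip_params(tpl, bad)
        print("fixed template:", fixed)
        print("search URL:", join_query(fixed, {"searchwords": "*test*"}))
```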
--
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites