pkgdb opensearch
Kevin Fenzi
kevin at scrye.com
Mon Mar 19 15:05:29 UTC 2012
On Fri, 16 Mar 2012 09:23:19 -0600
Ken Dreyer <ktdreyer at ktdreyer.com> wrote:
> On Fri, Mar 16, 2012 at 8:08 AM, Kevin Fenzi <kevin at scrye.com> wrote:
> > Can you give an example of a url it gives you that hits a 500 ?
>
> Hi Kevin,
>
> Thanks for responding. Today pkgdb isn't giving a 500 error, oddly
> enough.
>
> I fired up the HttpFox extension, and here's what is being loaded when
> I enter the word "test" in the search bar.
>
> (long CSRF string snipped)
> GET
> https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=...?searchwords=*test*
>
> The fact that there are two separate question marks in this URL looks
> odd to me. The searchwords parameter should probably be prepended with
> an ampersand to make this a valid URL. I looked at the OpenSearch
> definition in my Firefox profile:
>
> ~/.mozilla/firefox/<snip>.default/searchplugins/fedora-pkgdb-packages.xml
>
> To fix this, I just stripped out the csrf token parameter altogether.
> The following now works for me:
>
> <os:Url type="text/html" method="GET"
> template="https://admin.fedoraproject.org/pkgdb/acls/list/?">
>
> Maybe you would be able to do a similar fix on the Fedora web servers,
> to fix the definition there?
It looks like this file is shipped as part of packagedb itself.
Would you be willing to file a bug there with the fix?
https://fedorahosted.org/packagedb/newticket
If not, I can try and do so...
> I'm a CSRF newbie, but it strikes me as odd that a static csrf token
> string would be embedded into the OpenSearch definition itself:
> https://admin.fedoraproject.org/pkgdb/opensearch/pkgdb_packages.xml .
> Not only does it break the searches, but it seems like that defeats
> the point of having hard-to-guess CSRF tokens.
Yeah, that seems wrong to me as well. It shouldn't need to be there at
all.
kevin
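The two problems raised in the thread, a template whose appended parameter introduces a second "?" and a per-session CSRF token baked into a static file that every user downloads, are both things a small lint over the OpenSearch description can catch. The following is an added example, not code from pkgdb or the Fedora web servers: the sample XML is constructed to mirror the quoted definition (the token value is a placeholder, not a real pkgdb token), and the "fixed" form shown is one valid correction, not necessarily the one adopted upstream.

```python
# Added example, not pkgdb's own code: lint an OpenSearch description for a
# malformed query string and for secret-looking parameters, then rebuild the
# template without them. Sample XML below is constructed for this example.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OS_NS = "http://a9.com/-/spec/opensearch/1.1/"

# Mirrors the broken definition quoted in the thread; PLACEHOLDER stands in
# for the real token value, which is not reproduced here.
BROKEN_TEMPLATE = ("https://admin.fedoraproject.org/pkgdb/acls/list/"
                   "?_csrf_token=PLACEHOLDER?searchwords=*{searchTerms}*")

BROKEN_XML = f"""<OpenSearchDescription xmlns="{OS_NS}">
  <ShortName>Fedora Packages</ShortName>
  <Url type="text/html" method="GET" template="{BROKEN_TEMPLATE}"/>
</OpenSearchDescription>
"""

# One valid corrected form (an assumption, not the exact upstream fix):
# no token, a single "?", and {searchTerms} where the browser puts the query.
FIXED_XML = f"""<OpenSearchDescription xmlns="{OS_NS}">
  <ShortName>Fedora Packages</ShortName>
  <Url type="text/html" method="GET"
       template="https://admin.fedoraproject.org/pkgdb/acls/list/?searchwords=*{{searchTerms}}*"/>
</OpenSearchDescription>
"""


def _looks_like_secret(name: str) -> bool:
    """Parameter names that should never be baked into a shared, static file."""
    name = name.lower()
    return any(word in name for word in ("csrf", "token", "session"))


def normalize_query_delimiters(template: str) -> str:
    """Only the first '?' starts the query; any later one must be '&'."""
    head, sep, tail = template.partition("?")
    return head + sep + tail.replace("?", "&")


def lint_template(template: str) -> list[str]:
    """Return human-readable findings for one OpenSearch Url template."""
    findings = []
    if template.count("?") > 1:
        findings.append("malformed URL: more than one '?'")
    if "{searchTerms}" not in template:
        findings.append("no {searchTerms} placeholder for the query")
    query = urlsplit(normalize_query_delimiters(template)).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if _looks_like_secret(name):
            findings.append(
                f"static secret: {name!r} is served identically to every user")
    return findings


def lint_opensearch(xml_text: str) -> dict[str, list[str]]:
    """Map each Url template in the description to its findings."""
    root = ET.fromstring(xml_text)
    return {url.get("template", ""): lint_template(url.get("template", ""))
            for url in root.iter(f"{{{OS_NS}}}Url")}


def strip_static_secrets(template: str) -> str:
    """Rebuild the template with delimiters fixed and secret parameters dropped."""
    parts = urlsplit(normalize_query_delimiters(template))
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not _looks_like_secret(k)]
    # safe="*{}" keeps the OpenSearch placeholder and the wildcards unencoded.
    return urlunsplit(parts._replace(query=urlencode(kept, safe="*{}")))


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        for template, findings in lint_opensearch(doc).items():
            print(label, template, findings or ["ok"])
    print("repaired:", strip_static_secrets(BROKEN_TEMPLATE))
```

The secret check is a name heuristic ("csrf", "token", "session"), which is enough for a file you review by hand; the point it encodes is the one made above: a value that is meant to be unguessable per session cannot also be a fixed string in a description file served to everyone.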