On Fri, Mar 16, 2012 at 8:08 AM, Kevin Fenzi <kevin(a)scrye.com> wrote:
> Can you give an example of a URL it gives you that hits a 500?
Thanks for responding. Today pkgdb isn't giving a 500 error, oddly enough.
I fired up the HttpFox extension, and here's what is being loaded when
I enter the word "test" in the search bar.
(long CSRF string snipped)
The fact that there are two separate question marks in this URL looks
odd to me. The searchwords parameter should probably be prepended with
an ampersand to make this a valid URL. I looked at the OpenSearch
definition in my Firefox profile:
To fix this, I just stripped out the csrf token parameter altogether.
The following now works for me:
<os:Url type="text/html" method="GET"
Maybe you would be able to do a similar fix on the Fedora web servers,
to fix the definition there?
I'm a CSRF newbie, but it strikes me as odd that a static csrf token
string would be embedded into the OpenSearch definition itself:
Not only does it break the searches, but it seems like that defeats
the point of having hard-to-guess CSRF tokens.
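
Added example, not part of the original message or of the pkgdb code: a small Python audit of an OpenSearch definition for the two problems described above, a second `?` in the URL template and a fixed value baked into a token-like parameter. Only the `searchwords` parameter comes from the message; the host `pkgdb.example`, the parameter name `csrf_token` and its value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

OS_NS = "http://a9.com/-/spec/opensearch/1.1/"
TOKEN_HINT = re.compile(r"csrf|token|nonce", re.I)  # assumed naming heuristic
PLACEHOLDER = re.compile(r"\{[^}]+\}")               # e.g. {searchTerms}

# Constructed sample: a definition shaped like the broken one described
# in the message (host, token name and token value are placeholders).
BROKEN = f"""<SearchPlugin xmlns:os="{OS_NS}">
  <os:Url type="text/html" method="GET"
    template="https://pkgdb.example/search?csrf_token=0123abcd?searchwords={{searchTerms}}"/>
</SearchPlugin>"""
# The fix from the message: strip the token parameter altogether.
FIXED = BROKEN.replace("csrf_token=0123abcd?", "")


def audit_template(template):
    """Return a list of findings for one OpenSearch URL template."""
    findings = []
    if template.count("?") > 1:
        findings.append("multiple '?' separators: later parameters are "
                        "absorbed into the preceding value")
    query = urlsplit(template).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Whatever remains after removing {placeholders} is hard-coded.
        static = PLACEHOLDER.sub("", value)
        if TOKEN_HINT.search(name) and static:
            findings.append(f"static value baked into token parameter '{name}'")
    return findings


def audit_definition(xml_text):
    """Audit every <os:Url> element; map template -> list of findings."""
    root = ET.fromstring(xml_text)
    results = {}
    for url in root.iter(f"{{{OS_NS}}}Url"):
        template = url.get("template", "")
        results[template] = audit_template(template)
    return results


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        for template, findings in audit_definition(doc).items():
            print(label, template)
            for finding in findings or ["no findings"]:
                print("   -", finding)
```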