A few weeks ago, I noticed that the OpenSearch tool for pkgdb broke. I used to use this all the time in my Firefox search bar to search for Fedora packages by name. Now, it just gives a "500 Internal error" whenever I do a search.
The regular search still works, it's just OpenSearch that's broken.
- Ken
On Wed, 14 Mar 2012 18:38:22 -0600 Ken Dreyer ktdreyer@ktdreyer.com wrote:
> A few weeks ago, I noticed that the OpenSearch tool for pkgdb broke. I used to use this all the time in my Firefox search bar to search for Fedora packages by name. Now, it just gives a "500 Internal error" whenever I do a search.
> The regular search still works, it's just OpenSearch that's broken.
Can you give an example of a url it gives you that hits a 500 ?
kevin
On Fri, Mar 16, 2012 at 8:08 AM, Kevin Fenzi kevin@scrye.com wrote:
> Can you give an example of a url it gives you that hits a 500 ?
Hi Kevin,
Thanks for responding. Today pkgdb isn't giving a 500 error, oddly enough.
I fired up the HttpFox extension, and here's what is being loaded when I enter the word "test" in the search bar.
GET https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=...?searchwords... (long CSRF string snipped)
The fact that there are two separate question marks in this URL looks odd to me. The searchwords parameter should probably be prepended with an ampersand to make this a valid URL. I looked at the OpenSearch definition in my Firefox profile:
~/.mozilla/firefox/<snip>.default/searchplugins/fedora-pkgdb-packages.xml
To fix this, I just stripped out the csrf token parameter altogether. The following now works for me:
<os:Url type="text/html" method="GET" template="https://admin.fedoraproject.org/pkgdb/acls/list/?">
Maybe you would be able to do a similar fix on the Fedora web servers, to fix the definition there?
I'm a CSRF newbie, but it strikes me as odd that a static csrf token string would be embedded into the OpenSearch definition itself: https://admin.fedoraproject.org/pkgdb/opensearch/pkgdb_packages.xml . Not only does it break the searches, but it seems like that defeats the point of having hard-to-guess CSRF tokens.
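One way to check an OpenSearch description for the two problems Ken describes, the second "?" in the URL template and a static CSRF token shipped in a publicly fetchable document, as an added Python example (not code from pkgdb or Fedora infrastructure). The sample XML, the token value and the {searchTerms} placeholder are constructed assumptions; the linter also rewrites the template the way Ken's manual fix did, by dropping the token parameter.

```python
"""Lint an OpenSearch description for a malformed query string and for a
static CSRF token embedded in the public search template, then emit a
repaired copy.  Added example; not code from pkgdb or Fedora infra."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

OS_NS = "http://a9.com/-/spec/opensearch/1.1/"

# Constructed sample mimicking the broken definition described in the
# thread.  The token value "deadbeef0123" is made up; the {searchTerms}
# placeholder is the standard OpenSearch substitution parameter (assumed).
BROKEN_XML = """<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Fedora pkgdb packages</ShortName>
  <Url type="text/html" method="GET"
       template="https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=deadbeef0123?searchwords={searchTerms}"/>
</OpenSearchDescription>
"""

# Parameter names treated as CSRF tokens (hypothetical list for the example).
TOKEN_PARAMS = {"_csrf_token", "csrf_token", "csrfmiddlewaretoken"}


def _params(query):
    """Parse a query string, tolerating a stray '?' used where '&' belongs."""
    return parse_qsl(query.replace("?", "&"), keep_blank_values=True)


def lint_template(template):
    """Return a list of findings for one <Url> template."""
    findings = []
    split = urlsplit(template)
    if "?" in split.query:
        # urlsplit stops at the first '?'; a second one means the
        # parameters were glued together with '?' instead of '&'.
        findings.append("malformed query string: second '?' where '&' belongs")
    for name, value in _params(split.query):
        # A token whose value is a literal (no {placeholder}) is the same
        # for every client that downloads this public XML, so it cannot
        # prove anything about who is making the request.
        if name in TOKEN_PARAMS and "{" not in value:
            findings.append(f"static CSRF token embedded in public template: {name}")
    return findings


def fix_template(template):
    """Drop token parameters and normalise separators; keep {placeholders}."""
    split = urlsplit(template)
    kept = [(n, v) for n, v in _params(split.query) if n not in TOKEN_PARAMS]
    # safe="{}" stops urlencode from percent-encoding the braces, which
    # would prevent the browser from substituting {searchTerms}.
    query = urlencode(kept, safe="{}")
    return urlunsplit((split.scheme, split.netloc, split.path, query, split.fragment))


def lint_document(xml_text):
    """Map each <Url> template in the description to its findings."""
    root = ET.fromstring(xml_text)
    return {url.get("template"): lint_template(url.get("template"))
            for url in root.iter(f"{{{OS_NS}}}Url")}


def fix_document(xml_text):
    """Return the description with every <Url> template repaired."""
    ET.register_namespace("", OS_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    for url in root.iter(f"{{{OS_NS}}}Url"):
        url.set("template", fix_template(url.get("template")))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for template, findings in lint_document(BROKEN_XML).items():
        print(template)
        for finding in findings:
            print("  -", finding)
    print(fix_document(BROKEN_XML))
```

Run against the constructed sample it reports both findings and produces a template that ends in `?searchwords={searchTerms}`, the shape Ken arrived at by hand; re-linting the repaired document yields no findings. Note that the lint only flags a token whose value is a literal; a per-session token would still have no business in a GET search URL, but that is a design question rather than something a document-level check can decide.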
On Fri, 16 Mar 2012 09:23:19 -0600 Ken Dreyer ktdreyer@ktdreyer.com wrote:
> > On Fri, Mar 16, 2012 at 8:08 AM, Kevin Fenzi kevin@scrye.com wrote:
> > Can you give an example of a url it gives you that hits a 500 ?
> Hi Kevin,
> Thanks for responding. Today pkgdb isn't giving a 500 error, oddly enough.
> I fired up the HttpFox extension, and here's what is being loaded when I enter the word "test" in the search bar.
> GET https://admin.fedoraproject.org/pkgdb/acls/list/?_csrf_token=...?searchwords... (long CSRF string snipped)
> The fact that there are two separate question marks in this URL looks odd to me. The searchwords parameter should probably be prepended with an ampersand to make this a valid URL. I looked at the OpenSearch definition in my Firefox profile:
> ~/.mozilla/firefox/<snip>.default/searchplugins/fedora-pkgdb-packages.xml
> To fix this, I just stripped out the csrf token parameter altogether. The following now works for me:
> <os:Url type="text/html" method="GET" template="https://admin.fedoraproject.org/pkgdb/acls/list/?">
> Maybe you would be able to do a similar fix on the Fedora web servers, to fix the definition there?
It looks like this file is shipped as part of packagedb itself.
Would you be willing to file a bug there with the fix? https://fedorahosted.org/packagedb/newticket
If not, I can try and do so...
> I'm a CSRF newbie, but it strikes me as odd that a static csrf token string would be embedded into the OpenSearch definition itself: https://admin.fedoraproject.org/pkgdb/opensearch/pkgdb_packages.xml . Not only does it break the searches, but it seems like that defeats the point of having hard-to-guess CSRF tokens.
Yeah, that seems wrong to me as well. It shouldn't need to be there at all.
kevin
On Mon, Mar 19, 2012 at 9:05 AM, Kevin Fenzi kevin@scrye.com wrote:
> > To fix this, I just stripped out the csrf token parameter altogether. The following now works for me:
> > <os:Url type="text/html" method="GET" template="https://admin.fedoraproject.org/pkgdb/acls/list/?">
> > Maybe you would be able to do a similar fix on the Fedora web servers, to fix the definition there?
> It looks like this file is shipped as part of packagedb itself.
> Would you be willing to file a bug there with the fix? https://fedorahosted.org/packagedb/newticket
Thanks. I finally found time to open a ticket, at https://fedorahosted.org/packagedb/ticket/233
- Ken
websites@lists.fedoraproject.org