Fixing CSRF exploits in Infrastructure

Toshio Kuratomi a.badger at
Mon Nov 24 20:31:50 UTC 2008

Greetings all,

I've been researching the CSRF exploit and how it affects our web apps
recently.  The short story is that our code is pretty open to this at
the moment.  I've written up a proposal for fixing this but it will
require a lot of coding so I'd love to have some more eyes on it to make
sure I'm not making any stupid mistakes.

The proposal is here::

The ticket for the overall CSRF fixing is here::

I consider fixing this to be a fairly high priority so I'll be starting
work on implementing this for a few pkgdb methods very soon.  Assuming
the technique works we'll need to port every method that can change data
in every app to use this.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : 

More information about the infrastructure mailing list