Fixing CSRF exploits in Infrastructure
Toshio Kuratomi
a.badger at gmail.com
Mon Nov 24 20:31:50 UTC 2008
Greetings all,
I've been researching the CSRF exploit and how it affects our web apps
recently. The short story is that our code is pretty open to this at
the moment. I've written up a proposal for fixing this but it will
require a lot of coding so I'd love to have some more eyes on it to make
sure I'm not making any stupid mistakes.
The proposal is here::
https://fedorahosted.org/fas/wiki/CSRF
The ticket for the overall CSRF fixing is here::
https://fedorahosted.org/fedora-infrastructure/ticket/992
I consider fixing this to be a fairly high priority so I'll be starting
work on implementing this for a few pkgdb methods very soon. Assuming
the technique works we'll need to port every method that can change data
in every app to use this.
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20081124/e196cc38/attachment.bin
More information about the infrastructure
mailing list