Fixing CSRF exploits in Infrastructure

Mike McGrath mmcgrath at
Mon Nov 24 21:12:28 UTC 2008

On Mon, 24 Nov 2008, Toshio Kuratomi wrote:

> Greetings all,
> I've been researching the CSRF exploit and how it affects our web apps
> recently.  The short story is that our code is pretty open to this at
> the moment.  I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to make
> sure I'm not making any stupid mistakes.
> The proposal is here::
> The ticket for the overall CSRF fixing is here::
> I consider fixing this to be a fairly high priority so I'll be starting
> work on implementing this for a few pkgdb methods very soon.  Assuming
> the technique works we'll need to port every method that can change data
> in every app to use this.

This is well reasoned and insightful.  After F10 ships I've got a couple of
things in the pipe to flush out but after that I'll work with you to get
the major issues fixed as quickly as possible.


More information about the infrastructure mailing list