Fixing CSRF exploits in Infrastructure
Mike McGrath
mmcgrath at redhat.com
Mon Nov 24 21:12:28 UTC 2008
On Mon, 24 Nov 2008, Toshio Kuratomi wrote:
> Greetings all,
>
> I've been researching the CSRF exploit and how it affects our web apps
> recently. The short story is that our code is pretty open to this at
> the moment. I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to make
> sure I'm not making any stupid mistakes.
>
> The proposal is here::
> https://fedorahosted.org/fas/wiki/CSRF
>
> The ticket for the overall CSRF fixing is here::
> https://fedorahosted.org/fedora-infrastructure/ticket/992
>
> I consider fixing this to be a fairly high priority so I'll be starting
> work on implementing this for a few pkgdb methods very soon. Assuming
> the technique works we'll need to port every method that can change data
> in every app to use this.
>
This is well reasoned and insightful. After F10 ships I've got a couple of
things in the pipe to flush out but after that I'll work with you to get
the major issues fixed as quickly as possible.
-Mike