Fixing CSRF exploits in Infrastructure

John Palmieri johnp at
Tue Nov 25 21:18:22 UTC 2008

I've read the document and it is pretty well thought out.  A couple of comments - for the JavaScript parts wouldn't that be better to setup as an included file which also pulls in a JS library?  Just so people aren't copying and pasting?  That way you will also be able to extend the functionality if need be and app developers would have to worry about one line of code instead of 10.

As for myfedora this is pretty straight forward as we can use the middleware layer to inject the javascript variables and do the hashing and double authentication.  Most of our modification requests will be going over json so a javascript layer would work there too.  We can then simply have our proxies pass the hash onto the ProxyClients.  It is still a chain of trust where you trust our servers have implemented the protocol correctly and we aren't just hashing the cookie when it has to pass it to the proxy client.

The only way to fix the man in the middle trust issue would be to have the client somehow sign the session hash, but even then, the client would have to register a public key on a server you trust.  

----- "Toshio Kuratomi" <a.badger at> wrote:

> Greetings all,
> I've been researching the CSRF exploit and how it affects our web
> apps
> recently.  The short story is that our code is pretty open to this at
> the moment.  I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to
> make
> sure I'm not making any stupid mistakes.
> The proposal is here::
> The ticket for the overall CSRF fixing is here::
> I consider fixing this to be a fairly high priority so I'll be
> starting
> work on implementing this for a few pkgdb methods very soon. 
> Assuming
> the technique works we'll need to port every method that can change
> data
> in every app to use this.
> -Toshio
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at

John (J5) Palmieri
Software Engineer
Red Hat, Inc.

More information about the infrastructure mailing list