Fixing CSRF exploits in Infrastructure
a.badger at gmail.com
Tue Nov 25 21:47:27 UTC 2008
John Palmieri wrote:
implementation, fedora.dojo.BaseClient.start_request(), that I've been
working on. However, not everyone wants to use dojo so people are
a standard library on which these things can be built :-(
Exactly :-) We are just fixing a hole that the same-origin policy
leaves open in the browser's security model. A non-browser origin is
virtually unaffected by this (it has to send more information but it has
access to all the necessary pieces to generate that information). Since
MyFedora is proxying the authentication tokens, it effectively becomes
the client for the other apps. So those apps have to trust that
MyFedora is doing the right thing and verifying the CSRF tokens that are
submitted to it. We humans, can audit the code of course :-)
> The only way to fix the man in the middle trust issue would be to have the client somehow sign the session hash, but even then, the client would have to register a public key on a server you trust.
There's several different trust issues wrapped up in the proxying server
case and the one that this would solve is the least of our worries :-).
It also isn't solvable while keeping the web pages fully accessible
(because code would have to execute on the client's machine in order to
sign the token).
> ----- "Toshio Kuratomi" <a.badger at gmail.com> wrote:
>> Greetings all,
>> I've been researching the CSRF exploit and how it affects our web
>> recently. The short story is that our code is pretty open to this at
>> the moment. I've written up a proposal for fixing this but it will
>> require a lot of coding so I'd love to have some more eyes on it to
>> sure I'm not making any stupid mistakes.
>> The proposal is here::
>> The ticket for the overall CSRF fixing is here::
>> I consider fixing this to be a fairly high priority so I'll be
>> work on implementing this for a few pkgdb methods very soon.
>> the technique works we'll need to port every method that can change
>> in every app to use this.
>> Fedora-infrastructure-list mailing list
>> Fedora-infrastructure-list at redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20081125/171535b1/attachment.bin
More information about the infrastructure