Fixing CSRF exploits in Infrastructure

Toshio Kuratomi a.badger at gmail.com
Tue Nov 25 23:54:52 UTC 2008


Till Maas wrote:
> On Tue November 25 2008, Toshio Kuratomi wrote:
>> Till Maas wrote:
> 
>>> It is recommended to not use GET requests to change state on the server,
>>> therefore it would be probably better to change these GET requests to
>>> POST requests.
>> The proposal doesn't specifically mention POST there as well but it
>> should to make things clearer:
>>
>> "Every time we submit a form or make a GET request that can change state
>> on the server"
>>
>> s/submit/POST/
>> /me changes that now.
>>
>> The reasons the proposal is explicit about GET are:
>>
>> 1) We'd have to constantly audit code for places where GET is being used
>> to alter state and change that.  This is doable if the app authors are
>> aware of this but not so scalable if it's me going through and making
>> those changes.
> 
> Now I am confused. Do you want to require the token for every request of an 
> authenticated user then, regardless of whether or not they can change state 
> on the server?
> 
To be easy to code, require the token for every request of an
authenticated user.

-Toshio
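As an added illustration of the policy Toshio settles on above (token checked on every request of an authenticated user, GET included), here is a small stand-alone gate written for this note; it is not code from the thread or from Fedora Infrastructure. The parameter name `_csrf_token`, the session layout and the two sample routes are assumptions made for the example.

```python
import hmac
import secrets

# Constructed example: a per-session CSRF gate that runs on every request
# of an authenticated user regardless of HTTP method, so state-changing
# GET handlers are covered without having to audit for them first.
# TOKEN_FIELD, the session dict shape and the routes are assumptions.

TOKEN_FIELD = "_csrf_token"  # hypothetical form/query parameter name


def new_session(user):
    """Create a session for a logged-in user with a fresh random token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def csrf_ok(session, params):
    """Return True if the request carries this session's CSRF token.

    Anonymous sessions have no token and pass: there is no authenticated
    state for a forged request to abuse. Authenticated sessions must
    present the token on every request, GET or POST.
    """
    if session is None or session.get("user") is None:
        return True
    supplied = params.get(TOKEN_FIELD)
    expected = session.get("csrf_token")
    if not supplied or not expected:
        return False
    # constant-time comparison so the token cannot be guessed via timing
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle(session, method, path, params):
    """Tiny dispatcher: reject any authenticated request lacking the token."""
    if not csrf_ok(session, params):
        return 403, "CSRF token missing or invalid"
    # handler bodies are placeholders; only the gate above matters here
    if method == "GET" and path == "/delete":  # a GET that changes state
        return 200, "deleted"
    if method == "POST" and path == "/save":
        return 200, "saved"
    return 200, "ok"


def demo():
    """Constructed requests: forged GET, forged POST, genuine GET, anonymous."""
    sess = new_session("alice")
    tok = sess["csrf_token"]
    forged_get = handle(sess, "GET", "/delete", {})
    forged_post = handle(sess, "POST", "/save", {TOKEN_FIELD: "wrong"})
    real_get = handle(sess, "GET", "/delete", {TOKEN_FIELD: tok})
    anon = handle(None, "GET", "/delete", {})
    return forged_get[0], forged_post[0], real_get[0], anon[0]


if __name__ == "__main__":
    print(demo())  # (403, 403, 200, 200)
```

The gate sits in front of the handlers rather than inside them, which is what makes the blanket policy cheap to apply: a forged cross-site request cannot read the victim's session token, so it fails the check whether it arrives as a GET link or a submitted form.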
