[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fixing CSRF exploits in Infrastructure



Greetings all,

I've been researching the CSRF exploit and how it affects our web apps
recently.  The short story is that our code is pretty open to this at
the moment.  I've written up a proposal for fixing this but it will
require a lot of coding so I'd love to have some more eyes on it to make
sure I'm not making any stupid mistakes.

The proposal is here::
  https://fedorahosted.org/fas/wiki/CSRF

The ticket for the overall CSRF fixing is here::
  https://fedorahosted.org/fedora-infrastructure/ticket/992

I consider fixing this to be a fairly high priority so I'll be starting
work on implementing this for a few pkgdb methods very soon.  Assuming
the technique works we'll need to port every method that can change data
in every app to use this.

-Toshio

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]