[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fixing CSRF exploits in Infrastructure

Greetings all,

I've been researching the CSRF exploit and how it affects our web apps
recently.  The short story is that our code is pretty open to this at
the moment.  I've written up a proposal for fixing this but it will
require a lot of coding so I'd love to have some more eyes on it to make
sure I'm not making any stupid mistakes.

The proposal is here::

The ticket for the overall CSRF fixing is here::

I consider fixing this to be a fairly high priority so I'll be starting
work on implementing this for a few pkgdb methods very soon.  Assuming
the technique works we'll need to port every method that can change data
in every app to use this.


Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]