[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fixing CSRF exploits in Infrastructure



On Mon, 24 Nov 2008, Toshio Kuratomi wrote:

> Greetings all,
>
> I've been researching the CSRF exploit and how it affects our web apps
> recently.  The short story is that our code is pretty open to this at
> the moment.  I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to make
> sure I'm not making any stupid mistakes.
>
> The proposal is here::
>   https://fedorahosted.org/fas/wiki/CSRF
>
> The ticket for the overall CSRF fixing is here::
>   https://fedorahosted.org/fedora-infrastructure/ticket/992
>
> I consider fixing this to be a fairly high priority so I'll be starting
> work on implementing this for a few pkgdb methods very soon.  Assuming
> the technique works we'll need to port every method that can change data
> in every app to use this.
>

This is well reasoned and inciteful.  After F10 ships I've got a couple of
things in the pipe to flush out but after that I'll work with you to get
the major issues fixed as quickly as possible.

	-Mike


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]