FS#19771 - {archweb} CSRF verification failed when logging in to the dev website.
Attached to Project:
Arch Linux
Opened by Chris Brannon (cmb) - Friday, 11 June 2010, 19:59 GMT
Last edited by Dan McGee (toofishes) - Monday, 21 June 2010, 00:41 GMT
Details
Description:
When I try to log in to my account on www.archlinux.org, I get a 403 HTTP response, along with a message saying that CSRF verification failed.
Additional info:
* package version(s)
* config and/or log files etc.
Steps to reproduce:
This task depends upon
Closed by Dan McGee (toofishes)
Monday, 21 June 2010, 00:41 GMT
Reason for closing: Works for me
Additional comments about closing: Referer header is required now.
http://www.archlinux.org/login.
I'm a TU. The username on that account is cbrannon.
lynx, and I got the same result. Those are the only browsers I have on
this machine. Maybe it's time for me to get a new browser.
if request.is_secure():
    # Strict referer checking for HTTPS
    referer = request.META.get('HTTP_REFERER')
    if referer is None:
        return reject("Referer checking failed - no Referer.")
    # The following check ensures that the referer is HTTPS,
    # the domains match and the ports match. This might be too strict.
    good_referer = 'https://%s/' % request.get_host()
    if not referer.startswith(good_referer):
        return reject("Referer checking failed - %s does not match %s." %
                      (referer, good_referer))
We're hitting the first case ("Referer checking failed - no Referer."), so it looks like a lot of the text mode browsers don't submit that Referer field when posting.
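Added example, not part of this bug report and not Django's own code: a stand-alone re-implementation of the strict HTTPS Referer check quoted above, run against a few constructed requests so you can see exactly which ones it rejects and why. The names `FakeRequest`, `check_referer` and `demo` are assumptions for this example; `FakeRequest` only imitates the three pieces of Django's `HttpRequest` the check touches.

```python
# Added example (not Django's code, not part of this bug report): a
# stand-alone copy of the strict Referer check from the CSRF middleware,
# run against constructed requests. Names are assumptions for this example.

from typing import Optional


class FakeRequest:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""

    def __init__(self, secure: bool, host: str, referer: Optional[str]):
        self._secure = secure
        self._host = host
        self.META = {}
        if referer is not None:
            self.META['HTTP_REFERER'] = referer

    def is_secure(self) -> bool:
        return self._secure

    def get_host(self) -> str:
        return self._host


def check_referer(request) -> Optional[str]:
    """Return None if the request passes the strict HTTPS Referer check,
    otherwise the rejection reason (same logic as the snippet quoted above)."""
    if not request.is_secure():
        # Plain-HTTP requests are not subject to this branch of the check.
        return None
    referer = request.META.get('HTTP_REFERER')
    if referer is None:
        # This is the case hit in this bug: the browser sent no Referer at all.
        return "Referer checking failed - no Referer."
    # Prefix must be the https scheme, the same host and port, and a trailing
    # slash, so "https://www.archlinux.org.other.example/" does not match.
    good_referer = 'https://%s/' % request.get_host()
    if not referer.startswith(good_referer):
        return "Referer checking failed - %s does not match %s." % (referer, good_referer)
    return None


def demo():
    """Run the check over constructed requests; returns {name: rejection or None}."""
    cases = {
        # text-mode browser (or privacy setting) that sends no Referer: rejected
        'no_referer': FakeRequest(True, 'www.archlinux.org', None),
        # http:// referer on an https form post: rejected
        'http_referer': FakeRequest(True, 'www.archlinux.org', 'http://www.archlinux.org/login/'),
        # referer from a different host: rejected
        'other_host': FakeRequest(True, 'www.archlinux.org', 'https://other.example/login/'),
        # same https origin, any path: accepted
        'good': FakeRequest(True, 'www.archlinux.org', 'https://www.archlinux.org/login/'),
        # plain http request: this branch of the check is not applied
        'plain_http': FakeRequest(False, 'www.archlinux.org', None),
    }
    return {name: check_referer(req) for name, req in cases.items()}


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, '->', 'accepted' if result is None else result)
```

The `no_referer` case is the one the reporter hit: the check cannot tell a same-origin POST from a cross-site one without a Referer, so it fails closed. The `other_host` and `http_referer` cases show what the strict prefix comparison is there to stop, which is why the fix on the user side is to let the browser send a Referer on HTTPS rather than to relax the check.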
that I'm using.
I can turn it on, if need be.
Thanks!