FS#19771 - {archweb} CSRF verification failed when logging in to the dev website.

Attached to Project: Arch Linux
Opened by Chris Brannon (cmb) - Friday, 11 June 2010, 19:59 GMT
Last edited by Dan McGee (toofishes) - Monday, 21 June 2010, 00:41 GMT
Task Type Bug Report
Category Web Sites
Status Closed
Assigned To Dan McGee (toofishes)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When I try to log in to my account on www.archlinux.org, I get
a 403 HTTP response, along with a message saying that
CSRF verification failed.
Closed by Dan McGee (toofishes)
Monday, 21 June 2010, 00:41 GMT
Reason for closing: Works for me
Additional comments about closing: Referer header is required now.
Comment by Thomas Dziedzic (tomd123) - Friday, 11 June 2010, 20:15 GMT
Which account, wiki? forums? aur??? be more specific since I haven't noticed any problems.
Comment by Chris Brannon (cmb) - Friday, 11 June 2010, 20:20 GMT
Sorry, I meant the account reachable from
http://www.archlinux.org/login.
I'm a TU. The username on that account is cbrannon.
Comment by Dan McGee (toofishes) - Friday, 11 June 2010, 21:43 GMT
What are you using to log in, Chris? There is a hidden form field that must be included when submitting that form now that wasn't there before. I have no problems logging in, but I would make sure you are submitting all of the necessary form fields.
Comment by Chris Brannon (cmb) - Friday, 11 June 2010, 22:09 GMT
I'm using a text-mode web browser called edbrowse. I also tried with
lynx, and I got the same result. Those are the only browsers I have on
this machine. Maybe it's time for me to get a new browser.
Comment by Dan McGee (toofishes) - Friday, 11 June 2010, 22:41 GMT
OK, figured out some of this and why I haven't been able to reproduce it locally. From /usr/lib/python2.6/site-packages/django/middleware/csrf.py:

    if request.is_secure():
        # Strict referer checking for HTTPS
        referer = request.META.get('HTTP_REFERER')
        if referer is None:
            return reject("Referer checking failed - no Referer.")

        # The following check ensures that the referer is HTTPS,
        # the domains match and the ports match. This might be too strict.
        good_referer = 'https://%s/' % request.get_host()
        if not referer.startswith(good_referer):
            return reject("Referer checking failed - %s does not match %s." %
                          (referer, good_referer))


We're hitting the first case ("Referer checking failed - no Referer."), so it looks like a lot of the text mode browsers don't submit that Referer field when posting.
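The check quoted above, re-implemented stand-alone so its two reject branches can be exercised against constructed requests. This is an added example, not Django's middleware or archweb code; the `Request` stand-in, the host name and the Referer values are assumptions made for the demonstration, and the function only answers the Referer question, not the full CSRF token check that Django runs afterwards.

```python
"""Stand-alone re-implementation of the strict HTTPS Referer check that the
Django 1.2 CSRF middleware applies (added example, not Django's own code).
Requests and headers below are constructed inline."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Minimal stand-in for the three things the check reads from a real
    request: is_secure(), get_host() and META['HTTP_REFERER'] (assumption)."""
    host: str
    secure: bool
    META: Dict[str, str] = field(default_factory=dict)

    def is_secure(self) -> bool:
        return self.secure

    def get_host(self) -> str:
        return self.host


def check_referer(request: Request) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reject_reason). Mirrors the quoted logic: over HTTPS
    a Referer header is mandatory and must start with 'https://<host>/', so
    scheme, domain and port all have to match; over plain HTTP this particular
    check does nothing and only the hidden token field is checked later."""
    if not request.is_secure():
        return True, None
    referer = request.META.get('HTTP_REFERER')
    if referer is None:
        return False, "Referer checking failed - no Referer."
    good_referer = 'https://%s/' % request.get_host()
    if not referer.startswith(good_referer):
        return False, ("Referer checking failed - %s does not match %s."
                       % (referer, good_referer))
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run the check over constructed cases and return the outcomes."""
    host = 'www.archlinux.org'
    cases = {
        # text-mode browser with Referer disabled: the branch this bug hits
        'no_referer': Request(host, True),
        # a normal browser posting the login form from the same origin
        'same_origin': Request(host, True,
                               {'HTTP_REFERER': 'https://www.archlinux.org/login'}),
        # same host, but the referring page was plain http: scheme mismatch
        'http_referer': Request(host, True,
                                {'HTTP_REFERER': 'http://www.archlinux.org/login'}),
        # an attacker's page on another site driving the form submission
        'cross_site': Request(host, True,
                              {'HTTP_REFERER': 'https://evil.example/csrf.html'}),
        # prefix look-alike domain; the trailing slash in good_referer stops it
        'lookalike': Request(host, True,
                             {'HTTP_REFERER': 'https://www.archlinux.org.evil.example/'}),
        # the port is part of get_host(), so it must match as well
        'port': Request('www.archlinux.org:8443', True,
                        {'HTTP_REFERER': 'https://www.archlinux.org/login'}),
        # plain HTTP: the Referer branch is skipped entirely
        'plain_http': Request(host, False),
    }
    return {name: check_referer(req) for name, req in cases.items()}


if __name__ == '__main__':
    for name, (ok, reason) in demo().items():
        print('%-12s %s %s' % (name, 'accept' if ok else 'reject', reason or ''))
```

The `no_referer` case is the one reported here: a browser that suppresses Referer never reaches the token comparison, so a correct hidden field does not help. The `lookalike` case shows why the trailing slash in `good_referer` matters for a `startswith` comparison.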
Comment by Chris Brannon (cmb) - Friday, 11 June 2010, 22:58 GMT
This is configurable. It's off by default in the two text-mode browsers
that I'm using.
I can turn it on, if need be.

Thanks!