
Re: Security Advisory Update (XSRF issues)

On Thu, Jan 28, 2010 at 10:03 AM, Luke <..hidden..> wrote:
On Thu, 28 Jan 2010, Chris Travers wrote:

For the record, I understood your point 3 as saying what he understood it
to be saying.

So what will actually happen is that the form will be submitted, the user
will be re-authenticated, and the form will be represented sans posting,
at which point it could be resubmitted?

Broadly speaking, that is correct.

On 1.3, technically user reauthentication happens on every request (this is necessary so we can pass that through to the db). However, the issue here is that the form has to be authenticated as well as one sent from the server. The form data is then moved from an invalid/misauthenticated form to a new and valid form, and a notice will be provided to the user why the form was not posted.

The user then just has to review the data and click post again.

For automated scripts, I expect to have a Perl script that can only be run from the command line which connects to the db, generates a form id, and echoes that to standard output.

Hope this helps,
Chris Travers
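The flow described in the reply above (a server-issued form id kept in the database, checked when the form comes back, and on a mismatch the submitted fields carried over into a freshly issued form with a notice instead of being posted), written out as an added Python example. This is not LedgerSMB code: the `open_forms` table, the binding of a form id to a session, one-time use of each id, and the `cli_generate_form_id` helper standing in for the command-line script that echoes an id are all assumptions made for the illustration.

```python
import secrets
import sqlite3
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FormResult:
    posted: bool            # True only when the form id was valid and consumed
    form_id: str            # the id the user should send with the next submit
    data: Dict[str, str]    # the submitted fields, carried over either way
    notice: Optional[str] = None


class FormIdStore:
    """Server-side record of form ids that are still open (assumed schema)."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS open_forms ("
            "id TEXT PRIMARY KEY, session_id TEXT NOT NULL)"
        )

    def issue(self, session_id: str) -> str:
        # Unpredictable id, bound to the session that rendered the form.
        form_id = secrets.token_hex(16)
        self.conn.execute(
            "INSERT INTO open_forms (id, session_id) VALUES (?, ?)",
            (form_id, session_id),
        )
        return form_id

    def consume(self, form_id: str, session_id: str) -> bool:
        # One-time use: the row disappears on first successful check, so a
        # replayed or forged id (wrong session, never issued) fails here.
        cur = self.conn.execute(
            "DELETE FROM open_forms WHERE id = ? AND session_id = ?",
            (form_id, session_id),
        )
        return cur.rowcount == 1


def handle_post(store: FormIdStore, session_id: str,
                submitted: Dict[str, str]) -> FormResult:
    """Process a submitted form; post only if its id authenticates."""
    form_id = submitted.get("form_id", "")
    fields = {k: v for k, v in submitted.items() if k != "form_id"}
    if store.consume(form_id, session_id):
        return FormResult(posted=True, form_id=form_id, data=fields)
    # Invalid or mis-authenticated form: re-present the data on a new,
    # valid form and tell the user why nothing was posted.
    new_id = store.issue(session_id)
    return FormResult(
        posted=False,
        form_id=new_id,
        data=fields,
        notice="Form could not be verified as issued by this server; "
               "review the data and click post again.",
    )


def cli_generate_form_id(conn: sqlite3.Connection, session_id: str) -> str:
    """Stand-in for the command-line generator: connects to the db, issues
    an id, and returns it (the real script would echo it to stdout)."""
    return FormIdStore(conn).issue(session_id)


def demo() -> List[bool]:
    """Constructed scenario; returns whether each submit was posted."""
    conn = sqlite3.connect(":memory:")
    store = FormIdStore(conn)
    outcomes = []
    fid = store.issue("sess-A")
    r1 = handle_post(store, "sess-A", {"form_id": fid, "amount": "10"})
    outcomes.append(r1.posted)                       # genuine submit: posted
    r2 = handle_post(store, "sess-A", {"form_id": fid, "amount": "10"})
    outcomes.append(r2.posted)                       # replay of used id: not posted
    r3 = handle_post(store, "sess-B", {"form_id": r2.form_id, "amount": "5"})
    outcomes.append(r3.posted)                       # id from another session: not posted
    r4 = handle_post(store, "sess-A", {"form_id": r2.form_id, "amount": "10"})
    outcomes.append(r4.posted)                       # reissued id, same session: posted
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point the thread is making shows up in `demo()`: a submission that arrives without an id the server issued to that session is never posted, but the user is not stranded either, since the fields come back on a new form with a notice and a second click posts them.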



Ledger-smb-users mailing list