moksha March 2009

moksha@lists.fedorahosted.org

5 participants
5 discussions

by Luke Macken

Hi everyone, Last night I did a lot of hacking on Moksha's CSRF middleware along with our repoze.who CSRF metadata provider. It seems to be working fine, but I would like a couple more people to review it before we can deem it as safe. Here is the code:: https://fedorahosted.org/moksha/browser/moksha/middleware/csrf.py Test cases:: https://fedorahosted.org/moksha/browser/moksha/tests/functional/test_csrf.py Output of test cases:: CSRFProtectionMiddleware(/) Clearing identity CSRFProtectionMiddleware(/moksha_admin/) Clearing identity CSRFProtectionMiddleware(/login) Clearing identity CSRFMetadataProvider.add_metadata(/login_handler) session cookie= None Invalid session cookie, not setting CSRF token! CSRFMetadataProvider.add_metadata(/post_login) session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!' Identity updated with CSRF token CSRFProtectionMiddleware(/post_login) Auth state... rewriting headers response.location = http://localhost/moksha_admin/?_csrf_token=4290e910c55274607ed54bf6a8df55... CSRFMetadataProvider.add_metadata(/moksha_admin/) session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!' Identity updated with CSRF token CSRFProtectionMiddleware(/moksha_admin/) csrf_token_id in GET User supplied CSRF token match environ! CSRFMetadataProvider.add_metadata(/moksha_admin/) session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!' Identity updated with CSRF token CSRFProtectionMiddleware(/moksha_admin/) csrf_token_id in POST User supplied CSRF token match environ! CSRFMetadataProvider.add_metadata(/moksha_admin/) session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!' Identity updated with CSRF token CSRFProtectionMiddleware(/moksha_admin/) Clearing identity Deleting repoze.who.identity from environ Deleting repoze.what.credentials from environ Invalid CSRF token. User supplied (None) doesn't match what's in our environ (4290e910c55274607ed54bf6a8df551387beeabb) Logging the user out CSRFProtectionMiddleware(/moksha_admin/) csrf_token_id in POST Clearing identity CSRFProtectionMiddleware(/) Clearing identity CSRFProtectionMiddleware(/moksha_admin/) Clearing identity CSRFProtectionMiddleware(/login) Clearing identity CSRFMetadataProvider.add_metadata(/login_handler) session cookie= '' Invalid session cookie, not setting CSRF token! CSRFMetadataProvider.add_metadata(/post_login) session cookie= '091657d7699155ff19603ea6a6440e7a49bfba41manager!' Identity updated with CSRF token CSRFProtectionMiddleware(/post_login) Auth state... rewriting headers response.location = http://localhost/moksha_admin/?_csrf_token=28aca41ba0510496c96b2523e9eece... CSRFMetadataProvider.add_metadata(/moksha_admin/) session cookie= '091657d7699155ff19603ea6a6440e7a49bfba41manager!' Identity updated with CSRF token CSRFProtectionMiddleware(/moksha_admin/) csrf_token_id in POST Clearing identity Deleting repoze.who.identity from environ Deleting repoze.what.credentials from environ Invalid CSRF token. User supplied (4290e910c55274607ed54bf6a8df551387beeabb ) doesn't match what's in our environ (28aca41ba0510496c96b2523e9eece524b4f369e) Logging the user out . ---------------------------------------------------------------------- Ran 1 test in 2.140s OK

15 years, 1 month

2
1
0 / 0

can't make meeting tomorrow

by Máirín Duffy

Hi, Just wanted to let you know that I can't make the meeting tomorrow... there's a usability test I'm helping out with. ~m

15 years, 2 months

1
0
0 / 0

Re: Please fix your bugs in release instead of rawhide!

by Tom Callaway

On 03/11/2009 12:04 PM, Adam Williamson wrote: > Well, I don't really see it that way. Here's my workflow - I come across > a link to an Ubuntu bug report (at launchpad.net), so I go and look at > it, and I see the stuff I like - right at the top I can see that it > exists in, say, Itchy, Scratchy and Dopey(*), as well as in the upstream > code (and I can immediately see the status of the upstream report). This > is the stuff that there's just no good way to do in Bugzilla. Believe > me, I've thought of about sixteen different ways to try and track the > same bug across multiple distribution releases in Bugzilla, and there > isn't any one which handles it as well as Launchpad does. So, the longer term plan is to enable workflows like this in the "Fedora Community" application (used to be called "MyFedora") with moksha. /* Look at our pretty mockups! https://fedoraproject.org/wiki/FedoraCommunity/Mockups */ It won't happen in the first iteration (coming soon!), but it is something that I think we want to target for the second milestone. We'll definitely be looking for feedback on some example workflows that people would like to be able to use in Fedora. ~spot

15 years, 2 months

2
2
0 / 0

myfedora repo now renamed to fedoracommunity

by John (J5) Palmieri

Trac[1], git[2] and the Wiki[3] have all been moved to a fedoracommunity namespace. The MyFedora name is now formally deprecated. Please report any issues related to this change. Some of the text still talks about MyFedora. We will be removing these references as time permits. To update your git repo either edit .git/config or do a fresh clone and pull your changes from you local myfedora repo (git pull <path to myfedora>) [1] https://fedorahosted.org/fedoracommunity [2] git://git.fedorahosted.org/git/fedoracomunity.git [3] https://fedoraproject.org/wiki/FedoraCommunity -- John (J5) Palmieri Software Engineer Red Hat, Inc.

15 years, 3 months

1
0
0 / 0

Monday AM meeting

by Tom Callaway

Due to snow, I'm going to be calling in to today's meeting. Anyone who would normally be expected to be in the office can feel free to do the same. ~spot

15 years, 3 months

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

moksha March 2009