On Mon, Nov 5, 2012 at 7:11 PM, Magnus Hagander <magnus@hagander.net> wrote:
> That seems like it would be the result of a patch I applied earlier today.
> It does appear we need a better error message for this case.
Maybe we should have a cookie test prior to the registration/login
form, so people are warned before they are asked to input any
information?
> Not entirely sure why it shows up though, since the form appears correct.
> Are you by any chance blocking cookies for the domain? If I do that, I get
> the same error...
I tried signing up as testuser123 and for some reason it redirects me
back to insecure http:// from the secure address.
% wget https://www.postgresql.org/account/reset/XXXX/
--2012-11-05 19:32:35-- https://www.postgresql.org/account/reset/XXXX/
HTTP request sent, awaiting response... 302 Found
Location: http://www.postgresql.org/account/reset/XXXX/ [following]
--2012-11-05 19:32:36-- http://www.postgresql.org/account/reset/XXXX/
So it turns out that secure password reset was snake oil all along --
CSRF enforcement only made the problem obvious.
The cause is in pgweb.account.urls:
(r'^reset/$', 'account.views.resetpwd'),
^ has @ssl_required decorator
(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
'django.contrib.auth.views.password_reset_confirm',
^ points directly to the Django view, which doesn't have @ssl_required
Regards,
Marti
