Thread: Re: [GENERAL] Error registering at postgresql.org

Re: [GENERAL] Error registering at postgresql.org

From: Magnus Hagander
On Mon, Nov 5, 2012 at 4:21 PM, Daniel Serodio (lists) <daniel.lists@mandic.com.br> wrote:
> I'm trying to register at postgresql.org so I can edit the wiki to fix a broken link. I received a link in my e-mail so I could set my password, but when I submit the "Change password" form I get an error:
>
> Forbidden (403)
> CSRF verification failed. Request aborted.
> More information is available with DEBUG=True.
>
> I've tried appending "?DEBUG=True" to the URL but got no further information.
>
> Can someone help?


(moving thread to pgsql-www where it belongs)

That seems like it would be the result of a patch I applied earlier today. It does appear we need a better error message for this case. 

Not entirely sure why it shows up though, since the form appears correct.

Are you by any chance blocking cookies for the domain? If I do that, I get the same error...

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: [GENERAL] Error registering at postgresql.org

From: Marti Raudsepp
On Mon, Nov 5, 2012 at 7:11 PM, Magnus Hagander <magnus@hagander.net> wrote:
> That seems like it would be the result of a patch I applied earlier today.
> It does appear we need a better error message for this case.

Maybe we should have a cookie test prior to the registration/login
form, so people are warned before they are asked to input any
information?

> Not entirely sure why it shows up though, since the form appears correct.
> Are you by any chance blocking cookies for the domain? If I do that, I get
> the same error...

I tried signing up as testuser123 and for some reason it redirects me
back to insecure http:// from the secure address.

% wget https://www.postgresql.org/account/reset/XXXX/
--2012-11-05 19:32:35--  https://www.postgresql.org/account/reset/XXXX/
HTTP request sent, awaiting response... 302 Found
Location: http://www.postgresql.org/account/reset/XXXX/ [following]
--2012-11-05 19:32:36--  http://www.postgresql.org/account/reset/XXXX/

So it turns out that secure password reset was snake oil all along --
CSRF enforcement only made the problem obvious.

The cause is in pgweb.account.urls:
   (r'^reset/$', 'account.views.resetpwd'),
^ has @ssl_required decorator
   (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
'django.contrib.auth.views.password_reset_confirm',
^ points directly to the Django view, which doesn't have @ssl_required

Regards,
Marti



Re: [GENERAL] Error registering at postgresql.org

From: Magnus Hagander

On Mon, Nov 5, 2012 at 6:37 PM, Marti Raudsepp <marti@juffo.org> wrote:
> On Mon, Nov 5, 2012 at 7:11 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> That seems like it would be the result of a patch I applied earlier today.
>> It does appear we need a better error message for this case.
>
> Maybe we should have a cookie test prior to the registration/login
> form, so people are warned before they are asked to input any
> information?

That would probably not be a horrible idea. However, the first thing we should do is to set up a better error message. There appears to be a setting for it (CSRF_FAILURE_VIEW) already, so we should just define that one.

Do you want to take a stab at that, or should I?
 

>> Not entirely sure why it shows up though, since the form appears correct.
>> Are you by any chance blocking cookies for the domain? If I do that, I get
>> the same error...
>
> I tried signing up as testuser123 and for some reason it redirects me
> back to insecure http:// from the secure address.
>
> % wget https://www.postgresql.org/account/reset/XXXX/
> --2012-11-05 19:32:35--  https://www.postgresql.org/account/reset/XXXX/
> HTTP request sent, awaiting response... 302 Found
> Location: http://www.postgresql.org/account/reset/XXXX/ [following]
> --2012-11-05 19:32:36--  http://www.postgresql.org/account/reset/XXXX/
>
> So it turns out that secure password reset was snake oil all along --
> CSRF enforcement only made the problem obvious.
>
> The cause is in pgweb.account.urls:
>
>     (r'^reset/$', 'account.views.resetpwd'),
> ^ has @ssl_required decorator
>
>     (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
> 'django.contrib.auth.views.password_reset_confirm',
> ^ points directly to the Django view, which doesn't have @ssl_required


Oh, cute. That's certainly broken.

I guess the proper way to deal with it is to define our own view that just has the @ssl_required decorator and then calls the django default view directly. 


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: [GENERAL] Error registering at postgresql.org

From: Marti Raudsepp
On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:
> I guess the proper way to deal with it is to define our own view that just
> has the @ssl_required decorator and then calls the django default view
> directly.

Here's an untested patch to do that.

Regards,
Marti


Re: [GENERAL] Error registering at postgresql.org

From: Daniel Serodio (lists)
Magnus Hagander wrote:
> On Mon, Nov 5, 2012 at 4:21 PM, Daniel Serodio (lists) <daniel.lists@mandic.com.br> wrote:
>> I'm trying to register at postgresql.org so I can edit the wiki to fix a broken link. I received a link in my e-mail so I could set my password, but when I submit the "Change password" form I get an error:
>>
>> Forbidden (403)
>> CSRF verification failed. Request aborted.
>> More information is available with DEBUG=True.
>>
>> I've tried appending "?DEBUG=True" to the URL but got no further information.
>>
>> Can someone help?
>
> (moving thread to pgsql-www where it belongs)
>
> That seems like it would be the result of a patch I applied earlier today. It does appear we need a better error message for this case.
>
> Not entirely sure why it shows up though, since the form appears correct.
>
> Are you by any chance blocking cookies for the domain? If I do that, I get the same error...

No; after I got this error I opened a new (Chrome) Incognito window to make sure no extension was interfering.
I double-checked now and the only cookies coming from www.postgresql.org are __utma, __utmb, __utmc, __utmz and style.

Regards,
Daniel Serodio

Re: [GENERAL] Error registering at postgresql.org

From: Magnus Hagander

On Mon, Nov 5, 2012 at 6:50 PM, Marti Raudsepp <marti@juffo.org> wrote:
> On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> I guess the proper way to deal with it is to define our own view that just
>> has the @ssl_required decorator and then calls the django default view
>> directly.
>
> Here's an untested patch to do that.

I was already working on that part and have applied a very similar patch. Let's hope we didn't both break it.

Forgot to credit you with figuring out the problem - sorry! 

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: [GENERAL] Error registering at postgresql.org

From: Magnus Hagander

On Mon, Nov 5, 2012 at 7:20 PM, Magnus Hagander <magnus@hagander.net> wrote:

> On Mon, Nov 5, 2012 at 6:50 PM, Marti Raudsepp <marti@juffo.org> wrote:
>> On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:
>>> I guess the proper way to deal with it is to define our own view that just
>>> has the @ssl_required decorator and then calls the django default view
>>> directly.
>>
>> Here's an untested patch to do that.
>
> I was already working on that part and have applied a very similar patch. Let's hope we didn't both break it.
>
> Forgot to credit you with figuring out the problem - sorry!


Turns out we were both badly mistaken on how easy that fix was. I've applied what I believe is a proper fix now; it certainly required a number more arguments than we had in there in the first place.

Are you looking into the CSRF error message issue, or should I?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
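The redirect Marti traced with wget, the wrapper view Magnus proposes, and the "more arguments than we had" problem he hits on the way, reproduced as an added example. This is not pgweb's or Django's code: it models the mechanism the thread describes so the HTTPS-to-HTTP bounce and the CSRF failure it causes can be run without Django. Everything beyond the thread is an assumption and is marked as such in the comments: that ssl_required only flags the view and a middleware bounces HTTPS requests for unflagged views back to HTTP, that the csrftoken cookie is a Secure cookie the browser never sends over plain HTTP, the stand-in password_reset_confirm signature, and the csrf_failure view in the spirit of CSRF_FAILURE_VIEW.

```python
# Added example, not pgweb's or Django's code. Assumed, not confirmed by the
# thread: ssl_required only flags the view, a middleware bounces HTTPS requests
# for unflagged views to HTTP, and csrftoken is a Secure cookie that the
# browser never sends over plain HTTP.
import re
from functools import wraps


class Request:
    def __init__(self, method, scheme, path, cookies=None):
        self.method, self.scheme, self.path = method, scheme, path
        self.cookies = cookies or {}

    def is_secure(self):
        return self.scheme == "https"


class Response:
    def __init__(self, status, body="", location=None):
        self.status, self.body, self.location = status, body, location


def ssl_required(view):
    """Flag a view so dispatch() keeps it on HTTPS (assumed mechanism)."""
    @wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.ssl_required = True
    return wrapped


def password_reset_confirm(request, uidb36=None, token=None,
                           template_name="registration/password_reset_confirm.html",
                           post_reset_redirect=None):
    """Stand-in for django.contrib.auth.views.password_reset_confirm: the URL
    captures arrive as keyword arguments, plus optional settings (assumed)."""
    verb = "password set" if request.method == "POST" else "form shown"
    return Response(200, "%s for %s" % (verb, uidb36))


@ssl_required
def reset_confirm_naive(request):
    """Decorated but with a fixed signature: dispatch() passes uidb36/token as
    keyword arguments, so calling this raises TypeError."""
    return password_reset_confirm(request)


@ssl_required
def reset_confirm(request, *args, **kwargs):
    """Correct wrapper: forwards everything the URLconf captured."""
    return password_reset_confirm(request, *args, **kwargs)


def csrf_failure(request, reason=""):
    """Stand-in for a CSRF_FAILURE_VIEW that names the usual causes."""
    return Response(403, "CSRF verification failed (%s). Enable cookies for "
                         "this site and submit the form over HTTPS." % reason)


RESET_RE = r"^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$"
BROKEN = [(RESET_RE, password_reset_confirm)]  # bare Django view, as in the thread
NAIVE = [(RESET_RE, reset_confirm_naive)]      # decorated, wrong signature
FIXED = [(RESET_RE, reset_confirm)]            # decorated, arguments forwarded
HOST = "www.postgresql.org/"                   # /account/ prefix omitted here


def dispatch(urlpatterns, request):
    """URLconf plus middleware: SSL policy, then CSRF check on POST, then view."""
    for pattern, view in urlpatterns:
        m = re.match(pattern, request.path)
        if not m:
            continue
        wants_ssl = getattr(view, "ssl_required", False)
        if wants_ssl and not request.is_secure():
            return Response(302, location="https://" + HOST + request.path)
        if not wants_ssl and request.is_secure():
            return Response(302, location="http://" + HOST + request.path)
        if request.method == "POST" and "csrftoken" not in request.cookies:
            return csrf_failure(request, "CSRF cookie not set")
        return view(request, **m.groupdict())
    return Response(404)


def browser_cookies(scheme):
    """A Secure csrftoken cookie is only attached over HTTPS (assumed)."""
    return {"csrftoken": "abc123"} if scheme == "https" else {}


def follow(urlpatterns, method, scheme, path):
    """Send one request and follow a single redirect, as wget did above.
    Returns (scheme the final response came over, response)."""
    resp = dispatch(urlpatterns, Request(method, scheme, path, browser_cookies(scheme)))
    if resp.status == 302:
        scheme = resp.location.split("://", 1)[0]
        resp = dispatch(urlpatterns, Request(method, scheme, path, browser_cookies(scheme)))
    return scheme, resp


def wrapper_accepts_captures(view):
    """True if the view can be called the way dispatch() calls it."""
    try:
        view(Request("GET", "https", "reset/ABC-tok/"), uidb36="ABC", token="tok")
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        scheme, resp = follow(conf, "POST", "https", "reset/ABC-tok/")
        print("%s: POST ends on %s with %d %s" % (name, scheme, resp.status, resp.body))
    print("naive wrapper callable:", wrapper_accepts_captures(reset_confirm_naive))
```

With BROKEN the HTTPS GET is bounced to HTTP, the browser then submits the new password in cleartext, and because the Secure CSRF cookie is withheld the POST ends in the 403 Daniel saw; the CSRF check is what exposed the downgrade, not what caused it. With FIXED the page stays on HTTPS in both directions and the reset completes, and wrapper_accepts_captures() shows why a wrapper that does not forward the URL captures fails before it ever reaches the Django view.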

Re: [GENERAL] Error registering at postgresql.org

From: Daniel Serodio (lists)
Magnus Hagander wrote:

> On Mon, Nov 5, 2012 at 7:20 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> On Mon, Nov 5, 2012 at 6:50 PM, Marti Raudsepp <marti@juffo.org> wrote:
>>> On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:
>>>> I guess the proper way to deal with it is to define our own view that just
>>>> has the @ssl_required decorator and then calls the django default view
>>>> directly.
>>>
>>> Here's an untested patch to do that.
>>
>> I was already working on that part and have applied a very similar patch. Let's hope we didn't both break it.
>>
>> Forgot to credit you with figuring out the problem - sorry!
>
> Turns out we were both badly mistaken on how easy that fix was. I've applied what I believe is a proper fix now; it certainly required a number more arguments than we had in there in the first place.
>
> Are you looking into the CSRF error message issue, or should I?

Thanks, I've just reset my password with no errors.

Regards,
Daniel Serodio

Re: [GENERAL] Error registering at postgresql.org

From: Marti Raudsepp
On Mon, Nov 5, 2012 at 8:43 PM, Magnus Hagander <magnus@hagander.net> wrote:
> Turns out we were both badly mistaken on how easy that fix was.

D'oh :)

> Are you looking into the CSRF error message issue, or should I?

Go for it.

Regards,
Marti



Re: [GENERAL] Error registering at postgresql.org

From: Magnus Hagander
On Mon, Nov 5, 2012 at 8:31 PM, Marti Raudsepp <marti@juffo.org> wrote:
> On Mon, Nov 5, 2012 at 8:43 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> Turns out we were both badly mistaken on how easy that fix was.
>
> D'oh :)
>
>> Are you looking into the CSRF error message issue, or should I?
>
> Go for it.

Done.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/