Bug #15843
Redirect to login page on CSRF error
Description
To reproduce:
1) Open two tabs in the browser.
2) On one tab, go to the Red Hat repositories page and open an enabled repository.
3) On the other tab, log out.
4) Go back to the RH repos tab and disable the repo.
5) You should see a CSRF token error.
This can probably be reproduced by enabling a repo as well.
Ideally we would redirect to the login page here.
2016-07-26 13:47:49 [app] [I] Started GET "/katello/products/130/available_repositories?content_id=2472&_=1469540849891" for 192.168.121.1 at 2016-07-26 13:47:49 +0000
2016-07-26 13:47:49 [app] [I] Processing by Katello::ProductsController#available_repositories as */*
2016-07-26 13:47:49 [app] [I] Parameters: {"content_id"=>"2472", "_"=>"1469540849891", "id"=>"130"}
2016-07-26 13:47:56 [app] [I] Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.68/app/views/katello/providers/redhat/_repos.html.erb (10.8ms)
2016-07-26 13:47:56 [app] [I] Completed 200 OK in 6985ms (Views: 11.5ms | ActiveRecord: 72.6ms)
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating throttle_limiter...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating client dispatcher...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] stop listening for new events...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating clock...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating throttle_limiter...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating client dispatcher...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] stop listening for new events...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating clock...

2016-07-26 13:53:40 [app] [I] Started PUT "/katello/products/130/toggle_repository" for 192.168.121.1 at 2016-07-26 13:53:40 +0000
2016-07-26 13:53:40 [app] [I] Processing by Katello::ProductsController#toggle_repository as */*
2016-07-26 13:53:40 [app] [I] Parameters: {"repo"=>"0", "pulp_id"=>"Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Enterprise_Linux_7_Server_-_RH_Common_RPMs_x86_64_7Server", "content_id"=>"2472", "releasever"=>"7Server", "basearch"=>"x86_64", "id"=>"130"}
2016-07-26 13:53:40 [app] [W] Can't verify CSRF token authenticity
2016-07-26 13:53:40 [app] [I] Completed 500 Internal Server Error in 5ms
2016-07-26 13:53:40 [app] [F] | Foreman::Exception (ERF42-4995 [Foreman::Exception]: Invalid authenticity token):
| app/controllers/application_controller.rb:371:in `handle_unverified_request'
| lib/middleware/catch_json_parse_errors.rb:9:in `call'
|
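The mechanism behind the log above (a masked CSRF token minted before logout no longer unmasks to the new session's token, and `handle_unverified_request` raising is what surfaces as the 500) and the redirect the report asks for, as an added stand-alone Ruby illustration. It is not Foreman or Rails code: it re-implements a Rails-style masked-token check in miniature and assumes a login path of `/users/login`.

```ruby
require 'securerandom'
require 'base64'
require 'json'
# Stand-alone illustration (not Foreman or Rails code) of a Rails-style masked
# CSRF check plus a handler that redirects or returns 401 instead of raising.
module CsrfDemo
  TOKEN_LENGTH = 32
  LOGIN_PATH   = '/users/login' # assumed login path for this example

  # Every new session (e.g. after logout) gets a fresh raw token.
  def self.new_session
    { csrf_token: SecureRandom.random_bytes(TOKEN_LENGTH) }
  end

  # Mask the raw token with a one-time pad so each rendered page carries a
  # different token string; layout is pad || (pad XOR raw), base64-encoded.
  def self.masked_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, session[:csrf_token]))
  end

  # Unmask the presented token and compare it with the session's raw token.
  # A token minted before logout fails here because the session token changed.
  def self.valid_token?(session, presented)
    raw = session[:csrf_token]
    return false if raw.nil? || presented.nil?
    bytes = Base64.decode64(presented) # lenient decode; length check below
    return false unless bytes.bytesize == 2 * TOKEN_LENGTH
    pad, enc = bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, enc), raw)
  end

  # Rack-style [status, headers, body]: a browser navigation is sent to the
  # login page; an XHR/JSON caller (like toggle_repository in the log) gets 401.
  def self.process(session, presented, xhr:)
    return [200, {}, 'ok'] if valid_token?(session, presented)
    return [302, { 'Location' => LOGIN_PATH }, ''] unless xhr
    body = JSON.generate({ error: 'Invalid authenticity token', login: LOGIN_PATH })
    [401, { 'Content-Type' => 'application/json' }, body]
  end
  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Fixed-length comparison that does not stop at the first mismatching byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```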
Updated by John Mitsch almost 9 years ago
- Subject changed from CSRF mismatch on disabling RH repository to CSRF error on disabling RH repository
Updated by Justin Sherrill almost 9 years ago
- Status changed from New to Rejected
- Release set to 166
Updated by John Mitsch almost 9 years ago
- Subject changed from CSRF error on disabling RH repository to Redirect to login page on CSRF error
Updated by Justin Sherrill almost 9 years ago
- Status changed from Rejected to New
- Release changed from 166 to 114