Error registering at postgresql.org

Started by Daniel Serodio (lists), over 13 years ago. 11 messages. List: general
#1 Daniel Serodio (lists)
daniel.lists@mandic.com.br

I'm trying to register at postgresql.org so I can edit the wiki to fix a
broken link. I received a link on my e-mail so I could set my password,
but when I submit the "Change password" form I get an error:

Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.

I've tried appending "?DEBUG=True" to the URL but got no further
information.

Can someone help?

Thanks,
Daniel Serodio

#2 Magnus Hagander
magnus@hagander.net
In reply to: Daniel Serodio (lists) (#1)
Re: Error registering at postgresql.org

On Mon, Nov 5, 2012 at 4:21 PM, Daniel Serodio (lists) <daniel.lists@mandic.com.br> wrote:

I'm trying to register at postgresql.org so I can edit the wiki to fix a
broken link. I received a link on my e-mail so I could set my password, but
when I submit the "Change password" form I get an error:

Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.

I've tried appending "?DEBUG=True" to the URL but got no further
information.

Can someone help?

(moving thread to pgsql-www where it belongs)

That seems like it would be the result of a patch I applied earlier today.
It does appear we need a better error message for this case.

Not entirely sure why it shows up though, since the form appears correct.

Are you by any chance blocking cookies for the domain? If I do that, I get
the same error...

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#3 Marti Raudsepp
marti@juffo.org
In reply to: Magnus Hagander (#2)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 7:11 PM, Magnus Hagander <magnus@hagander.net> wrote:

That seems like it would be the result of a patch I applied earlier today.
It does appear we need a better error message for this case.

Maybe we should have a cookie test prior to the registration/login
form, so people are warned before they are asked to input any
information?

Not entirely sure why it shows up though, since the form appears correct.
Are you by any chance blocking cookies for the domain? If I do that, I get
the same error...

I tried signing up as testuser123 and for some reason it redirects me
back to insecure http:// from the secure address.

% wget https://www.postgresql.org/account/reset/XXXX/
--2012-11-05 19:32:35-- https://www.postgresql.org/account/reset/XXXX/
HTTP request sent, awaiting response... 302 Found
Location: http://www.postgresql.org/account/reset/XXXX/ [following]
--2012-11-05 19:32:36-- http://www.postgresql.org/account/reset/XXXX/

So it turns out that secure password reset was snake oil all along --
CSRF enforcement only made the problem obvious.

The cause is in pgweb.account.urls:

(r'^reset/$', 'account.views.resetpwd'),
^ has @ssl_required decorator

(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
'django.contrib.auth.views.password_reset_confirm',
^ points directly to the Django view, which doesn't have @ssl_required

Regards,
Marti

#4 Magnus Hagander
magnus@hagander.net
In reply to: Marti Raudsepp (#3)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 6:37 PM, Marti Raudsepp <marti@juffo.org> wrote:

On Mon, Nov 5, 2012 at 7:11 PM, Magnus Hagander <magnus@hagander.net> wrote:

That seems like it would be the result of a patch I applied earlier today.
It does appear we need a better error message for this case.

Maybe we should have a cookie test prior to the registration/login
form, so people are warned before they are asked to input any
information?

That would probably not be a horrible idea. However, the first thing we
should do is to set up a better error message. There appears to be a
setting for it (CSRF_FAILURE_VIEW) already, so we should just define that
one.

Do you want to take a stab at that, or should I?

Not entirely sure why it shows up though, since the form appears correct.

Are you by any chance blocking cookies for the domain? If I do that, I get
the same error...

I tried signing up as testuser123 and for some reason it redirects me
back to insecure http:// from the secure address.

% wget https://www.postgresql.org/account/reset/XXXX/
--2012-11-05 19:32:35-- https://www.postgresql.org/account/reset/XXXX/
HTTP request sent, awaiting response... 302 Found
Location: http://www.postgresql.org/account/reset/XXXX/ [following]
--2012-11-05 19:32:36-- http://www.postgresql.org/account/reset/XXXX/

So it turns out that secure password reset was snake oil all along --
CSRF enforcement only made the problem obvious.

The cause is in pgweb.account.urls:

(r'^reset/$', 'account.views.resetpwd'),
^ has @ssl_required decorator

(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
'django.contrib.auth.views.password_reset_confirm',
^ points directly to the Django view, which doesn't have @ssl_required

Oh, cute. That's certainly broken.

I guess the proper way to deal with it is to define our own view that just
has the @ssl_required decorator and then calls the django default view
directly.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
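The bug Marti diagnoses in #3 and the fix Magnus sketches in #4 (and later reports needed "a number of more arguments") come down to one pattern: a URL that maps straight to a third-party view cannot carry a decorator you only apply to your own views, so you wrap it in a local view that is decorated and forwards every argument. The following is an added, self-contained illustration of that pattern; it is not pgweb's code and it does not import Django. `Request`, `Response`, `dispatch` and the stand-in `password_reset_confirm` are constructed stand-ins, and `ssl_required` is assumed to behave as the thread describes it (redirect plain HTTP to HTTPS, otherwise pass through). The URL regexes are the two from Marti's message.

```python
import re
from functools import wraps


class Request:
    """Constructed stand-in for a Django HttpRequest with only what the
    decorator needs (not Django's class)."""

    def __init__(self, path, secure=False, host="www.postgresql.org"):
        self.path = path
        self._secure = secure
        self.host = host

    def is_secure(self):
        return self._secure


class Response:
    """Constructed stand-in for an HttpResponse / HttpResponseRedirect."""

    def __init__(self, status, body="", location=None):
        self.status = status
        self.body = body
        self.location = location


def ssl_required(view):
    """Assumed behaviour of pgweb's decorator: a plain-HTTP request is answered
    with a 302 to the same path over HTTPS; a secure request is passed to the
    view together with every positional and keyword argument the resolver
    captured from the URL."""

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.is_secure():
            return Response(302, location="https://" + request.host + request.path)
        return view(request, *args, **kwargs)

    return wrapper


def password_reset_confirm(request, uidb36=None, token=None, **extra):
    """Stand-in for django.contrib.auth.views.password_reset_confirm: a view
    we cannot decorate at its definition site, which expects the URL captures
    as keyword arguments."""
    return Response(200, body=f"confirm form for uid={uidb36} token={token}")


@ssl_required
def resetpwd(request):
    """Stand-in for account.views.resetpwd, which already carries the decorator."""
    return Response(200, body="reset request form")


@ssl_required
def resetpwd_confirm(request, *args, **kwargs):
    """The fix: a local, decorated wrapper that forwards all arguments to the
    library view. Dropping *args/**kwargs here is what loses the uidb36/token
    captures."""
    return password_reset_confirm(request, *args, **kwargs)


# The mapping from the thread: the second entry points straight at the
# undecorated library view, so the confirm page is served over plain HTTP.
BROKEN_URLS = [
    (r"^reset/$", resetpwd),
    (r"^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$", password_reset_confirm),
]

# Same patterns, with the confirm entry routed through the decorated wrapper.
FIXED_URLS = [
    (r"^reset/$", resetpwd),
    (r"^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$", resetpwd_confirm),
]


def dispatch(urlpatterns, request):
    """Minimal resolver: match the path (leading slash stripped) against the
    patterns in order and call the view with the named captures as kwargs,
    the way Django's resolver hands them over."""
    path = request.path.lstrip("/")
    for pattern, view in urlpatterns:
        m = re.match(pattern, path)
        if m:
            return view(request, **m.groupdict())
    return Response(404)


if __name__ == "__main__":
    # Constructed sample request: the reset link opened over plain HTTP.
    req = Request("/reset/abc-xyz/", secure=False)
    print("broken:", dispatch(BROKEN_URLS, req).status)   # served over HTTP
    print("fixed: ", dispatch(FIXED_URLS, req).location)  # redirected to HTTPS
```

The check worth keeping from this is the second one: with the wrapper in place, a plain-HTTP request for the confirm URL must produce a redirect to the HTTPS address rather than the form, and a secure request must still reach the library view with `uidb36` and `token` intact.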

#5 Marti Raudsepp
marti@juffo.org
In reply to: Magnus Hagander (#4)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:

I guess the proper way to deal with it is to define our own view that just
has the @ssl_required decorator and then calls the django default view
directly.

Here's an untested patch to do that.

Regards,
Marti

Attachments:

0001-Add-ssl_required-decorator-to-password-reset-related.patch (application/octet-stream; +21 -9)

#6 Daniel Serodio (lists)
daniel.lists@mandic.com.br
In reply to: Magnus Hagander (#2)
Re: [GENERAL] Error registering at postgresql.org

Magnus Hagander wrote:

On Mon, Nov 5, 2012 at 4:21 PM, Daniel Serodio (lists)
<daniel.lists@mandic.com.br> wrote:

I'm trying to register at postgresql.org <http://postgresql.org>
so I can edit the wiki to fix a broken link. I received a link on
my e-mail so I could set my password, but when I submit the
"Change password" form I get an error:

Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.

I've tried appending "?DEBUG=True" to the URL but got no further
information.

Can someone help?

(moving thread to pgsql-www where it belongs)

That seems like it would be the result of a patch I applied earlier
today. It does appear we need a better error message for this case.

Not entirely sure why it shows up though, since the form appears correct.

Are you by any chance blocking cookies for the domain? If I do that, I
get the same error...

No; after I got this error I opened a new (Chrome) Incognito window to
make sure no extension was interfering.
I double-checked now and the only cookies coming from www.postgresql.org
are __utma, __utmb, __utmc, __utmz and style.

Regards,
Daniel Serodio

#7 Magnus Hagander
magnus@hagander.net
In reply to: Marti Raudsepp (#5)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 6:50 PM, Marti Raudsepp <marti@juffo.org> wrote:

On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:

I guess the proper way to deal with it is to define our own view that just
has the @ssl_required decorator and then calls the django default view
directly.

Here's an untested patch to do that.

I was already working on that part and have applied a very similar patch.

Let's hope we didn't both break it.

Forgot to credit you with figuring out the problem - sorry!

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#8 Magnus Hagander
magnus@hagander.net
In reply to: Magnus Hagander (#7)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 7:20 PM, Magnus Hagander <magnus@hagander.net> wrote:

On Mon, Nov 5, 2012 at 6:50 PM, Marti Raudsepp <marti@juffo.org> wrote:

On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:

I guess the proper way to deal with it is to define our own view that just
has the @ssl_required decorator and then calls the django default view
directly.

Here's an untested patch to do that.

I was already working on that part and have applied a very similar patch.

Let's hope we didn't both break it.

Forgot to credit you with figuring out the problem - sorry!

Turns out we were both badly mistaken on how easy that fix was. I've
applied what I believe is a proper fix now, it certainly required a number
of more arguments than we had in there in the first place.

Are you looking into the CSRF error message issue, or should I?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#9 Daniel Serodio (lists)
daniel.lists@mandic.com.br
In reply to: Magnus Hagander (#8)
Re: [GENERAL] Error registering at postgresql.org

Magnus Hagander wrote:

On Mon, Nov 5, 2012 at 7:20 PM, Magnus Hagander <magnus@hagander.net> wrote:

On Mon, Nov 5, 2012 at 6:50 PM, Marti Raudsepp <marti@juffo.org> wrote:

On Mon, Nov 5, 2012 at 7:44 PM, Magnus Hagander <magnus@hagander.net> wrote:

I guess the proper way to deal with it is to define our own view that just
has the @ssl_required decorator and then calls the django default view
directly.

Here's an untested patch to do that.

I was already working on that part and have applied a very similar
patch. Let's hope we didn't both break it.

Forgot to credit you with figuring out the problem - sorry!

Turns out we were both badly mistaken on how easy that fix was. I've
applied what I believe is a proper fix now, it certainly required
a number of more arguments than we had in there in the first place.

Are you looking into the CSRF error message issue, or should I?

Thanks, I've just reset my password with no errors.

Regards,
Daniel Serodio

#10 Marti Raudsepp
marti@juffo.org
In reply to: Magnus Hagander (#8)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 8:43 PM, Magnus Hagander <magnus@hagander.net> wrote:

Turns out we were both badly mistaken on how easy that fix was.

D'oh :)

Are you looking into the CSRF error message issue, or should I?

Go for it.

Regards,
Marti

#11 Magnus Hagander
magnus@hagander.net
In reply to: Marti Raudsepp (#10)
Re: [GENERAL] Error registering at postgresql.org

On Mon, Nov 5, 2012 at 8:31 PM, Marti Raudsepp <marti@juffo.org> wrote:

On Mon, Nov 5, 2012 at 8:43 PM, Magnus Hagander <magnus@hagander.net> wrote:

Turns out we were both badly mistaken on how easy that fix was.

D'oh :)

Are you looking into the CSRF error message issue, or should I?

Go for it.

Done.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/