Re: [GENERAL] Error registering at postgresql.org

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Marti Raudsepp <marti(at)juffo(dot)org>
Cc: "Daniel Serodio (lists)" <daniel(dot)lists(at)mandic(dot)com(dot)br>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: [GENERAL] Error registering at postgresql.org
Date: 2012-11-05 17:44:14
Message-ID: CABUevExgwjPo8eYy0AL0NiqbVoE9jN2rBNN_ZU_GQJ3-3WfXPw@mail.gmail.com
Lists: pgsql-general pgsql-www

On Mon, Nov 5, 2012 at 6:37 PM, Marti Raudsepp <marti(at)juffo(dot)org> wrote:

> On Mon, Nov 5, 2012 at 7:11 PM, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> > That seems like it would be the result of a patch I applied earlier
> > today.
> > It does appear we need a better error message for this case.
>
> Maybe we should have a cookie test prior to the registration/login
> form, so people are warned before they are asked to input any
> information?
>

That would probably not be a horrible idea. However, the first thing we
should do is to set up a better error message. There appears to be a
setting for it (CSRF_FAILURE_VIEW) already, so we should just define that
one.

Do you want to take a stab at that, or should I?

> > Not entirely sure why it shows up though, since the form appears correct.
> > Are you by any chance blocking cookies for the domain? If I do that, I
> > get
> > the same error...
>
> I tried signing up as testuser123 and for some reason it redirects me
> back to insecure http:// from the secure address.
>
> % wget https://www.postgresql.org/account/reset/XXXX/
> --2012-11-05 19:32:35-- https://www.postgresql.org/account/reset/XXXX/
> HTTP request sent, awaiting response... 302 Found
> Location: http://www.postgresql.org/account/reset/XXXX/ [following]
> --2012-11-05 19:32:36-- http://www.postgresql.org/account/reset/XXXX/
>
> So it turns out that secure password reset was snake oil all along --
> CSRF enforcement only made the problem obvious.
>
> The cause is in pgweb.account.urls:
>
> (r'^reset/$', 'account.views.resetpwd'),
> ^ has @ssl_required decorator
>
> (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
> 'django.contrib.auth.views.password_reset_confirm',
> ^ points directly to the Django view, which doesn't have @ssl_required
>
>
Oh, cute. That's certainly broken.

I guess the proper way to deal with it is to define our own view that just
has the @ssl_required decorator and then calls the django default view
directly.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
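The fix Magnus sketches above (a project-owned view that carries @ssl_required and delegates to the framework's password_reset_confirm), worked through as an added example that is not part of this thread and not pgweb's real code. The body of ssl_required is an assumed reconstruction (redirect plain-http requests to the same URL over https); pgweb's actual decorator, and whatever bounced the https request back to http in Marti's wget trace, are not reproduced. The Request, Response, django_password_reset_confirm and resolve definitions are constructed stand-ins so the example runs without Django installed; the reset link and its token are constructed, not real.

```python
import re
from functools import wraps
from urllib.parse import urlsplit, urlunsplit


# Constructed stand-ins for Django's HttpRequest / HttpResponse so the example
# runs without Django installed. Only the members used below exist.
class Request:
    def __init__(self, url, secure):
        self._url = url          # the full URL the server received
        self._secure = secure    # True when the request arrived over TLS

    def is_secure(self):
        return self._secure

    def build_absolute_uri(self):
        return self._url


class Response:
    def __init__(self, status_code, content="", location=None):
        self.status_code = status_code
        self.content = content
        self.headers = {"Location": location} if location else {}


def ssl_required(view):
    """Assumed reconstruction of pgweb's @ssl_required: redirect any plain-http
    request to the same URL over https, otherwise run the wrapped view."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.is_secure():
            parts = urlsplit(request.build_absolute_uri())
            return Response(302, location=urlunsplit(("https",) + parts[1:]))
        return view(request, *args, **kwargs)
    return wrapper


def django_password_reset_confirm(request, uidb36=None, token=None):
    """Stand-in for django.contrib.auth.views.password_reset_confirm: it knows
    nothing about TLS and renders the form for whatever request it is given."""
    return Response(200, content="reset form uid=%s token=%s" % (uidb36, token))


@ssl_required
def password_reset_confirm(request, uidb36=None, token=None):
    """The wrapper view from Magnus's proposal: it exists only to carry the
    decorator and then calls the framework's view directly."""
    return django_password_reset_confirm(request, uidb36=uidb36, token=token)


RESET_CONFIRM_RE = r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$'

# Before: the pattern points straight at the undecorated framework view (the bug).
URLPATTERNS_BEFORE = [(RESET_CONFIRM_RE, django_password_reset_confirm)]
# After: the pattern points at the project's own decorated wrapper.
URLPATTERNS_AFTER = [(RESET_CONFIRM_RE, password_reset_confirm)]

ACCOUNT_PREFIX = "/account/"


def resolve(patterns, request):
    """Minimal urlconf dispatch: match the path under /account/ against
    (regex, view) tuples and call the first hit with its named groups."""
    path = urlsplit(request.build_absolute_uri()).path
    if not path.startswith(ACCOUNT_PREFIX):
        return Response(404, content="not found")
    relative = path[len(ACCOUNT_PREFIX):]
    for pattern, view in patterns:
        match = re.match(pattern, relative)
        if match:
            return view(request, **match.groupdict())
    return Response(404, content="not found")


def serve_over_http(patterns):
    """A reset link (constructed URL and token) fetched over plain http
    through the given urlconf; used to compare the two wirings."""
    request = Request("http://www.postgresql.org/account/reset/abc-XYZ/", secure=False)
    return resolve(patterns, request)


if __name__ == "__main__":
    before = serve_over_http(URLPATTERNS_BEFORE)
    after = serve_over_http(URLPATTERNS_AFTER)
    print("before fix:", before.status_code)                 # form served over http
    print("after fix: ", after.status_code, after.headers)   # redirected to https
```

With the old wiring the plain-http request gets a 200 and the reset form, so the token travels in the clear; with the wrapper in the urlconf the same request is answered with a 302 to the https URL and only a secure request reaches the form. The check belongs on the view that is actually routed, which is why pointing the pattern at a framework view bypassed it.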
