On Mon, Jul 29, 2013 at 4:03 PM, Warren Young <war...@etr-usa.com> wrote:
> On 7/28/2013 13:47, Marc Simpson wrote:
>>
>>
>> Output: "Cross-site request forgery attempt".
>
>
> That's a browser-specific feature, not something Fossil does.  It may
> be that Fossil could work differently to avoid triggering this browser
> security feature, but ultimately it's a false positive.

Please, don't mislead other people.  CSRF is a Web vulnerability that
browsers can't prevent yet.  So it is normally handled on the server
side.  Check Fossil's sources (src/login.c):

    /*
    ** Before using the results of a form, first call this routine to verify
    ** that this Anti-CSRF token is present and is valid.  If the Anti-CSRF token
    ** is missing or is incorrect, that indicates a cross-site scripting attack,
    ** so emit an error message and abort.
    */
    void login_verify_csrf_secret(void){
      if( g.okCsrf ) return;
      if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
        g.okCsrf = 1;
        return;
      }
      fossil_fatal("Cross-site request forgery attempt");
    }

Regards.

-- 
Isaac Jurado

"The noblest pleasure is the joy of understanding"
Leonardo da Vinci
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
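The point of the reply above is that the rejection comes from a server-side token check, not from the browser. The following is an added, self-contained C model of that check; it is not Fossil's code. The SessionCtx struct, csrf_new_token(), csrf_hidden_field(), form_value(), csrf_verify() and handle_post() are all hypothetical names chosen for this illustration (the field names mirror Fossil's g.zCsrfToken and g.okCsrf, and csrf_verify() plays the role of login_verify_csrf_secret() but returns a result instead of calling fossil_fatal()). The entropy bytes and the posted form bodies in main() are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define CSRF_BYTES 16

/* Hypothetical per-session context (not Fossil's struct). The token is
 * issued alongside the login cookie and embedded in every state-changing
 * form; a third-party site cannot read it, so it cannot forge a valid post. */
typedef struct {
  char zCsrfToken[CSRF_BYTES*2+1];  /* hex token bound to this login session */
  int okCsrf;                       /* 1 once this request's form was verified */
} SessionCtx;

/* Hex-encode entropy bytes into the session token. A real server fills
 * aEntropy from the OS CSPRNG; unpredictability is what makes the check work. */
void csrf_new_token(SessionCtx *s, const unsigned char *aEntropy, size_t nEntropy){
  static const char hex[] = "0123456789abcdef";
  size_t i, n = nEntropy < CSRF_BYTES ? nEntropy : CSRF_BYTES;
  for(i=0; i<n; i++){
    s->zCsrfToken[2*i]   = hex[aEntropy[i]>>4];
    s->zCsrfToken[2*i+1] = hex[aEntropy[i]&0x0f];
  }
  s->zCsrfToken[2*n] = 0;
  s->okCsrf = 0;
}

/* The hidden field the server renders into each form it will later verify. */
int csrf_hidden_field(const SessionCtx *s, char *zOut, size_t nOut){
  return snprintf(zOut, nOut,
                  "<input type=\"hidden\" name=\"csrf\" value=\"%s\">",
                  s->zCsrfToken);
}

/* Minimal lookup of one field in an application/x-www-form-urlencoded body
 * (no percent-decoding, which a hex token never needs). Stands in for P().
 * Returns 1 and copies the value into zOut if the field is present. */
int form_value(const char *zBody, const char *zName, char *zOut, size_t nOut){
  size_t nName = strlen(zName);
  const char *p = zBody;
  while(p && *p){
    const char *end = strchr(p, '&');
    size_t len = end ? (size_t)(end-p) : strlen(p);
    if( len>nName && strncmp(p, zName, nName)==0 && p[nName]=='=' ){
      size_t vlen = len-nName-1;
      if( vlen>=nOut ) vlen = nOut-1;   /* over-long value is truncated and will fail the compare */
      memcpy(zOut, p+nName+1, vlen);
      zOut[vlen] = 0;
      return 1;
    }
    p = end ? end+1 : NULL;
  }
  return 0;
}

/* Constant-time string comparison: an early-exit compare would let the
 * position of the first mismatching byte leak through response timing. */
static int ct_equal(const char *a, const char *b){
  size_t na = strlen(a), nb = strlen(b), i, n = na<nb ? na : nb;
  unsigned char diff = (unsigned char)(na != nb);
  for(i=0; i<n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
  return diff==0;
}

/* Counterpart of login_verify_csrf_secret(): returns 1 and marks the request
 * verified when the submitted token matches the session token, 0 otherwise.
 * A server would answer 0 with an error page or a 403. */
int csrf_verify(SessionCtx *s, const char *zSubmitted){
  if( s->okCsrf ) return 1;
  if( zSubmitted && ct_equal(zSubmitted, s->zCsrfToken) ){
    s->okCsrf = 1;
    return 1;
  }
  return 0;
}

/* Run one posted body through the check; a missing "csrf" field is rejected. */
int handle_post(SessionCtx *s, const char *zBody){
  char zTok[64];
  if( !form_value(zBody, "csrf", zTok, sizeof zTok) ) return csrf_verify(s, NULL);
  return csrf_verify(s, zTok);
}

int main(void){
  /* Constructed entropy for the demo; a real server reads this from the OS CSPRNG. */
  static const unsigned char aSeed[CSRF_BYTES] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
  SessionCtx s;
  char zField[128];
  csrf_new_token(&s, aSeed, sizeof aSeed);
  csrf_hidden_field(&s, zField, sizeof zField);
  printf("form field: %s\n", zField);
  printf("post with token:    %s\n",
         handle_post(&s, "comment=hi&csrf=000102030405060708090a0b0c0d0e0f") ? "accepted" : "rejected");
  s.okCsrf = 0;  /* fresh request */
  printf("post without token: %s\n",
         handle_post(&s, "comment=hi") ? "accepted" : "rejected");
  return 0;
}
```

Two details worth noting against the quoted Fossil routine: the comparison is constant-time here (fossil_strcmp() is an ordinary compare), and the session token must come from a cryptographically secure source, since the whole defence rests on a cross-origin page being unable to guess it.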
