mr.baileys had spotted a CSRF vulnerability in the task manager some time ago, that we fixed.

Unfortunately, this broke mass migration: #1111532: Mass Migrate fails in Aegir 1.0 RC3. I consider the latter more important than the CSRF, because all the CSRF can do is fire up tasks that can be rolled back. It also requires the user to visit a malicious site while being logged into Aegir.

I am therefore opening this issue so that the CSRF eventually gets fixed, the proper way.

Comments

anarcat

Status: Active » Fixed

Alright, I have done a more proper fix by re-importing mr.baileys' patch and then doing the CSRF check only on non-interactive tasks.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.