checkbox should send a referer header when it POSTs data to Launchpad.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Checkbox | Fix Released | Undecided | Marc Tardif |
Launchpad itself | Invalid | Undecided | Abel Deuring |
checkbox (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Bug Description
The impact of this bug is that it adheres to an inconsistent interface in Launchpad. The proposed fix adds the REFERER information to the HTTP header, which is consistent with all the other Launchpad interfaces. A workaround is currently provided in Launchpad, but it would be nice to have this bug fixed in an LTS release so that Launchpad can eventually remove this workaround safely.
Since ca. 2010-3-24, Launchpad requires a referer header for all POST requests, see bug 529348. We will exempt the /+hwdb/+submit URL for now from this requirement, but in order to prevent future CSRF problems, checkbox should send a referer header.
From #launchpad-dev, 2010-03-29:
(17:39:38) gary_poster: adeuring: so...actually, I also suggest that they change their script now to include a REFERER. That way eventually legacy clients will "just work," and sooner than if they wait to be able to do whatever it is they need to do through the webservice API
(17:40:53) adeuring: gary_poster: yes, checkbox should do that. But it is installed by default on every Ubuntu system, and getting rid of old version will need quite some time...
(17:41:38) gary_poster: adeuring: ack, so let's get started ;-) getting the change into lucid would be a *big* win in that regard
Related branches
- Gary Poster (community): Approve
- Deryck Hodge (community): Approve (code)
- Diff: 16 lines (+6/-0), 1 file modified: lib/canonical/launchpad/webapp/publication.py (+6/-0)
- Mathias Gug: Needs Fixing
- Diff: 822 lines (+253/-247), 20 files modified:
backend (+12/-3)
checkbox/job.py (+1/-1)
checkbox/resource.py (+3/-2)
checkbox/user_interface.py (+7/-2)
debian/changelog (+17/-0)
debian/control (+1/-0)
jobs/disk.txt.in (+1/-2)
jobs/local.txt.in (+1/-1)
jobs/resource.txt.in (+1/-0)
plugins/backend_info.py (+15/-17)
plugins/begin_prompt.py (+33/-0)
plugins/launchpad_exchange.py (+2/-1)
plugins/persist_info.py (+2/-2)
po/checkbox.pot (+10/-10)
scripts/ansi_parser (+2/-1)
scripts/device_list (+0/-168)
scripts/disk_test (+0/-33)
scripts/run_templates (+142/-0)
scripts/suspend_test (+2/-3)
scripts/udev_resource (+1/-1)
- Stéphane Graber: Approve
- Diff: 807 lines (+250/-246), 19 files modified:
backend (+12/-3)
checkbox/job.py (+1/-1)
checkbox/resource.py (+3/-2)
checkbox/user_interface.py (+7/-2)
debian/changelog (+16/-0)
debian/control (+1/-0)
jobs/disk.txt.in (+1/-2)
jobs/local.txt.in (+1/-1)
jobs/resource.txt.in (+1/-0)
plugins/backend_info.py (+15/-17)
plugins/begin_prompt.py (+33/-0)
plugins/launchpad_exchange.py (+2/-1)
plugins/persist_info.py (+2/-2)
po/checkbox.pot (+10/-10)
scripts/device_list (+0/-168)
scripts/disk_test (+0/-33)
scripts/run_templates (+142/-0)
scripts/suspend_test (+2/-3)
scripts/udev_resource (+1/-1)
Changed in launchpad:
assignee: nobody → Abel Deuring (adeuring)
Changed in checkbox:
assignee: nobody → Marc Tardif (cr3)
status: New → In Progress
affects: launchpad → launchpad-foundations
Changed in launchpad-foundations:
status: New → Invalid
Changed in malone:
assignee: nobody → Abel Deuring (adeuring)
Changed in malone:
status: New → In Progress
importance: Undecided → High
Changed in checkbox:
status: In Progress → Fix Committed
Changed in checkbox (Ubuntu):
milestone: none → lucid-updates
status: New → In Progress
milestone: lucid-updates → none
Changed in checkbox (Ubuntu Lucid):
status: New → In Progress
Changed in checkbox (Ubuntu Lucid):
milestone: none → lucid-updates
Changed in checkbox:
status: Fix Committed → Fix Released
Changed in checkbox (Ubuntu):
status: In Progress → Fix Released
description: updated
Changed in malone:
status: Fix Committed → Fix Released
I talked with Marc and remembered what the hwdb app actually is--that is, a completely separate application that basically happens to co-habitate with the Launchpad codebase and database, but is not exposed through the Launchpad browser interface or launchpadlib.
In that light, whether a REFERER header is required is more of a question for the specs, if they exist, of what the hwdb API is. It's probably a reasonable assertion that a REFERER header doesn't belong in them.
My new, new, new recommendation is that we make sure that the specs for the hwdb are clearly stated and well-tested in Launchpad, whatever they are. They probably are already tested, Launchpad generally being pretty well tested; perhaps Zope bug 98437 (which we work around in the new tests) caused the test to appear falsely sufficient in this regard.
If the hwdb specs indicate that the REFERER header should not be required, then we should also add that comment to the pertinent code (lib/canonical/launchpad/webapp/publication.py LaunchpadBrowserPublication.maybeBlockOffsiteFormPost).
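An added sketch, not Launchpad's or checkbox's own code, of the behaviour this report and the comment above discuss: a referer check on POSTs with the /+hwdb/+submit exemption, and what happens to legacy and fixed clients once that exemption is removed. The host name, the function names and the choice of the submission URL as the Referer value are assumptions.

```python
from urllib.parse import urlsplit
from urllib.request import Request

# Assumed values for illustration. Only the /+hwdb/+submit path is taken
# from the bug report; the host and all function names are hypothetical.
SITE_HOSTS = {"launchpad.example"}
REFERER_EXEMPT_PATHS = {"/+hwdb/+submit"}


def offsite_post_blocked(method, path, headers, exempt=REFERER_EXEMPT_PATHS):
    """Return True if the referer check would reject this request."""
    if method.upper() != "POST":
        return False                      # only form posts are checked
    if path in exempt:
        return False                      # workaround for legacy clients
    lowered = {k.lower(): v for k, v in headers.items()}
    host = urlsplit(lowered.get("referer", "")).hostname
    return host not in SITE_HOSTS         # missing or off-site Referer


def build_submission(url, payload):
    """Client side: POST that sends a Referer (assumed here to be the
    submission URL itself; the page does not say which value is used)."""
    return Request(url, data=payload, method="POST",
                   headers={"Referer": url})


def demo():
    url = "https://launchpad.example/+hwdb/+submit"   # constructed URL
    req = build_submission(url, b"constructed report")
    path = urlsplit(req.full_url).path
    sent = dict(req.header_items())
    return {
        # Today: the exempt path accepts a legacy client with no Referer.
        "legacy_with_exemption": offsite_post_blocked("POST", path, {}),
        # Exemption removed: legacy client breaks, fixed client still works.
        "legacy_no_exemption": offsite_post_blocked("POST", path, {}, exempt=set()),
        "fixed_no_exemption": offsite_post_blocked("POST", path, sent, exempt=set()),
    }


if __name__ == "__main__":
    print(demo())
```
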