Provide a way for sites to pre-fill the openid login form

Bug #1706984 reported by François Marier
Affects: Libravatar (obsolete)
Status: Fix Released
Importance: Medium
Assigned to: François Marier

Bug Description

Fedora Badges (https://badges.fedoraproject.org/user/fmarier) currently has a "Change avatar" button that uses this code:

<form method="POST" action="https://www.libravatar.org/openid/login/">
<input name="openid_identifier" value="http://fmarier.id.fedoraproject.org/" type="hidden">
<input class="pretty-submit" style="height: 50px; width: 100%;" name="change-avatar" value="Change Avatar" type="submit">
</form>

which fails with a CSRF error message:

  Forbidden (403)

  CSRF verification failed. Request aborted.

because the CSRF token is missing from that request.

While we can't open this up completely, since that would enable login fixation, we could add a parameter on the OpenID login page to pre-fill the address in that form.

Tags: fedora openid
François Marier (fmarier) wrote :

The easiest fix is probably to use "openid_identifier" for the parameter name and then change the Fedora Badges to a GET form action.

Patches can be sent here: https://github.com/fedora-infra/tahrir
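
A simplified, standard-library model of the behaviour discussed in this report, added here as an example (it is not Libravatar's or Fedora's code). The `login_page` function, the `csrf_token` field and cookie names, the double-submit check and the http(s) filter are assumptions; it shows the cross-site POST being rejected while a GET with `openid_identifier` only pre-fills the form:

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Hypothetical names throughout; this models the behaviour, nothing more.
FORM = ('<form method="POST" action="/openid/login/">'
        '<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="openid_identifier" value="{ident}">'
        '<input type="submit" value="Login"></form>')


def login_page(method, query="", form=None, cookies=None):
    """Return (status, body, cookies_to_set) for the OpenID login endpoint."""
    form, cookies = form or {}, cookies or {}
    if method == "GET":
        # Pre-fill only: nothing is authenticated, the user must still submit.
        ident = parse_qs(query).get("openid_identifier", [""])[0]
        if not ident.startswith(("http://", "https://")):
            ident = ""  # ignore anything that is not an http(s) identifier
        token = cookies.get("csrf_token") or secrets.token_urlsafe(32)
        # The value comes from another site, so escape it before reflecting it.
        body = FORM.format(token=token, ident=html.escape(ident, quote=True))
        return 200, body, {"csrf_token": token}
    if method == "POST":
        sent = form.get("csrf_token", "").encode()
        expected = cookies.get("csrf_token", "").encode()
        # Double-submit check: a cross-site form cannot read the cookie value.
        if not expected or not hmac.compare_digest(sent, expected):
            return 403, "CSRF verification failed. Request aborted.", {}
        return 302, "start OpenID flow for " + form.get("openid_identifier", ""), {}
    return 405, "Method not allowed", {}


if __name__ == "__main__":
    ident = "http://fmarier.id.fedoraproject.org/"
    # The cross-site POST from the report carries no token and is refused.
    print(login_page("POST", form={"openid_identifier": ident})[0])
    # The GET variant renders the form with the identifier filled in.
    print(login_page("GET", query="openid_identifier=" + ident)[1])
```
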

François Marier (fmarier) wrote :

Clicking on the avatar logo from https://apps.fedoraproject.org/notifications/fmarier.id.fedoraproject.org/ also uses the same form code.

The source code for this app is here: https://github.com/fedora-infra/fmn

description: updated
Changed in libravatar:
status: Confirmed → Fix Released