Logout page vulnerable to CSRF
Bug #1298790 reported by Julian Edwards
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Fix Released | High | Raphaël Badin |
1.2 | Fix Released | High | Raphaël Badin |
1.5 | Fix Released | High | Raphaël Badin |
Bug Description
The logout page can be accessed by browsing to /MAAS/accounts/
against cross-site request forgery attacks, so remote attackers may be able to cause annoyance by
forcing users to log out of the application.
Related branches
lp:~rvb/maas/1.5-bug-1298790
- MAAS Maintainers: Pending requested
- Diff: 116 lines (+70/-3), 3 files modified
  - src/maasserver/templates/maasserver/logout_confirm.html (+21/-0)
  - src/maasserver/views/account.py (+24/-2)
  - src/maasserver/views/tests/test_account.py (+25/-1)
lp:~rvb/maas/logout-fix-1.2
- Julian Edwards (community): Approve
- Diff: 122 lines (+70/-4), 3 files modified
  - src/maasserver/templates/maasserver/logout_confirm.html (+21/-0)
  - src/maasserver/tests/test_views_account.py (+25/-2)
  - src/maasserver/views/account.py (+24/-2)
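The files touched by the fix (a new logout_confirm.html template plus changes to the account view) point to a confirm-then-POST logout. The block below is an added example, not MAAS code: a framework-free Python model of that pattern next to the behaviour described in the bug. All names (`SESSIONS`, `csrf_token`, `logout_vulnerable`, `logout_hardened`, `demo`) and the HMAC-derived token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Everything here is constructed for illustration; none of it is MAAS code.
SECRET_KEY = secrets.token_bytes(32)  # server-side secret used to derive tokens
SESSIONS = {}                         # session id -> username (in-memory stand-in)

def csrf_token(session_id):
    """Derive a token bound to one session; another origin cannot compute it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def logout_vulnerable(method, session_id, form):
    """Behaviour described in the bug: any request that reaches the URL,
    including a GET issued by another site, ends the session."""
    SESSIONS.pop(session_id, None)
    return 302, "login page"

def logout_hardened(method, session_id, form):
    """GET only renders a confirmation form; the session ends only on a
    POST that carries the token issued to this session."""
    if session_id not in SESSIONS:
        return 302, "login page"
    expected = csrf_token(session_id)
    if method == "GET":
        return 200, ('<form method="post">'
                     f'<input type="hidden" name="csrf" value="{expected}">'
                     '<button>Log out</button></form>')
    if method != "POST":
        return 405, "method not allowed"
    if not hmac.compare_digest(form.get("csrf", "").encode(), expected.encode()):
        return 403, "CSRF verification failed"
    del SESSIONS[session_id]
    return 302, "login page"

def demo():
    """Replay a cross-site GET, a token-less POST and a genuine POST."""
    results = {}
    for name, handler in (("vulnerable", logout_vulnerable), ("hardened", logout_hardened)):
        SESSIONS["sid-1"] = "alice"                      # constructed session
        status, _ = handler("GET", "sid-1", {})          # GET issued by another site
        results[name + "_forged_get"] = (status, "sid-1" in SESSIONS)
    results["forged_post"] = (logout_hardened("POST", "sid-1", {})[0], "sid-1" in SESSIONS)
    good = {"csrf": csrf_token("sid-1")}                 # token taken from the confirm form
    results["real_post"] = (logout_hardened("POST", "sid-1", good)[0], "sid-1" in SESSIONS)
    return results

if __name__ == "__main__":
    print(demo())
```

Each result pairs the HTTP status with whether the session still exists afterwards, so the difference between the two handlers is visible on the cross-site GET.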
Changed in maas:
assignee: nobody → Raphaël Badin (rvb)
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
milestone: none → 14.04
milestone: 14.04 → 14.10
Changed in maas:
status: Fix Committed → Fix Released
milestone: 14.10 → none
information type: Private Security → Public Security