Comment 4 for bug 1480329

Aaron Wells (u-aaronw) wrote : Re: CSRF bug

To replicate:

One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:

1. Log in to Mahara and go to "Content -> Files".

2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.

3. Find the hidden form variable with ID "files_sesskey".

4. Delete it, or change its value to "wrongsesskey".

5. Upload a file.

Expected result: The process should error out. Depending on how thorough the JavaScript involved is, you may see this error message: "Invalid session key".

Actual result: The file upload finishes successfully.
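For readers following the steps above, here is an added illustration (not Mahara's own code) of the server-side check those steps exercise: the submitted session key must be present and must match the one stored in the user's session, otherwise the upload is refused. The field name `sesskey`, the session slot `$session['sesskey']` and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from Mahara. Shows the kind of per-session CSRF
// token check that the reproduction steps probe: deleting or altering the
// hidden "sesskey" field must cause the upload to be rejected.

// Creates the per-session key once and reuses it for the session's lifetime.
// (Assumed storage location: $session['sesskey'].)
function ensure_sesskey(array &$session): string {
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16));
    }
    return $session['sesskey'];
}

// Returns true only when a non-empty key was submitted AND it equals the
// session's key. A missing field is a failure, never a pass-through.
function sesskey_is_valid(array $post, array $session): bool {
    $submitted = $post['sesskey'] ?? '';
    $expected  = $session['sesskey'] ?? '';
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the key were correct.
    return hash_equals($expected, $submitted);
}

// Hypothetical upload handler: the key check runs before any file is touched.
function handle_upload(array $post, array $session): string {
    if (!sesskey_is_valid($post, $session)) {
        http_response_code(403);
        return 'Invalid session key';
    }
    // Only here would the uploaded file be moved into the user's file area.
    return 'Upload accepted';
}

// Constructed requests mirroring the steps above (sample values, not real ones).
$session = [];
$key = ensure_sesskey($session);
echo handle_upload(['sesskey' => 'wrongsesskey'], $session), "\n"; // step 4: altered value
echo handle_upload([], $session), "\n";                             // step 4: field deleted
echo handle_upload(['sesskey' => $key], $session), "\n";            // untouched form
```

Run with `php example.php`; the first two requests are refused and only the untouched form is accepted, which is the "expected result" the comment describes.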