Roundup Tracker - Issues


Author rouilj
Recipients rouilj
Date 2022-08-02.02:54:06
Message-id <>
As I was debugging my changes to add redis support for session and otks
databases, I noticed that the page does not request a CSRF token.

It also uses GET for it's submission mode.

This makes sense in most cases as it doesn't change any issue data. However
because we name the search and save it to the search list, it does modify data.

So this should have CSRF protection if the change is to be saved/committed.

I think this is a low priority. I am not sure how it could be used to do much
of anything other than mess with a user's searches. Using GET for searches (so we
can bookmark and share them) already provides the same exposure this does to issue
Date User Action Args
2022-08-02 02:54:07rouiljsetrecipients: + rouilj
2022-08-02 02:54:07rouiljsetmessageid: <>
2022-08-02 02:54:07rouiljlinkissue2551229 messages
2022-08-02 02:54:06rouiljcreate