Roundup Tracker - Issues

Message7628

Author rouilj
Recipients rouilj
Date 2022-08-02.02:54:06
Message-id <1659408847.08.0.073119275593.issue2551229@roundup.psfhosted.org>
In-reply-to
As I was debugging my changes to add redis support for session and otks
databases, I noticed that the issue.search page does not request a CSRF token.

It also uses GET for its submission mode.

This makes sense in most cases as it doesn't change any issue data. However
because we name the search and save it to the search list, it does modify data.

So this should have CSRF protection if the change is to be saved/committed.

I think this is a low priority. I am not sure how it could be used to do much
of anything other than mess with a user's searches. Using GET for searches (so we
can bookmark and share them) already provides the same exposure this does to issue
data.
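
The distinction drawn in the message above (a plain GET search is read-only, a GET search that also names and saves the query changes data), as an added example that is not Roundup's code or part of the original message. The parameter names `save_as` and `csrf`, the HMAC-based token and the choice to still run the search when the token is missing are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
SAVE_PARAM = "save_as"                # hypothetical name of the "save this search" field
TOKEN_PARAM = "csrf"                  # hypothetical name of the token field


def issue_token(session_id: str) -> str:
    """Token bound to one session; the search form would embed it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_search_request(url: str, session_id: str) -> str:
    """Classify a GET search request.

    Returns:
      "search"       read-only search, nothing persisted, no token required
      "search+save"  search plus a saved named query, token verified
      "search-only"  a save was requested without a valid token: run the
                     search but do not commit the saved query
    """
    params = parse_qs(urlsplit(url).query)
    name = params.get(SAVE_PARAM, [""])[0].strip()
    if not name:
        # Bookmarkable and shareable: no state change, so no token needed.
        return "search"
    supplied = params.get(TOKEN_PARAM, [""])[0]
    expected = issue_token(session_id)
    # Compare as bytes in constant time; a str with non-ASCII would raise.
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        return "search+save"
    return "search-only"
```

Because the token is derived from the session id, a search URL that is bookmarked or shared with the token still in it does not validate in another user's session.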
History
Date                 User    Action  Args
2022-08-02 02:54:07  rouilj  set     recipients: + rouilj
2022-08-02 02:54:07  rouilj  set     messageid: <1659408847.08.0.073119275593.issue2551229@roundup.psfhosted.org>
2022-08-02 02:54:07  rouilj  link    issue2551229 messages
2022-08-02 02:54:06  rouilj  create