476884 - "Suspicious Action" when I try to mass-change bugs

Status: RESOLVED DUPLICATE of bug 476943

(Bugzilla :: Creating/Changing Bugs, defect)

Description

[Wil Clouser [:clouserw]]

Just started getting this after the last upgrade.  To reproduce:

1) Do a quicksearch for 2 or more bugs
2) Click "Change several bugs at once"
3) select all the checkboxes, add someone to the CC list, click commit
4) Get this Message:
-----------------------------------------------------
It looks like you didn't come from the right page (you have no valid token for the buglist_mass_change action while processing the 'process_bug.cgi' script). The reason could be one of:

* You clicked the "Back" button of your web browser after having successfully submitted changes, which is generally not a good idea (but harmless).
* You entered the URL in the address bar of your web browser directly, which should be safe.
* You clicked on a URL which redirected you here without your consent, in which case this action is much more critical.

Are you sure you want to commit these changes anyway? This may result in unexpected and undesired results.
-----------------------------------------------------

Comment 1

[Frédéric Buclin]

Seems to be bmo specific. I cannot reproduce upstream, neither on Bugzilla 3.3.3, nor 3.2.2.

Comment 2

[Frédéric Buclin]

I also tried on landfill, and I still cannot reproduce. But I can indeed reproduce the problem on bmo.

Comment 3

[Dave Miller [:justdave]]

Could this be related to the CSRF tokens ocassionally getting written to the slave instead of the master?  bmo has multiple slaves, so it would be more obvious.

Comment 4

[Frédéric Buclin]

Yes, I'm pretty sure it's the same issue, now that we have identified the problem.

Comment 5

[Dave Miller [:justdave]]

The fix from bug 476943 has been deployed on bmo now, so this problem should be gone on bmo now.