Steps to reproduce:
1. User is *not* logged in.
2. Load https://addons-next.allizom.org/en-US/developers/upload/655732f159b7453f9a91eee9d6dc40e4

Expected behavior: User is redirected to the log in page.

Actual behavior: Page is a 403 and shows 'Internal server error'.
The 403 error is due to a CSRF validation failure to https://addons-next.allizom.org/en-US/developers/upload/655732f159b7453f9a91eee9d6dc40e4/json

Normally I would say that CSRF protection isn't needed on read-only pages. However, there are cross-domain attacks that source JSON blobs, e.g. a malicious page would include something like <script src="https://addons-next.allizom.org/en-US/developers/upload/655732f159b7453f9a91eee9d6dc40e4/json">, then an attacker would modify JS object handlers to read the data.

The normal mitigation to this type of attack is to prefix the blob to prevent the JS interpreter from evaluating the object, e.g. while();//REST OF DATA
The client-side code would then strip out the "while();//" from the XHR response.

Since the CSRF token checking is preventing the attack right now, there's probably no reason to change it. I did notice that other views in the file are marked @csrf_view_exempt.

As for the login issue, the supplied patch should fix it.
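The prefix mitigation described in the comment above, worked through as an added example (this is not code from the bug or from zamboni; the "while();//" prefix is the one the comment quotes, the function names and the sample payload are this example's own). It shows the server-side wrap, the client-side strip, and why the wrapped body is useless to a third-party <script src> include: it no longer parses as a JavaScript program.

```javascript
// Added example of the JSON-hijacking mitigation discussed in the bug comment.
// Not zamboni code: the prefix string comes from the comment, everything else
// is this example's own naming.
const PREFIX = "while();//";

// Server side: wrap the JSON body so that, if another origin includes the URL
// via <script src=...>, the JS parser stops with a syntax error before any
// value could be observed through a tampered constructor or setter.
function prefixJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Client side: the legitimate XHR/fetch caller strips the prefix and parses.
// A missing prefix is treated as an error rather than silently accepted, so a
// misconfigured endpoint is noticed instead of quietly losing the protection.
function parsePrefixedJson(body) {
  if (typeof body !== "string" || !body.startsWith(PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Would this body parse as a JavaScript program? That is the property a
// <script src> inclusion depends on. The Function constructor is used only to
// parse; the body is never executed.
function parsesAsScript(body) {
  try {
    new Function(body); // parse only
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payload (not real validation output). A bare JSON array
// is the classic hijackable shape: as a script it is a valid expression
// statement, so an overridden Array constructor could see its elements.
const sample = ["example-token", { file: 123, errors: 0 }];

function demo() {
  const wire = prefixJson(sample);
  return {
    wire,
    bareArrayParsesAsScript: parsesAsScript(JSON.stringify(sample)), // true
    prefixedParsesAsScript: parsesAsScript(wire),                    // false
    roundTrip: parsePrefixedJson(wire),
  };
}

console.log(demo());
```

The check in parsePrefixedJson is deliberately strict: accepting both prefixed and unprefixed bodies on the client would make it easy to drop the prefix on the server without anything noticing.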
Andy, can you review dchan's patch?
Assignee: nobody → dchan
Whiteboard: [patch][needs review]
It's a holiday in Canada. kicking to next week.
Target Milestone: 6.1.4 → 6.1.5
Assignee: dchan → amckay
Target Milestone: 6.1.5 → 6.1.6
Comment on attachment 541424 [details] [diff] [review] require login to view validation results Review of attachment 541424 [details] [diff] [review]: -----------------------------------------------------------------
Attachment #541424 - Flags: review+
http://github.com/jbalogh/zamboni/commit/8e034f Thanks dchan.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
verified at https://addons.allizom.org/en-US/firefox/users/login?to=/en-US/developers/addon/adblock-plus/file/121073/validation
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard