CSRF errors after upgrading to 4.13 #7962

Closed

Nutomic opened this issue Aug 3, 2022 · 3 comments
Labels
duplicate Similar issue or pull request already exists.

Nutomic commented Aug 3, 2022

Describe the issue

I upgraded an existing Weblate installation from 4.8.1-2 to 4.13.1-2. It's installed with Docker, and before upgrading everything worked fine. I didn't change anything about the configuration, and the problem happens in different browsers.

I already tried

  • I've read and searched the documentation.
  • I've searched for similar issues in this repository.

Steps to reproduce the behavior

  1. Go to https://weblate.yerbamate.ml/contact/
  2. Fill in the form and press Send
  3. See error "CSRF check failed. The request was interrupted."

The same problem happens also for register, login and probably other forms.

Expected behavior

No response

Screenshots

No response

Exception traceback

No response

How do you run Weblate?

Docker container

Weblate versions

  • Weblate: 4.13.1
  • Django: 4.0.6
  • siphashc: 2.1
  • translate-toolkit: 3.7.1
  • lxml: 4.6.5
  • Pillow: 9.2.0
  • bleach: 5.0.1
  • python-dateutil: 2.8.2
  • social-auth-core: 4.3.0
  • social-auth-app-django: 5.0.0
  • django-crispy-forms: 1.14.0
  • oauthlib: 3.2.0
  • django-compressor: 4.0
  • djangorestframework: 3.13.1
  • django-filter: 22.1
  • django-appconf: 1.0.5
  • user-agents: 2.2.0
  • filelock: 3.7.1
  • jellyfish: 0.9.0
  • openpyxl: 3.0.10
  • celery: 5.2.7
  • kombu: 5.2.4
  • translation-finder: 2.13
  • weblate-language-data: 2022.5
  • html2text: 2020.1.16
  • pycairo: 1.21.0
  • pygobject: 3.42.1
  • diff-match-patch: 20200713
  • requests: 2.28.1
  • django-redis: 5.2.0
  • hiredis: 2.0.0
  • sentry_sdk: 1.6.0
  • Cython: 0.29.30
  • misaka: 2.1.1
  • GitPython: 3.1.27
  • borgbackup: 1.2.1
  • pyparsing: 3.0.9
  • pyahocorasick: 1.4.4
  • python-redis-lock: 3.7.0
  • charset-normalizer: 2.1.0
  • Python: 3.10.5
  • Git: 2.30.2
  • psycopg2: 2.9.3
  • psycopg2-binary: 2.9.3
  • phply: 1.2.5
  • ruamel.yaml: 0.17.21
  • tesserocr: 2.5.2
  • boto3: 1.24.23
  • zeep: 4.1.0
  • aeidon: 1.11
  • iniparse: 0.5
  • mysqlclient: 2.1.1
  • Mercurial: 6.1.4
  • git-svn: 2.30.2
  • git-review: 2.3.1
  • Redis server: 5.0.14
  • PostgreSQL server: 12.10
  • Database backends: django.db.backends.postgresql
  • Cache backends: default:RedisCache, avatar:FileBasedCache
  • Email setup: django.core.mail.backends.smtp.EmailBackend: postfix
  • OS encoding: filesystem=utf-8, default=utf-8
  • Celery: redis://redis:6379/2, redis://redis:6379/2, regular
  • Platform: Linux 5.4.0-110-generic (x86_64)

Weblate deploy checks

System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
HINT: https://docs.weblate.org/en/weblate-4.13.1/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
HINT: https://docs.weblate.org/en/weblate-4.13.1/admin/backup.html

System check identified 5 issues (1 silenced).

Additional context

Security warnings seem unrelated to the problem. I also tried downgrading to an older version, but unfortunately that fails due to database migrations, and I didn't make a backup before upgrading.

@Nutomic Nutomic changed the title CSRF error on login after upgrading to 4.13 CSRF errors after upgrading to 4.13 Aug 3, 2022

Nutomic commented Aug 4, 2022

Someone pointed out this old issue to me: #1912

Based on comments there, I set CSRF_TRUSTED_ORIGINS = ["https://weblate.yerbamate.ml"] in settings-override.py and it fixed the problem. Still keeping the issue open, as this seems like a regression, and the settings override was not necessary in previous versions.


nijel commented Aug 10, 2022

This really should not be needed if the URL matches what is configured by WEBLATE_ENABLE_HTTPS and WEBLATE_SITE_DOMAIN.
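Added illustration (not Weblate's or Django's own code) of why the two comments above are both right: since Django 4.0, CsrfViewMiddleware compares the browser's Origin header against the scheme and host Django believes the request arrived on, and only falls back to CSRF_TRUSTED_ORIGINS (entries now require a scheme). Behind a TLS-terminating reverse proxy the request reaches Django as plain HTTP, so unless Django is told to trust the proxy's X-Forwarded-Proto header it sees http://weblate.yerbamate.ml while the browser sent https://..., and the check fails. The model assumes that a correct WEBLATE_ENABLE_HTTPS setup results in Django trusting that header (SECURE_PROXY_SSL_HEADER); the request values are constructed from the report.

```python
from urllib.parse import urlsplit

# Simplified model of Django 4.x's CSRF Origin check. Not Django's code:
# it reproduces the outcome of the check, not its implementation.


def effective_scheme(forwarded_proto, trust_proxy_header):
    """Scheme Django assigns to a request that arrived over plain HTTP from
    a TLS-terminating proxy. Django reports 'https' only when configured to
    trust the proxy's X-Forwarded-Proto header (SECURE_PROXY_SSL_HEADER)."""
    if trust_proxy_header and forwarded_proto == "https":
        return "https"
    return "http"


def origin_allowed(origin, request_scheme, request_host, trusted_origins):
    """Django 4.x rule: Origin must equal the request's own scheme://host,
    or be listed, scheme included, in CSRF_TRUSTED_ORIGINS."""
    parts = urlsplit(origin)
    if parts.scheme == request_scheme and parts.netloc == request_host:
        return True
    return origin in trusted_origins


def csrf_origin_check(trust_proxy_header, trusted_origins):
    """One constructed POST to the contact form from the report: the browser
    sends Origin https://weblate.yerbamate.ml, the proxy forwards it over
    plain HTTP with X-Forwarded-Proto: https."""
    scheme = effective_scheme("https", trust_proxy_header)
    return origin_allowed("https://weblate.yerbamate.ml", scheme,
                          "weblate.yerbamate.ml", trusted_origins)


# Scenario 1: proxy header not trusted, no override. Django sees
# http://weblate.yerbamate.ml, the browser said https -> check fails.
BROKEN = csrf_origin_check(trust_proxy_header=False, trusted_origins=[])

# Scenario 2: the workaround from the thread, an explicit trusted origin
# in CSRF_TRUSTED_ORIGINS -> check passes despite the scheme mismatch.
WORKAROUND = csrf_origin_check(
    trust_proxy_header=False,
    trusted_origins=["https://weblate.yerbamate.ml"],
)

# Scenario 3: Django trusts the proxy's scheme header (assumed effect of a
# matching WEBLATE_ENABLE_HTTPS / WEBLATE_SITE_DOMAIN setup), so the request's
# own origin matches and no override is needed.
CORRECT_SETUP = csrf_origin_check(trust_proxy_header=True, trusted_origins=[])
```

Checking the scheme Django assigns (request.scheme in a debug view or log line) is the quickest way to tell a genuine proxy misconfiguration from a regression that needs the CSRF_TRUSTED_ORIGINS override.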

@nijel nijel added the duplicate Similar issue or pull request already exists. label Aug 11, 2022

nijel commented Aug 11, 2022

Duplicate of #1912

@nijel nijel marked this as a duplicate of #1912 Aug 11, 2022
@nijel nijel closed this as not planned Won't fix, can't repro, duplicate, stale Aug 11, 2022