Upgrade can stall when checking permissions on csrf-secret.php #3253
Comments
It should be autocreated, but that can only happen if there is a permission to do so. Since it's in a folder that doesn't normally get modified, it has to be done manually. CSRF is used to prevent automated posting by bots.
Well, I got stopped cold in the upgrade because it wasn't there and I had to touch the file to trick the installer. What's the process for creating it manually (with some actual content)? And should I carry this file along with me in upgrades or have a new one generated each time?
If you've created the file, it should have put some content in it... does it not have content? I don't need to know what it is as it's a secret.
It's empty. But it's owned by root again. I'll change the ownership back to the webserver user and see what might happen ... but I did leave it as owned by the webserver user for a while and it remained empty. At what point should it be populated with data?
If you whack the file, and apache can write there, it'll get recreated by the first person who goes to the page I think.
I'm reviewing all the CSRF code anyway, so I'll see if I can spot anything wrong but I did stumble on this issue myself. You should be allowed to continue without needing the secret file.
This has now been patched in commit 3f836d9
I do not have a csrf-secret.php file. I don't really know what it is. I do have an include/vendor/csrf/csrf-magic.php file, and a csrf-magic.js file, which came with the cacti distribution.
The installer fails to move forward when it sees the permissions for this file are incorrect, because it doesn't exist. My work-around to move forward with the install was simple:
Then a refresh on the permissions requirement and everything was OK. But, if the csrf-secret.php is something I need ... I'd like to know more about it!