Upgrade can stall when checking permissions on csrf-secret.php #3253

Closed
eschoeller opened this issue Feb 11, 2020 · 7 comments
Labels: bug (Undesired behaviour), installer (Installation issue), resolved (A fixed issue)

@eschoeller

I do not have a csrf-secret.php file. I don't really know what it is. I do have an include/vendor/csrf/csrf-magic.php file, and a csrf-magic.js file, which came with the Cacti distribution.

The installer fails to move forward when it sees the permissions for this file are incorrect, because it doesn't exist. My work-around to move forward with the install was simple:

$ sudo touch /cacti/cacti-1.2.9-prod/include/vendor/csrf/csrf-secret.php
$ sudo chown apache:apache /cacti/cacti-1.2.9-prod/include/vendor/csrf/csrf-secret.php

Then a refresh on the permissions requirement and everything was OK. But, if the csrf-secret.php is something I need ... I'd like to know more about it!

@netniV
Member

netniV commented Feb 12, 2020

It should be auto-created, but that can only happen if there is permission to do so. Since it's in a folder that doesn't normally get modified, it has to be done manually. CSRF is used to prevent automated posting by bots.

@eschoeller
Author

Well, I got stopped cold in the upgrade because it wasn't there and I had to touch the file to trick the installer. What's the process for creating it manually (with some actual content)? And should I carry this file along with me in upgrades or have a new one generated each time?

@netniV
Member

netniV commented Feb 13, 2020

If you've created the file, it should have put some content in it... does it not have content? I don't need to know what it is as it's a secret.

@eschoeller
Author

It's empty. But it's owned by root again. I'll change the ownership back to the webserver user and see what might happen ... but I did leave it as owned by the webserver user for a while and it remained empty. At what point should it be populated with data?

@netniV netniV added bug Undesired behaviour installer Installation issue labels Feb 22, 2020
@netniV netniV self-assigned this Feb 22, 2020
@netniV netniV added this to the 1.2.10 milestone Feb 22, 2020
@TheWitness
Member

If you whack the file, and apache can write there, it'll get recreated by the first person who goes to the page I think.

@netniV
Member

netniV commented Feb 22, 2020

I'm reviewing all the CSRF code anyway, so I'll see if I can spot anything wrong but I did stumble on this issue myself. You should be allowed to continue without needing the secret file.

@netniV netniV changed the title Upgrade to 1.2.9 stalls on csrf-secret.php Upgrade can stall when checking permissions on csrf-secret.php Feb 23, 2020
@netniV
Member

netniV commented Feb 23, 2020

This has now been patched in commit 3f836d9

@netniV netniV closed this as completed Feb 23, 2020
@TheWitness TheWitness added the resolved A fixed issue label Feb 23, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020
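
A check an administrator could run after the upgrade discussed in this thread, added here as an example and not part of the issue or of Cacti's code: it reports whether csrf-secret.php is missing, zero-length (as after the `touch` workaround), owned by an unexpected UID, or accessible to other local users. The function name, the status strings, the placeholder path and the world-access check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Cacti code): report the state of csrf-secret.php.
# Usage: check_csrf_secret <path> <expected-numeric-uid>
#   e.g. check_csrf_secret /path/to/csrf-secret.php "$(id -u apache)"
check_csrf_secret() {
    file=$1
    want_uid=$2

    # Missing file: the case that stalled the permission check in this issue.
    if [ ! -e "$file" ]; then
        echo "missing"; return 0
    fi
    # Zero bytes: what the `touch` workaround leaves behind.
    if [ ! -s "$file" ]; then
        echo "empty"; return 0
    fi
    # ls -ldn prints: mode links uid gid size ...
    listing=$(ls -ldn "$file")
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "wrong-owner"; return 0
    fi
    # Characters 8-10 of the mode string are the "other" permission bits.
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "world-accessible"; return 0
    fi
    echo "ok"
}

# Demo on constructed files in a temporary directory (no Cacti tree needed).
demo=$(mktemp -d)
: > "$demo/touched.php"                       # simulates the touch workaround
printf 'constructed placeholder\n' > "$demo/filled.php"
chmod 600 "$demo/filled.php"
for f in absent.php touched.php filled.php; do
    printf '%s: %s\n' "$f" "$(check_csrf_secret "$demo/$f" "$(id -u)")"
done
rm -rf "$demo"
```

An `empty` result after the web server user has owned the file for some time matches what the reporter observed.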