phpmyadmin app installer broken due to CTK CSRF protection #14

brianmcdonnell opened this Issue Dec 1, 2011 · 3 comments

The phpmyadmin app installer is broken in cherokee 1.2.101.

The installer configuration screen sequence fails after the user submits the virtual host for the install. The form attempts to submit a POST to:


however it receives an HTTP 404 in return. The 404 can only be seen in the JavaScript console as this is an AJAX call. The installation cannot proceed beyond this point.

This bug happens because the CSRF protection added to CTK appends the GET parameter 'key=123456abc' onto the form submission. Note this changeset.

Meanwhile the phpmyadmin installer app publishes the following regex to CTK/

in phpmyadmin app install dir.

CTK.publish ('^%s$' % (URL_TARGET_APPLY), ...)



Note the trailing '$' on the regex means that the published URL will not match the URL submitted by the form, due to the addition of the 'key' parameter - hence the 404.



The cherokee admin site is written in Python and is separate from the cherokee web server. It is possible to edit the cherokee Python implementation to disable CSRF protection as follows:

/usr/share/cherokee/admin/ (approx line 85).

CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=True)


CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=False)

Changing sec_submit to False prevents the CSRF 'key' GET parameter from being appended to form submission URLs.

After restarting cherokee-admin it is now possible to install phpmyadmin on cherokee 1.2.101.

Removing unfinished and orphaned apps.

People have reported problems with removing unfinished and orphaned apps from the market here:

I was also having this problem with my failed phpmyadmin installs. Once I had disabled CSRF protection using the steps above this problem was resolved.

Re-enable CSRF protection when finished installing/removing market apps.

CSRF protection is a good thing and it should be re-enabled once you have finished installing/removing apps via the market.


It might be worth raising a bug on the Cherokee bug tracker as I'm not sure how active the developers are on here.
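The route-matching failure described in this report, reproduced as an added example. This is illustrative code written for this page, not CTK's or cherokee-admin's own router: the route table, the URL_TARGET_APPLY value, the session key and the submitted request URL are all constructed assumptions. It shows why a '^...$' pattern matched against the full request URL stops matching once a '?key=...' query string is appended, and one way a router can avoid that without turning CSRF protection off: match the pattern against the path component only and verify the 'key' parameter separately.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed values for illustration only; not taken from the Cherokee/CTK source.
URL_TARGET_APPLY = "/market/install/phpmyadmin/apply"
SESSION_KEY = "123456abc"

# Constructed request URL of the kind the installer's AJAX POST ends up using
# once a CSRF 'key' parameter is appended to the form submission URL.
SUBMITTED_URL = "%s?key=%s" % (URL_TARGET_APPLY, SESSION_KEY)

# Route table published the way the report describes: '^%s$' % URL_TARGET_APPLY.
# (The assumed path contains no regex metacharacters, so no escaping is needed.)
ROUTES = [
    (re.compile("^%s$" % URL_TARGET_APPLY), "apply_handler"),
]


def dispatch_naive(url):
    """Match the whole request URL (path plus query string) against the route
    table, as a router would if it never separated the query string.
    Returns (http_status, handler_name)."""
    for pattern, handler in ROUTES:
        if pattern.match(url):
            return 200, handler
    return 404, None


def dispatch_path_only(url, expected_key):
    """Match only the path component against the route table, then check the
    CSRF 'key' query parameter separately. The trailing '$' in the published
    pattern no longer collides with the appended parameter, and the CSRF check
    is still enforced rather than disabled via sec_submit=False."""
    parts = urlsplit(url)
    for pattern, handler in ROUTES:
        if not pattern.match(parts.path):
            continue
        keys = parse_qs(parts.query).get("key", [])
        if keys != [expected_key]:
            # Route exists, but the submission carries no (or a wrong) CSRF key.
            return 403, None
        return 200, handler
    return 404, None


if __name__ == "__main__":
    print("naive, bare path:   ", dispatch_naive(URL_TARGET_APPLY))
    print("naive, with key:    ", dispatch_naive(SUBMITTED_URL))
    print("path-only, with key:", dispatch_path_only(SUBMITTED_URL, SESSION_KEY))
    print("path-only, no key:  ", dispatch_path_only(URL_TARGET_APPLY, SESSION_KEY))
```

Running the block shows the naive router returning 200 for the bare apply URL and 404 for the same URL with '?key=123456abc' appended, which is the failure seen in the browser console, while the path-only router returns 200 for the keyed submission and 403 when the key is absent or wrong.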

pigmej commented Aug 11, 2012

It's closed, since patches are in dev/master branch already.

That's what fixed it: cherokee/CTK#2

@pigmej pigmej closed this Aug 11, 2012