phpmyadmin app installer broken due to CTK CSRF protection #14

Closed
brianmcdonnell opened this Issue December 01, 2011 · 3 comments

3 participants

Brian McDonnell Jędrzej Nowak Daniel Lo Nigro
Brian McDonnell

The phpmyadmin app installer is broken in cherokee 1.2.101.

The installer configuration screen sequence fails after the user submits the virtual host for the install. The form attempts to submit a POST to:

/market/install/target-selection/apply?key=123456abc

however it receives an HTTP 404 in return. The 404 can only be seen in the JavaScript console as this is an AJAX call. The installation cannot proceed beyond this point.

This bug happens because the CSRF protection added to CTK appends the GET parameter 'key=123456abc' to the form submission. Note this changeset.
https://github.com/cherokee/CTK/commit/10cd5bfd5a888bb4e430bab2e6c2f43daa883d57#CTK/Submitter.py

Meanwhile the phpmyadmin installer app publishes the following regex to CTK/Server.py

in phpmyadmin app install dir. target.py:293

CTK.publish ('^%s$' % (URL_TARGET_APPLY), ...)

where

URL_TARGET_APPLY='/market/install/target-selection/apply'

Note that the trailing '$' on the regex means the published URL will not match the URL submitted by the form, due to the addition of the 'key' parameter - hence the 404.
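
The mismatch described above, reproduced as an added example (this is not CTK's or the installer's code). It models the route check as a plain `re.match` of the issue's anchored regex against the request URI, shows why the query string added by the CSRF protection makes it fail, and then shows a hypothetical fix that matches the route against the path component only while still reading the 'key' parameter so it can be verified; `matches_path_only` and `extract_csrf_key` are assumed names, and the sample request URIs are constructed from the values quoted in the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route and regex pattern exactly as quoted in the issue report.
URL_TARGET_APPLY = '/market/install/target-selection/apply'
ROUTE_REGEX = re.compile('^%s$' % URL_TARGET_APPLY)

# Constructed sample request URIs; the key value is the placeholder from the report.
REQUEST_WITHOUT_KEY = '/market/install/target-selection/apply'
REQUEST_WITH_KEY = '/market/install/target-selection/apply?key=123456abc'


def matches_full_uri(request_uri):
    """Reproduces the failing behaviour: the anchored regex is applied to the
    whole request URI, so any query string (here the CSRF key) makes the match
    fail, which is what surfaces as the 404 in the browser console."""
    return ROUTE_REGEX.match(request_uri) is not None


def matches_path_only(request_uri):
    """Hypothetical fix (assumption, not the actual CTK patch): match the
    published route against the path component only, so the CSRF key can stay
    in the query string without breaking routing."""
    return ROUTE_REGEX.match(urlsplit(request_uri).path) is not None


def extract_csrf_key(request_uri):
    """Return the 'key' query parameter, or None if absent, so a handler can
    still verify the CSRF token after the route has been matched on the path."""
    params = parse_qs(urlsplit(request_uri).query)
    return params.get('key', [None])[0]


if __name__ == '__main__':
    for uri in (REQUEST_WITHOUT_KEY, REQUEST_WITH_KEY):
        print(uri)
        print('  full-URI match :', matches_full_uri(uri))
        print('  path-only match:', matches_path_only(uri))
        print('  csrf key       :', extract_csrf_key(uri))
```

Matching on the path keeps the trailing '$' anchor (so unrelated longer paths still do not match) while leaving the CSRF key intact for verification, which is preferable to the workaround of switching the protection off.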

Brian McDonnell

Workaround

The cherokee admin site is written in Python and is separate from the cherokee web server. It is possible to edit the cherokee Python implementation to disable CSRF protection as follows:

/usr/share/cherokee/admin/server.py (approx line 85).
Change:

CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=True)

to

CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=False)

Changing sec_submit to False prevents the CSRF 'key' GET parameter from being appended to form submission URLs.

After restarting cherokee-admin it is now possible to install phpmyadmin on cherokee 1.2.101.

Removing unfinished and orphaned apps.

People have reported problems with removing unfinished and orphaned apps from the market here:
http://code.google.com/p/cherokee/issues/detail?id=1296

I was also having this problem with my failed phpmyadmin installs. Once I had disabled CSRF protection using the steps above this problem was resolved.

Re-enable CSRF protection when finished installing/removing market apps.

CSRF protection is a good thing and it should be re-enabled once you have finished installing/removing apps via the market.

Daniel Lo Nigro

It might be worth raising a bug on the Cherokee bug tracker as I'm not sure how active the developers are on here.

Jędrzej Nowak
Collaborator

It's closed, since patches are in dev/master branch already.

That's what fixed it: cherokee/CTK#2

Jędrzej Nowak pigmej closed this August 11, 2012