phpmyadmin app installer broken due to CTK CSRF protection #14
The phpmyadmin app installer is broken in cherokee 1.2.101.
The installer configuration screen sequence fails after the user submits the virtual host for the install. The form attempts to submit a POST to:
This bug happens because the CSRF protection added to CTK appends the GET parameter 'key=123456abc' to the form submission URL. Note this changeset.
Meanwhile, the phpmyadmin installer app publishes the following regex to CTK/Server.py (target.py:293 in the phpmyadmin app install directory):
CTK.publish ('^%s$' % (URL_TARGET_APPLY), ...)
Note that the trailing '$' on the regex means the published URL will not match the URL submitted by the form, because of the added 'key' parameter - hence the 404.
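To show the mismatch concretely, here is an added Python model (not CTK's or the installer's own code; the target URL and key value are constructed) of how an anchored '^...$' route fails once the CSRF key is appended, and two ways to keep routing working without turning sec_submit off.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins (not the real installer's values) for the target URL
# the installer publishes and the CSRF key that CTK appends to form actions.
URL_TARGET_APPLY = "/market/install/phpmyadmin/apply"
CSRF_KEY = "123456abc"


def published_pattern(url):
    """The anchored pattern from the installer: '^%s$' % URL_TARGET_APPLY."""
    return re.compile("^%s$" % url)


def form_action(url, sec_submit, key=CSRF_KEY):
    """Model of the URL the form posts to: with sec_submit=True the CSRF
    'key' GET parameter is appended, with sec_submit=False it is not."""
    return "%s?key=%s" % (url, key) if sec_submit else url


def matches_full_uri(pattern, request_uri):
    """Matching the whole request URI (path + query): the '$' anchor sits
    right after the path, so '?key=...' makes the match fail -> 404."""
    return pattern.match(request_uri) is not None


def matches_path_only(pattern, request_uri):
    """Fix on the routing side: match the path component only. The key is
    still on the request for the CSRF check; it just no longer breaks routing."""
    return pattern.match(urlsplit(request_uri).path) is not None


def tolerant_pattern(url):
    """Fix on the installer side: publish a pattern that tolerates an optional
    query string instead of anchoring '$' directly after the path."""
    return re.compile(r"^%s(\?.*)?$" % re.escape(url))


def diagnose(url=URL_TARGET_APPLY):
    """Return the routing outcome for each combination, True meaning 'routed'."""
    pat = published_pattern(url)
    with_key = form_action(url, sec_submit=True)
    without_key = form_action(url, sec_submit=False)
    return {
        "sec_submit=True, full-URI match": matches_full_uri(pat, with_key),
        "sec_submit=False, full-URI match": matches_full_uri(pat, without_key),
        "sec_submit=True, path-only match": matches_path_only(pat, with_key),
        "sec_submit=True, tolerant pattern": tolerant_pattern(url).match(with_key) is not None,
    }


if __name__ == "__main__":
    for case, routed in diagnose().items():
        print("%-36s -> %s" % (case, "routed" if routed else "404"))
```

Only the first case reproduces the 404; the path-only and tolerant-pattern variants route the request while leaving the CSRF key in place for CTK to verify.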
The cherokee admin site is written in python and is separate from the cherokee web server. It is possible to edit the cherokee python implementation to disable CSRF protection as follows:
In /usr/share/cherokee/admin/server.py (approx line 85), change:
CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=True)
to:
CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=False)
Changing sec_submit to False prevents the CSRF 'key' GET parameter from being appended to form submission URLs.
After restarting cherokee-admin it is now possible to install phpmyadmin on cherokee 1.2.101.
Removing unfinished and orphaned apps.
People have reported problems with removing unfinished and orphaned apps from the market here:
I was also having this problem with my failed phpmyadmin installs. Once I had disabled CSRF protection using the steps above this problem was resolved.
Re-enable CSRF protection when finished installing/removing market apps.
CSRF protection is a good thing and it should be re-enabled once you have finished installing/removing apps via the market.