phpmyadmin app installer broken due to CTK CSRF protection #14

Closed
brianmcdonnell opened this Issue · 3 comments

3 participants

@brianmcdonnell

The phpmyadmin app installer is broken in cherokee 1.2.101.

The installer configuration screen sequence fails after the user submits the virtual host for the install. The form attempts to submit a POST to:

/market/install/target-selection/apply?key=123456abc

however it receives an HTTP 404 in return. The 404 can only be seen in the JavaScript console as this is an ajax call. The installation cannot proceed beyond this point.

This bug happens because the CSRF protection added to CTK appends the GET parameter 'key=123456abc' onto the form submission. Note this changeset.
cherokee/CTK@10cd5bf#CTK/Submitter.py

Meanwhile the phpmyadmin installer app publishes the following regex to CTK/Server.py

in phpmyadmin app install dir. target.py:293

CTK.publish ('^%s$' % (URL_TARGET_APPLY), ...)

where

URL_TARGET_APPLY='/market/install/target-selection/apply'

Note the trailing '$' on the regex will mean that the published url will not match the url submitted by the form due to the addition of the 'key' parameter - hence the 404.

@brianmcdonnell

Workaround

The cherokee admin site is written in python and is separate from the cherokee web server. It is possible to edit the cherokee python implementation to disable CSRF protection as follows:

/usr/share/cherokee/admin/server.py (approx line 85).
Change:

CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=True)

to

CTK.init (host="localhost", port=int(scgi_port), sec_cookie=True, sec_submit=False)

Changing sec_submit to False prevents the CSRF 'key' GET parameter from being appended to form submission URLs.

After restarting cherokee-admin it is now possible to install phpmyadmin on cherokee 1.2.101.

Removing unfinished and orphaned apps.

People have reported problems with removing unfinished and orphaned apps from the market here:
http://code.google.com/p/cherokee/issues/detail?id=1296

I was also having this problem with my failed phpmyadmin installs. Once I had disabled CSRF protection using the steps above this problem was resolved.

Re-enable CSRF protection when finished installing/removing market apps.

CSRF protection is a good thing and it should be re-enabled once you have finished installing/removing apps via the market.
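The mismatch described in the report above, and the alternative to the workaround of switching sec_submit off, as an added example that is not CTK's or cherokee's code: the route table, handler name and the per-session key check are constructed stand-ins, and this is not the fix that went into cherokee/CTK#2.

```python
import re
import secrets
from urllib.parse import urlsplit, parse_qs

URL_TARGET_APPLY = '/market/install/target-selection/apply'

# Constructed stand-in for a CTK-style publish() table: anchored regex -> handler name.
ROUTES = [
    (re.compile('^%s$' % URL_TARGET_APPLY), 'target_apply'),
]

def dispatch_naive(request_uri):
    """Match the whole request URI, query string included.

    With a '$'-anchored route this is the failing behaviour from the report:
    '/...apply?key=123456abc' matches nothing and the caller answers 404.
    """
    for pattern, handler in ROUTES:
        if pattern.search(request_uri):
            return handler
    return None  # -> HTTP 404

def dispatch_path_only(request_uri):
    """Strip the query string before matching, so '?key=...' cannot break an anchored route."""
    path = urlsplit(request_uri).path
    for pattern, handler in ROUTES:
        if pattern.search(path):
            return handler
    return None

def check_submit_key(request_uri, session_key):
    """Validate the anti-CSRF 'key' in the query string against the per-session value.

    Constant-time comparison; a missing or wrong key is rejected, so the protection
    stays on instead of being disabled with sec_submit=False.
    """
    params = parse_qs(urlsplit(request_uri).query)
    submitted = params.get('key', [''])[0]
    return secrets.compare_digest(submitted, session_key)

if __name__ == '__main__':
    uri = URL_TARGET_APPLY + '?key=123456abc'   # constructed request, key as in the report
    print(dispatch_naive(uri))                  # None -> the 404 from the report
    print(dispatch_path_only(uri))              # target_apply
    print(check_submit_key(uri, '123456abc'))   # True
    print(check_submit_key(uri, 'otherkey'))    # False
```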

@Daniel15

It might be worth raising a bug on the Cherokee bug tracker as I'm not sure how active the developers are on here.

@pigmej
Collaborator

It's closed, since patches are in the dev/master branch already.

That's what fixed it: cherokee/CTK#2

@pigmej pigmej closed this