

Re: Serious braindamage in the send-pr web interface



On Tue, Jun 21, 2005 at 03:52:02PM -0400, Martin Cracauer wrote:
> The security code of the web interface seems to really screw people
> over (the image displaying a text that you have to enter).
> 
> It goes like this:
> - open web page
> - enter PR
> - enter security code but get anything wrong (case is sufficient)
> 
> You get an error complaining about the security code.
> 
> Press back.  Your carefully edited PR is still there.  Good.
> 
> However, it displays the same image and the same security code as
> before, although send-pr seems to have generated a new one internally.
> The new code is not displayed, however, since there is no expire
> header on the old one and you just hit the "back" button.
> 
> So it displays the old code to the user while it already expects a new
> one.
> 
> So it rejects everything that comes out of the sequence "back button"
> and resubmitting, no matter how often you do it.  It never displays
> its currently expected code in an image in the user's browser, it
> reuses the first image every time.
> 
> If you figure that this is the problem you press reload - and your PR
> is gone :-/
> 
> I think this might be fixable as easy as setting an expire header on
> the image.

It has Pragma: no-cache and a dummy '?' in the URL.  What does an
"expire header" that expires immediately look like?

> Also, it shouldn't be all-uppercase and case sensitive, that is
> pointless. 

Point taken; I actually remember committing lowercase letters.
Interesting that it never really happened...

Ceri

PS  www issues go to www@, not hackers@.
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
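One way to keep the displayed and the expected code in step, as an added example written for this page (Python, not the send-pr code): the form carries the id of the challenge it was rendered with, a wrong answer does not discard that challenge, and the image is served with headers that forbid caching. The alphabet, lifetime and attempt limit are assumptions.

```python
"""Challenge bookkeeping for a web form, modelled on the send-pr report above.
Constructed example; the alphabet, TTL and attempt limit are assumptions."""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_lowercase + string.digits  # case-folded, so case cannot trip the user
TTL = 600          # seconds a challenge stays valid (assumption)
MAX_ATTEMPTS = 3   # wrong answers allowed per challenge before it is discarded (assumption)


class ChallengeStore:
    """Server side: challenge id -> [expected text, expiry, attempts so far]."""

    def __init__(self, now=time.time, max_attempts=MAX_ATTEMPTS):
        self._now = now
        self._max_attempts = max_attempts
        self._store = {}

    def new_challenge(self, length=6):
        """Issue a fresh challenge plus the id the form carries in a hidden field.
        Because the id travels with the form, a stale form resubmitted via the back
        button is checked against the text its image actually showed, not the newest one."""
        cid = secrets.token_urlsafe(16)
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._store[cid] = [text, self._now() + TTL, 0]
        return cid, text

    def verify(self, cid, answer):
        """Case-insensitive, constant-time check; a wrong answer keeps the challenge
        alive (bounded by max_attempts), a right one consumes it."""
        entry = self._store.get(cid)
        if entry is None:
            return False
        text, expires, attempts = entry
        if self._now() > expires or attempts >= self._max_attempts:
            del self._store[cid]
            return False
        entry[2] += 1
        ok = hmac.compare_digest(text.encode(), answer.strip().lower().encode())
        if ok:
            del self._store[cid]  # single use once solved
        return ok


def image_headers():
    """Headers for the challenge image so the browser refetches it rather than
    showing a stale copy; the 'expires immediately' set is a date in the past."""
    return {
        "Content-Type": "image/png",
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    }
```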
