savannah-hackers

[sr #111059] stop discarding information in "Duplicate posts"


From: Ineiev
Subject: [sr #111059] stop discarding information in "Duplicate posts"
Date: Mon, 6 May 2024 07:47:14 -0400 (EDT)

Update of sr #111059 (group administration):

                  Status:                    None => In Progress            
             Assigned to:                    None => ineiev                 

    _______________________________________________________

Follow-up Comment #2:

[reordered]

[comment #0 original submission:]
... 
> what I want to see is a dump of the field changes that were submitted, and
above all the text of the comment that couldn't be posted, because that often
takes a lot of time and thought to compose.

Thank you, done.

...
> I believe I understand the necessity of not performing a ticket update
against stale data.

This feature isn't really intended for dealing with 'stale' data, it's about
posting the same message multiple times, and more important, it is used to
block cross-site scripting.

> ...So possibly "Duplicate post" is being thrown for spurious or excessively
aggressive reasons, like the age of some cookie, or because some server got
rebooted.

It may, but at this point I have insufficient data to tell.  The feature
doesn't depend on cookies in the strict sense or on rebooting the server.
This is how it works.

When a user visits a page containing a form, a form_id token is saved in
Savane database and inserted on the page; when the form is submitted, the
request is only honored when the token is present both in the request and in
the database (e.g. a malicious page from a third party website can't embed
it), and at the same time the token is removed from the database.  Then, a
cron job removes the tokens more than a day old; that period could be
increased, but we should clear them at some point.

I'm not sure how this mechanism can be improved or replaced.

[comment #1 comment #1:]
> ...it does nothing to prevent collisions...

No, it doesn't.  The server could add the previous state to the form and then
check against it, but that would be more than a dozen or two lines of Savane
code.


    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?111059>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
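The single-use form_id mechanism described in the message above, as an added illustration that is not Savane's own code (Savane is written in PHP; this is a Python stand-in, and the class and function names, the in-memory store that replaces the database table, and the timestamps are assumptions). It walks through the four cases the thread touches: a normal post, the same form submitted twice, a request forged by a third-party page, and a form left open until the daily sweep has removed its token. A rejected submission hands back the submitted fields instead of discarding them, which is the change the submitter asked for.

```python
import secrets

TOKEN_LIFETIME = 24 * 60 * 60  # the sweep removes tokens more than a day old


class TokenStore:
    """Stands in for the Savane database table holding form_id tokens (assumption)."""

    def __init__(self):
        self._created = {}  # form_id -> creation time in seconds

    def mint(self, now):
        # Unguessable, so a malicious page on another site cannot embed a valid one.
        form_id = secrets.token_hex(16)
        self._created[form_id] = now
        return form_id

    def consume(self, form_id):
        """True if the token was present; it is removed at the same time (single use)."""
        return self._created.pop(form_id, None) is not None

    def sweep(self, now):
        """Cron-job equivalent: drop tokens older than TOKEN_LIFETIME; returns how many."""
        stale = [t for t, created in self._created.items() if now - created > TOKEN_LIFETIME]
        for t in stale:
            del self._created[t]
        return len(stale)


def render_form(store, now):
    """Visiting the page: mint a token, save it server-side, embed it as a hidden field."""
    form_id = store.mint(now)
    hidden = f'<input type="hidden" name="form_id" value="{form_id}">'
    return form_id, hidden


def handle_submission(store, request):
    """Honor the update only when the token is in the request AND in the store.
    On rejection, hand back every submitted field so the comment text is not lost."""
    fields = {k: v for k, v in request.items() if k != "form_id"}
    form_id = request.get("form_id")
    if form_id is None or not store.consume(form_id):
        return {"status": "duplicate_post", "preserved": fields}
    return {"status": "accepted", "applied": fields}


def scenario():
    """Constructed walk-through; the timestamp and field values are made up."""
    store = TokenStore()
    t0 = 1_700_000_000
    results = {}

    # 1. Normal post: token present both in the request and in the store.
    form_id, _ = render_form(store, t0)
    req = {"form_id": form_id, "status": "In Progress", "comment": "long thought-out text"}
    results["first"] = handle_submission(store, req)["status"]

    # 2. Same form submitted again: the token was consumed, so it is a duplicate post.
    second = handle_submission(store, req)
    results["second"] = second["status"]
    results["second_preserved"] = second["preserved"]["comment"]

    # 3. Cross-site request: a third-party page cannot know a token issued to the user.
    forged = {"form_id": secrets.token_hex(16), "comment": "injected"}
    results["forged"] = handle_submission(store, forged)["status"]

    # 4. Form left open for two days: the sweep removed the token before submission.
    old_id, _ = render_form(store, t0)
    results["swept"] = store.sweep(t0 + 2 * TOKEN_LIFETIME)
    late = handle_submission(store, {"form_id": old_id, "comment": "written over two days"})
    results["late"] = late["status"]
    results["late_preserved"] = late["preserved"]["comment"]
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Case 4 is the one the submitter most likely hit: nothing about cookies or a reboot is involved, only a token that outlived the daily sweep, and without the "preserved" field the composed text would be gone.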



