[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[EP-tech] Ask about CSRF. Always get error when edit phrases Editor
- Subject: [EP-tech] Ask about CSRF. Always get error when edit phrases Editor
- From: drn at ecs.soton.ac.uk (David R Newman)
- Date: Sat, 25 Jul 2020 14:34:14 +0100
- In-reply-to: <CACOEPmPqvFWOhUipnUFjRbHjN=BUb9FjSgy6mRObqop4A=PPfA@mail.gmail.com>
- References: <CACOEPmOmOMHem7cvPiwNse-LjsWwo5fCXYktNkteqKRFMjw_hw@mail.gmail.com> <41a6f184-cbe3-0958-54d0-4749658c3afb@ecs.soton.ac.uk> <EMEW3|31abb7849faae3b48864cf64ebdbb07cw6M9Gw14eprints-tech-bounces|ecs.soton.ac.uk|CACOEPmOmOMHem7cvPiwNse-LjsWwo5fCXYktNkteqKRFMjw_hw@mail.gmail.com> <EMEW3|dd50bca1f74f4d09d6881712f350e5fbw6MDv803drn|ecs.soton.ac.uk|41a6f184-cbe3-0958-54d0-4749658c3afb@ecs.soton.ac.uk> <CACOEPmPqvFWOhUipnUFjRbHjN=BUb9FjSgy6mRObqop4A=PPfA@mail.gmail.com> <2ad2b497-8a8f-0730-eff0-ab7884fa7143@ecs.soton.ac.uk>
Hi Agung PW,
Although the filename as it appears in the HTML source is auto-3.4.0.js,
the actual file that is loaded is
EPRINTS_PATH/archives/ARCHIVE_NAME/html/en/javascript/auto.js and this
is the file you need to delete.? EPrints does some clever URL rewriting
to load auto.js rather than trying to load auto-3.4.0.js that won't
exist.? The reason for this is so that if you upgrade EPrints the
filename in the HTML source will change one with the new version number
and ensure you do no use the cached JavaScript from the old version.?
auto.js is generated by concatenating all the files in
lib/static/javascript/auto/ flavours/pub_lib/static/javascript/auto/ and
archives/ARCHIVE_NAME/cfg/static/javascript/.? If any file appears in
more the one directory the one included in auto.js comes from the later
directory.? This is why I said that one issue might be that you updated
the files in lib/static/javascript/auto/ but you might have versions of
these files in archives/ARCHIVE_NAME/cfg/static/javascript/ and these
would be used in the concatenated auto.js, so would still not fix your
missing CSRF protection code issue.
Regards
David Newman
On 25/07/2020 13:36, Ajunk Pracetio wrote:
> Hi David,
> You said I can delete auto.js file and will get new version of
> auto-3.4.0.js that has the CSRF protection code. If I delete the file,
> how exactly I can get new auto-3.4.0.js that has the CSRF protection
> code?
>
> Thank you
>
> Regards,
> Agung PW
>
> On Thu, Jul 23, 2020 at 7:59 PM David R Newman via Eprints-tech
> <eprints-tech at ecs.soton.ac.uk <mailto:eprints-tech at ecs.soton.ac.uk>>
> wrote:
>
> Hi Agung Prasetyo Wibowo,
>
> This could be one of two issues:
>
> 1. You have updated lib directory versions of the various
> JavaScript files that are patched in the two GitHub links you
> included but there are other versions that take precedence so
> these changes will not propagate through to the version at
> *MailScanner has detected a possible fraud attempt from "hostname"
> claiming to be* http://HOSTNAME/javascript/auto-3.4.0.js
> <http://HOSTNAME/javascript/auto-3.4.0.js>.? Look for files with
> the same name in the equivalent pub_lib, site_lib or
> archives/ARCHIVE_NAME directories.
>
> 2. auto-3.4.0.js is still cached and you need to hard refresh the
> page to get these changes to come.? I have tried doing this as I
> know your repository hostname (i.e. Ctrl+Shift+R for a hard
> refresh) and this seems to make no difference and I cannot find
> the string 'csrf' anywhere in auto-3.4.0.js.? One other issue with
> caching might be that
> archives/ARCHIVE_NAME/html/en/javascript/auto.js and the files in
> archives/ARCHIVE_NAME/html/en/javascript/auto/ cannot be
> overwritten due to a file permission issues.? If you delete all
> these files, this may resolve the issue and give you the new
> version of auto-3.4.0.js that has the CSRF protection code.
>
> Regards
>
> David Newman
>
> On 23/07/2020 09:13, Ajunk Pracetio via Eprints-tech wrote:
>> Hi,
>> I'd like to ask. My EPrints version is 3.4. I want to edit one of
>> the field on phrases editor, but always get error
>>
>> *Cross-Site Request Forgery (CSRF) was detected whilst processing
>> your last request and therefore its action was not authorised. *
>>
>> The screenshot like this :
>> image.png
>> I already try
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feprints%2Feprints3.4%2Fcommit%2F95ed6bee24fb3c138ada80684f0503e54f739c41&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=DbGBxRGO%2F4pP7hWTQxIKGXUe9rfaZSCDCtk%2BaCepdP4%3D&reserved=0
>> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feprints%2Feprints3.4%2Fcommit%2F95ed6bee24fb3c138ada80684f0503e54f739c41&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=DbGBxRGO%2F4pP7hWTQxIKGXUe9rfaZSCDCtk%2BaCepdP4%3D&reserved=0>
>> and
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feprints%2Feprints3.4%2Fcommit%2F6968a5690ccd01f6ffe819a5a626ebe3b04c9ed1&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=mia4u07bheCl8J26%2BRtRmgD1%2FA1dsVtamZPGceQn42c%3D&reserved=0
>> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feprints%2Feprints3.4%2Fcommit%2F6968a5690ccd01f6ffe819a5a626ebe3b04c9ed1&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=mia4u07bheCl8J26%2BRtRmgD1%2FA1dsVtamZPGceQn42c%3D&reserved=0>,
>> but error still persists.
>>
>> Please help about this issue.
>>
>> Thank you.
>>
>> Best regards,
>> Agung Prasetyo Wibowo.
>>
>> *** Options:http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>> *** Archive:https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=b7w1Ze3CoiZ4W8RtenF%2FfeMu9gu%2BX2XrDwCXci5rO38%3D&reserved=0 <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=b7w1Ze3CoiZ4W8RtenF%2FfeMu9gu%2BX2XrDwCXci5rO38%3D&reserved=0>
>> *** EPrints community wiki:https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=Ymw5kdm19tzzVLdlhxYNg914E%2BZ2l6mjzW2de3rr9zQ%3D&reserved=0 <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=Ymw5kdm19tzzVLdlhxYNg914E%2BZ2l6mjzW2de3rr9zQ%3D&reserved=0>
>
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.avg.com%2Femail-signature%3Futm_medium%3Demail%26utm_source%3Dlink%26utm_campaign%3Dsig-email%26utm_content%3Demailclient&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=dFmXz7cyXuBNrIHfAk0sJZztXtaEQ0KLc1aCDlNlJ5w%3D&reserved=0>
> Virus-free. https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.avg.com%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=Bf607gVV4Gx%2FDw10XFn6mpDodcmfZPPpaaxnnuLdEZ4%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.avg.com%2Femail-signature%3Futm_medium%3Demail%26utm_source%3Dlink%26utm_campaign%3Dsig-email%26utm_content%3Demailclient&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=dFmXz7cyXuBNrIHfAk0sJZztXtaEQ0KLc1aCDlNlJ5w%3D&reserved=0>
>
>
> <#m_3887228293821871781_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
> *** Options:
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=b7w1Ze3CoiZ4W8RtenF%2FfeMu9gu%2BX2XrDwCXci5rO38%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=b7w1Ze3CoiZ4W8RtenF%2FfeMu9gu%2BX2XrDwCXci5rO38%3D&reserved=0>
> *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=Ymw5kdm19tzzVLdlhxYNg914E%2BZ2l6mjzW2de3rr9zQ%3D&reserved=0
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=Ymw5kdm19tzzVLdlhxYNg914E%2BZ2l6mjzW2de3rr9zQ%3D&reserved=0>
>
--
This email has been checked for viruses by AVG.
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.avg.com%2F&data=01%7C01%7C%7C1b9e510c52b8459e58f008d8309f6ce1%7C4a5378f929f44d3ebe89669d03ada9d8%7C0&sdata=N0vLBUqvpaBhaSFXPRKORFp7bzDrqp7G4ijATLKmyVE%3D&reserved=0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20200725/51b93691/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 23116 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20200725/51b93691/attachment-0001.png