A CSRF never ending loop happened to me earlier today, on dev.t.o.
I had logged in chromium-browser to dev.t.o as user "xavi" (no admin perms).
I needed to log in with my other user "xavidp" (the one with admin perms), so that I opened a private browsing window of chromium-browser. I went to visit the same page I had visited with the standard user where I had to fix some perms of that wiki page ( https://dev.tiki.org/Wish%20Report%20Tpl ). Clicked at "login" link at the top bar, which sent me to https://dev.tiki.org/login , provided the credentials, and then I got the message about CSRF at the url https://dev.tiki.org/tiki-login.php :
Potential cross-site request forgery (CSRF) detected. Operation blocked. Reloading the page may help.
Every time I tried (F5, visiting somewhere else within dev.t.o) and attempting to log in, I got the same CSRF error message reproduced, and I couldn't log in as user "xavidp".
I had to open a new browser (Firefox, in this case), and login as "xavidp" was successful.
I wonder what was happening.
I tried again, at the time of reporting this issue, and I got the issue reproduced again.
FYI: I had seen other weird CSRF false positives in other contexts in a 20.x tiki I use at work (behind a firewall). I 'll keep an eye open to add more details when I hit this bug again in other use cases. But there is something wrong still in the code in 20.x.
Show.tiki.org snapshot creation is in progress... Please monitor http://xavi-9794-7133.show2.tiki.org/snapshots/ for progress. Note that if you get a popup asking for a username/password, please just enter "show" and "show".
Password reset was successful
Password reset failed
Show.tiki.org instance destruction is in progress... Please wait...
The public/private keys configured to connect to show2.tikiwiki.org were not accepted. Please make sure you are using RSA keys. Thanks.
Unable to connect to show2.tikiwiki.org. Please let us know of the problem so that we can do something about it. Thanks.
Show.tiki.org is currently under maintenance. Sorry for the inconvenience.
Unable to get information from show2.tikiwiki.org. Please let us know of the problem so that we can do something about it. Thanks.
Show.tiki.org is in the progress of creating the new instance. Please continue waiting for a minute or two. If this continues on for more than 10 minutes, please let us know of the problem so that we can do something about it. Thanks.
To help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tikiwiki.org instance. To start, simply select a version and click on "Create show2.tikiwiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tikiwiki.org.
The URL for the show2.tikiwiki.org instance that demonstrates this bug is at: http://xavi-9794-7133.show2.tiki.org. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http://xavi-9794-7133.show2.tiki.org/info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third party software, the instance creation is probably not finished. Please wait a couple minutes and reload.
Snapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show2.tikiwiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http://xavi-9794-7133.show2.tiki.org/snapshots/. Note that if you get a popup asking for a username/password, please just enter "show" and "show".Create new snapshot
|No attachments for this item|