Serious braindamage in the send-pr web interface

Ceri Davies ceri at submonkey.net
Tue Jun 21 22:13:54 GMT 2005


On Tue, Jun 21, 2005 at 03:52:02PM -0400, Martin Cracauer wrote:
> The security code of the web interface seems to really screw people
> over (the image displaying a text that you have to enter).
> 
> It goes like this:
> - open web page
> - enter PR
> - enter security code but get anything wrong (case is sufficient)
> 
> You get an error complaining about the security code.
> 
> Press back.  Your carefully edited PR is still there.  Good.
> 
> However, it displays the same image and the same security code as
> before, although send-pr seems to have generated a new one internally.
> The new code is not displayed, however, since there is no expire
> header on the old one and you just hit the "back" button.
> 
> So it displays the old code to the user while it already expects a new
> one.
> 
> So it rejects everything that comes out of the sequence "back button"
> and resubmitting, no matter how often you do it.  It never displays
> its currently expected code in an image in the user's browser, it
> reuses the first image every time.
> 
> If you figure that this is the problem you press reload - and your PR
> is gone :-/
> 
> I think this might be fixable as easily as setting an expire header on
> the image.

It has Pragma: no-cache and a dummy '?' in the URL.  What does an
"expire header" that expires immediately look like?

> Also, it shouldn't be all-uppercase and case sensitive, that is
> pointless. 

Point taken; I actually remember committing lowercase letters.
Interesting that it never really happened...

Ceri

PS  www issues go to www@, not hackers at .
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
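Martin's sequence above describes a mismatch rather than a caching bug alone: the code the server expects is not tied to the image the browser is showing, so no amount of Back-and-resubmit can succeed, and a reload that would fetch a fresh image also discards the form. The following Python sketch is an added example for readers of this thread, not code from the send-pr web interface or from FreeBSD. It models the broken sequence, then shows a challenge store keyed by an opaque id carried in the form (the hidden field name `challenge_id` is assumed), case-insensitive checking as Martin suggests, and the response headers that answer Ceri's question about an image that "expires immediately".

```python
"""Added example (not send-pr's own code): bind the CAPTCHA the user sees to the
answer the server checks, and serve the image so the browser will not reuse it."""
import secrets
import string
import time
from email.utils import formatdate

ALPHABET = string.ascii_uppercase + string.digits


def random_code(length=6):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def broken_flow(resubmits=3):
    """The sequence from the thread, modelled directly.  The server keeps one
    'current' code per visitor and mints a fresh one after each failure; the
    browser, after Back, keeps showing the cached image of the first code."""
    current = random_code()
    displayed = current                 # image the browser cached
    current = random_code()             # first try failed (wrong case); server moved on
    successes = 0
    for _ in range(resubmits):          # Back, retype what the image shows, submit
        if displayed == current:
            successes += 1
        else:
            current = random_code()     # rejected again, yet another unseen code
    return successes                    # stays 0: the user can never get it right


class ChallengeStore:
    """Codes keyed by an opaque challenge id.  The id goes into the form as a
    hidden field (assumed name: challenge_id) next to the image, so whatever
    page the browser shows after Back, image and id still belong together."""

    def __init__(self, ttl_seconds=600, max_attempts=5, now=time.time):
        self._now = now
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._challenges = {}           # id -> [code, created_at, attempts]

    def new_challenge(self):
        challenge_id = secrets.token_urlsafe(16)
        code = random_code()
        self._challenges[challenge_id] = [code, self._now(), 0]
        return challenge_id, code       # the code is rendered into the image only

    def verify(self, challenge_id, answer):
        entry = self._challenges.get(challenge_id)
        if entry is None:
            return False
        code, created, attempts = entry
        # A bounded number of tries keeps "same challenge after Back" from
        # turning into unlimited guessing at one code.
        if self._now() - created > self._ttl or attempts >= self._max_attempts:
            del self._challenges[challenge_id]
            return False
        entry[2] += 1
        # Case-insensitive, as the thread asks; constant-time compare on bytes.
        guess = answer.strip().upper().encode("utf-8")
        if secrets.compare_digest(guess, code.encode("ascii")):
            del self._challenges[challenge_id]   # single use
            return True
        return False


def no_cache_headers():
    """Response headers for the image: no-store forbids caching outright, and an
    Expires date in the past is the 'expires immediately' form asked about."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": formatdate(0, usegmt=True),   # Thu, 01 Jan 1970 00:00:00 GMT
    }


def bound_flow():
    """Same user behaviour as broken_flow, with the challenge id in the form."""
    store = ChallengeStore(max_attempts=3)
    cid, code = store.new_challenge()
    typo = ("0" if code[0] != "0" else "1") + code[1:]
    rejected = store.verify(cid, typo)              # genuine typo: rejected
    accepted = store.verify(cid, code.lower())      # Back, retype, case ignored
    replayed = store.verify(cid, code)              # consumed: cannot be reused
    return rejected, accepted, replayed             # (False, True, False)


if __name__ == "__main__":
    print("broken flow successes:", broken_flow())
    print("bound flow:", bound_flow())
    print(no_cache_headers())
```

The headers alone would only make a reload fetch a fresh image; they do nothing for the Back button, which redisplays the cached page without contacting the server. Keying the check on an id that travels with the form is what lets the page the user actually sees stay valid, and the attempt and time limits keep that from becoming an open-ended guessing loop on one code.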