[Bug 1160647] Re: request forgery check displayed when only viewing admin pages
Mark Sapiro
mark at msapiro.net
Sun Apr 7 07:19:32 CEST 2013
OK. I finally looked at the code in Python's cgi module. It adds
sys.argv[1:] to the list of query parameters for a GET if and only if
there is no QUERY_STRING in the environment. Apache provides an empty
QUERY_STRING when the URL doesn't have one and lighttpd does not.
This is a bug in lighttpd. RFC 3875 says:
The server MUST set this variable; if the Script-URI does not include
a query component, the QUERY_STRING MUST be defined as an empty
string ("").
I will consider defending against this bug by making scripts/driver drop
all but the first item in sys.argv, but it is really a lighttpd bug, not
a Mailman bug.
Thanks for your help in identifying the underlying issue.
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1160647
Title:
request forgery check displayed when only viewing admin pages
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1160647/+subscriptions
More information about the Mailman-coders
mailing list