claas
(Claas Aug.)
December 22, 2024, 9:07pm
1
We’re using Discourse Docker and getting HTTP 403 since yesterday (2024-12-21) when trying to log in or (for those already logged in) to post a message. The error response is ["BAD CSRF"], which makes me think this security fix may have caused this regression:
committed 04:14PM - 19 Dec 24 UTC
Is anybody else experiencing these?
PS: The Discourse instance has existed since 2020, and is updated automatically every night.
1 Like
claas
(Claas Aug.)
December 22, 2024, 9:08pm
2
Maybe this will fix it in 3.3.4?
stable ← backport-nginx-fix
merged 09:12PM - 22 Dec 24 UTC
The security fix in 15b43a2 also introduced some unrelated refactoring to the file, which seems to be causing issues in some environments. This commit reverts the refactoring, and applies the security fix to each block individually.
See also:
I suspect the issue here is not the DiscourseConnect security fix but rather the nginx change. On tests-passed we had to make a followup on Thursday because it was causing problems on some environments and another user on GitHub noted CSRF issues.
I have a backport ready for that: https://github.com/discourse/discourse/pull/30410 , it should be merged shortly (once someone in the team approves it, though it’s Sunday for most people). You’re welcome to give that branch a try with your SSO set up @…
2 Likes
claas
(Claas Aug.)
December 24, 2024, 9:54am
4
@sam Thank you, I just verified and I can log in again in 3.3.3 + 1, so the PR mentioned above resolved the issue.
4 Likes