| Summary | Cannot save preferences after upgrade to 1.2.7. We cannot verify that this request was really sent by you. It could be a malicious request. |
| Queue | Horde Groupware Webmail Edition |
| Queue Version | 1.2.7 |
| Type | Bug |
| State | Resolved |
| Priority | 3. High |
| Owners | Horde Developers (at) , jan (at) horde (dot) org, slusarz (at) horde (dot) org |
| Requester | software-horde (at) interfasys (dot) ch |
| Created | 10/6/10 (5744 days ago) |
| Due | |
| Updated | 3/7/11 (5592 days ago) |
| Assigned | 10/20/10 (5730 days ago) |
| Resolved | 10/21/10 (5729 days ago) |
| Github Issue Link | |
| Github Pull Request | |
| Milestone | 1.2.8 |
| Patch | No |
I just had a new client call me about this issue when she logged into
her webmail. I just wanted to attach my findings. In her case, when i
had Virus Scan turned on to verify and check webpages, this error
appeared, but when i turn it off the problem went away. So it looks
like my issue is when a virus scan program is being utilized to verify
webpages the error occurs. Basically you are creating your own
personal proxy scanner, so this could be why it doesn't think it is
coming from the same source.
Don't know if this helps you at all, just wanted to share my findings.
request..." when trying to delete sync sessions from
Horde/Options/SyncML.
Ticket #9349with regression fixes.
the patches for v1.2.7. Upgraded to v1.2.8 Solve the issues mention
for us. Beter still it solve the Horde installation path issue when
upgrading! :)) WELL done Horde team, THX!
request..." when trying to delete sync sessions from
Horde/Options/SyncML.
Oct 27 22:23:28 direwolf horde[8584]: [horde] Backend of class
SyncML_Backend_Horde created [pid 8584 on line 287 of
"/usr/local/www/horde/lib/SyncML/Backend.php"]
Oct 27 22:23:28 direwolf horde[8584]: [horde] We cannot verify that
this request was really sent by you. It could be a malicious request.
If you intended to perform this action, you can retry it now. [pid
8584 on line 176 of "/usr/local/www/horde/lib/Horde/Notification.php"]
Oct 27 22:23:28 direwolf horde[8584]: [horde] SQL Query by
SyncML_Backend_Horde::getUserAnchors(): SELECT syncml_syncpartner,
syncml_db, syncml_clientanchor, syncml_serveranchor FROM
horde_syncml_anchors WHERE syncml_uid = ?, values: peo [pid 8584 on
line 650 of "/usr/local/www/horde/lib/SyncML/Backend/Horde.php"]
with regression fixes.
patches for v1.2.7. Upgraded to v1.2.8 Solve the issues mention for
us. Beter still it solve the Horde installation path issue when
upgrading! :)) WELL done Horde team, THX!
New Attachment: megapatch.diff
creating a new one
mean. And did you apply all patches?
Applied megapatch.diff from the horde folder
# patch -p0 < megapatch.diff
Tested by creating and deleting an identity and it worked fine
creating a new one
mean. And did you apply all patches?
creating a new one
And did you apply all patches?
creating a new one
with regression fixes.
issues for my installations.
Assigned to Jan Schneider
State ⇒ Feedback
with regression fixes.
http://cvs.horde.org/diff.php/horde/templates/prefs/deleteidentity.inc?rt=horde&r1=1.2.10.1&r2=1.2.10.2&ty=u
http://cvs.horde.org/diff.php/horde/services/prefs.php?rt=horde&r1=1.19.2.19&r2=1.19.2.20&ty=u
Sign link to delete identity with token (
Bug #9289).http://cvs.horde.org/diff.php/horde/templates/prefs/deleteidentity.inc?rt=horder1=1.2.10.1r2=1.2.10.2ty=u
Be more strict when to check for token (
Bug #9289).http://cvs.horde.org/diff.php/horde/services/prefs.php?rt=horder1=1.19.2.19r2=1.19.2.20ty=u
Only displaying personal info was fixed
or the same?
I have the doubt because this seems to be "resolved".
Thanks!
Proper URLs:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.625&r2=1.515.2.626&ty=u
http://cvs.horde.org/diff.php/horde/services/prefs.php?rt=horde&r1=1.19.2.18&r2=1.19.2.19&ty=u
Proper URLs:
So I checked out the file 1.19.2.19 directly from CVS.
The change fixes the malicious request error message when entering the
preferences->personal information screens.
However it doesn't allow an identity to be deleted. Users still get
the malicious request error message when they try and delete an
identity.
State ⇒ Resolved
Assigned to Michael Slusarz
Proper URLs:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.625&r2=1.515.2.626&ty=u
http://cvs.horde.org/diff.php/horde/services/prefs.php?rt=horde&r1=1.19.2.18&r2=1.19.2.19&ty=u
Bug: 9289Fix errors introduced with the v3.3.9 prefs form token changes.
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horder1=1.515.2.625r2=1.515.2.626ty=u
http://cvs.horde.org/diff.php/horde/services/prefs.php?rt=horder1=1.19.2.18r2=1.19.2.19ty=u
Unfortunately the diff link to the commit message below is broken
and the CVS web browse also doesn't seem to work.
http://cvs.horde.org/diff.php/horde/templates/prefs/begin.inc?rt=horde&r1=1.13.2.7&r2=1.13.2.8&ty=u
This started happening the beginning of September this year.
servers, it doesn't appear to be the cause as adding the full tag
does not change the symptoms for those who processed the short tag
and it doesn't stop the error message from being displayed.
I added the supposed fix (long tags) and it didn't help. Unfortunately
the diff link to the commit message below is broken and the CVS web
browse also doesn't seem to work.
; NOTE: Using short tags should be avoided
Clear
servers, it doesn't appear to be the cause as adding the full tag does
not change the symptoms for those who processed the short tag and it
doesn't stop the error message from being displayed.
; NOTE: Using short tags should be avoided
Clear
; For deployment on PHP servers which are not under your control,
because short tags may not
; be supported on the target server.
So true for Horde users on a normal webhoster plan
; For portable, redistributable code, be sure not to use short tags.
PLZ
not disappear..
was seeing the preferences save successfully. I added the full form
and the symptoms didn't change. It still displays the warning in the
personal information preferences screen.
Under Options/SyncML
When trying to delete sync session data, I get the following response:
"We cannot verify that...."
State ⇒ Assigned
Assigned to
Milestone ⇒ 1.2.8
Bug: 9289Don't use short tag.
http://cvs.horde.org/diff.php/horde/templates/prefs/begin.inc?rt=horder1=1.13.2.7r2=1.13.2.8ty=u
Our server doesn't support the php short tag :)
I can confirm that the error message doesn't go away.
Also, I didn't find any other short tags in the code.
In the templates/prefs/begin.inc file, I have change this line :
<input type="hidden" name="horde_prefs_token" value="<? echo
Horde::getRequestToken('horde_prefs') ?>" />
by :
<input type="hidden" name="horde_prefs_token" value="<?php echo
Horde::getRequestToken('horde_prefs') ?>" />
Now, users can change their preferences, but the error message does
not disappear..
Best regards.
They get the dreaded "We cannot verify that this request was really
sent by you. It could be a malicious request. If you intended to
perform this action, you can retry it now"
pages of both Global and Mail options.
The user can save changes to their preferences though. The warning
shows on each redisplay of the page from first entering it to saving
changes.
Deleting an identity doesn't appear to work.
Priority ⇒ 3. High
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Summary ⇒ Cannot save preferences after upgrade to 1.2.7. We cannot verify that this request was really sent by you. It could be a malicious request.
Type ⇒ Bug
Queue ⇒ Horde Groupware Webmail Edition
They get the dreaded "We cannot verify that this request was really
sent by you. It could be a malicious request. If you intended to
perform this action, you can retry it now"
It also happens without having to save anything, by just going to the page:
services/prefs.php?app=imp&group=identities
There is nothing in the Horde log, appart from
IMAP errors: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
I've tried disabling tokens, cookies, nothing helped.
The server is running a dual IP stack (v4 and v6). Net_DNS has been
removed because it doesn't work with IPv6.
We're using PHP sessions.