The following comments from the translate-pootle mailing list address the issue of 1.2 vs 1.1 version of Django and the required fixes:

http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Since I couldn't find any appropriate rpm packages for Django 1.2, I am unable at this point to update Django, and therefore applied the following (ugly) fix, and now I can review suggestions again.

In pootle/html/js/translatepage.js:

    /* Uncomment when using Django 1.2 or later */
    // if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
    //     // Only send the token to relative URLs i.e. locally.
    //     xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
    // }

    /* Uncomment when using Django 1.1 or earlier */
    if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
        // Only send the token to relative URLs i.e. locally.
        xhr.setRequestHeader("X-CSRFToken", $("#csrfmiddlewaretoken").val());
    }

Now I have to remember to change it back when I finally do upgrade Django... (>_<)

So if you can incorporate a more beautiful fix in the next Pootle release, that would be tremendously helpful.

Maybe the following information can help you. With your CSRF fix in translatepage.js unchanged, the X-CSRFToken in the request header is null:

    X-CSRFToken:null
    X-Requested-With:XMLHttpRequest

The relevant code in Django corresponding to the script csrf.py mentioned in the other thread, seems for Django 1.1.4 to be django/contrib/csrf/middleware.py:

    csrf_token = _make_token(session_id)
    # check incoming token
    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
    if request_csrf_token == "":
        # Fall back to X-CSRFToken, to make things easier for AJAX
        request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
    if request_csrf_token == "":
        return HttpResponseForbidden(_ERROR_MSG)
    if request_csrf_token != csrf_token:
        return HttpResponseForbidden(_ERROR_MSG)

Cecilia
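An added example (not from the report above and not Pootle's code) of a version-independent form of the workaround: take the token from the `csrftoken` cookie when one exists, fall back to the hidden form field used under Django 1.1, and never send the literal string "null". The function names are hypothetical, and the URL check is deliberately stricter than the `/^http:/` test quoted above, because a protocol-relative URL such as `//host/path` passes that test yet leaves the site.

```javascript
// Added example; every function name here is hypothetical.

// Extract one cookie value from a document.cookie-style string.
function getCookieValue(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + "=")) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// True only for URLs that resolve against the current origin.
function isLocalUrl(url) {
  const u = String(url).trim();
  // "//host/x" is protocol-relative; browsers also treat "\" like "/".
  if (/^[\/\\]{2}/.test(u)) return false;
  // Anything with a scheme (http:, https:, ...) is absolute.
  if (/^[a-z][a-z0-9+.-]*:/i.test(u)) return false;
  return true;
}

// Django 1.2+ exposes the token in a cookie; Django 1.1 only renders it
// into the hidden csrfmiddlewaretoken field, so fall back to that value.
function pickCsrfToken(cookieString, hiddenFieldValue) {
  return getCookieValue(cookieString, "csrftoken") || hiddenFieldValue || null;
}

// Returns the header to set, or null when no header should be sent.
function csrfHeaderFor(url, cookieString, hiddenFieldValue) {
  if (!isLocalUrl(url)) return null;
  const token = pickCsrfToken(cookieString, hiddenFieldValue);
  return token ? { name: "X-CSRFToken", value: token } : null;
}

// Intended use inside the existing AJAX hook (browser only):
//   const h = csrfHeaderFor(settings.url, document.cookie,
//                           $("#csrfmiddlewaretoken").val());
//   if (h) xhr.setRequestHeader(h.name, h.value);
```
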
Please see upstream bug: http://bugs.locamotion.org/show_bug.cgi?id=1920
pootle-2.1.6-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/pootle-2.1.6-1.el6
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora or Fedora EPEL, please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.