SilverStripe Forums » All other Modules » Friendly message at possible CSRF attack

  • JonoM
    Community Member
    103 Posts

    Re: Friendly message at possible CSRF attack

    Thanks Willr!

  • CHD
    Community Member
    217 Posts

    Re: Friendly message at possible CSRF attack

    Was having this problem too with a "file upload" area using "user forms".

    With small files, all fine.
    Larger files caused the CSRF ATTACK message.

    Updated the php.ini settings with:
    upload_max_filesize = 20M TO upload_max_filesize = 50M
    post_max_size = 20M TO post_max_size = 50M

    ALSO

    max_input_time = 120 (from 60)
    max_execution_time = 120 (from 60)

    All works fine now, no need to disable the security tokens.

  • martimiz
    Forum Moderator
    1037 Posts

    Re: Friendly message at possible CSRF attack

    Form.php:

    236. if(!$token->checkRequest($request))
    237.    $this->httpError(400, "Security token doesn't match, possible CSRF attack.");

    Should at least be internationalized...

    I did create a 400 ErrorPage in the CMS, but that doesn't work: the default RequestHandler::httpError() function just throws the actual error string and doesn't retrieve the errorpage, it only gives you the white screen... The httpError() function in the ContentController does, but that doesn't work for the Form class. So I did:

    237.    $this->controller->httpError(400, "Security token doesn't match, possible CSRF attack.");

    That works as long as the controller extends ContentController (Page_controller) which it normally does. If not, you could do this:

    237.    $response = ErrorPage::response_for(400);
    238.    throw new SS_HTTPResponse_Exception($response);

    Simple test: temporarily replace

    236. if(!$token->checkRequest($request))

    by

    236. if(!$token->checkRequest($request) || 1)

    All this means hacking - or extending the Form class...

  • martimiz
    Forum Moderator
    1037 Posts

    Re: Friendly message at possible CSRF attack

    In a custom Form class it's really simple:

    class MyForm extends Form {

       ...

       public function httpError($code, $message = null) {
          // Use the ErrorPage published in the CMS for this status code
          $response = ErrorPage::response_for($code);
          // No such page published: fall back to the plain message
          if (empty($response)) $response = $message;
          // Pass $code as well, otherwise a plain-string fallback is sent as HTTP 200
          throw new SS_HTTPResponse_Exception($response, $code);
       }
    }

    Will display the 400 error page from the CMS...
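A fuller version of that override, as an added example that is neither martimiz's code nor SilverStripe's own: it renders the CMS ErrorPage with the status code preserved, appends the raw reason only in dev mode, and, picking up CHD's php.ini case above, tells a POST body that PHP discarded for exceeding post_max_size apart from a real token mismatch. It assumes the SilverStripe 3.x API (Form, ErrorPage::response_for(), SS_HTTPResponse, SS_HTTPResponse_Exception, SS_Log, Director::isDev()); FriendlyForm and postBodyWasDiscarded() are names chosen for this example.

```php
<?php
// Added example, not martimiz's code and not SilverStripe core. Assumes the
// SilverStripe 3.x API; FriendlyForm and postBodyWasDiscarded() are hypothetical.

class FriendlyForm extends Form {

    /**
     * True when PHP dropped the whole POST body because it exceeded
     * post_max_size: the request still carries a Content-Length, but $_POST
     * and $_FILES arrive empty, so the SecurityID field is missing and the
     * token check fails for a reason that has nothing to do with CSRF.
     */
    protected function postBodyWasDiscarded() {
        return isset($_SERVER['REQUEST_METHOD'])
            && $_SERVER['REQUEST_METHOD'] === 'POST'
            && !empty($_SERVER['CONTENT_LENGTH'])
            && empty($_POST) && empty($_FILES);
    }

    /**
     * Override RequestHandler::httpError() so a failed token check renders
     * the CMS ErrorPage instead of a bare white screen. Every error is still
     * logged, so a genuine token mismatch remains visible to operators.
     */
    public function httpError($code, $message = null) {
        if ($code == 400 && $this->postBodyWasDiscarded()) {
            // Oversized submission, not a forged request: say so, and use 413
            $message = 'The submitted data exceeds the server limit (post_max_size = '
                . ini_get('post_max_size') . '). Please upload a smaller file.';
            $code = 413;
        }

        SS_Log::log("Form {$this->getName()}: HTTP $code - $message", SS_Log::WARN);

        $response = ErrorPage::response_for($code);
        if (!$response) {
            // No ErrorPage published for this code: fall back to the plain message,
            // keeping the status code rather than letting it default to 200
            $response = new SS_HTTPResponse($message, $code);
        } elseif (Director::isDev() && $message) {
            // Developers see the real reason; ordinary visitors only get the CMS page
            $response->setBody($response->getBody()
                . '<p class="dev-message">' . htmlspecialchars($message) . '</p>');
        }

        throw new SS_HTTPResponse_Exception($response, $code);
    }
}
```

Note that only an exceeded post_max_size empties $_POST; a file that merely exceeds upload_max_filesize still arrives with its SecurityID and surfaces as UPLOAD_ERR_INI_SIZE in $_FILES instead.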

  • Willr
    Forum Moderator
    5462 Posts

    Re: Friendly message at possible CSRF attack

    martimiz - agreed, that message should really use the 400 (or whatever code is most relevant) error page from the CMS. Looks like you have got it working together well; do you want to submit the change as a pull request on github? I think it'll be worth getting into core.

  • martimiz
    Forum Moderator
    1037 Posts

    Re: Friendly message at possible CSRF attack

    Willr - yes, I think a pull request would be nice. But I'm not quite sure what should be patched:

    1. the RequestHandler::httpError() method,
    which doesn't use the ErrorPage (don't know if it should, or if there might be other situations where it shouldn't?)

    2. the actual check in the Form class,
    which uses $this->httpError() and not $this->controller->httpError(); (would work only if the Form's controller always extends ContentController)

    3. an extra Form::httpError() method?

    Besides: since errorpages don't actually show the error message, wouldn't it be a good idea to at least show the actual errors in dev mode?

    Oh - and I still haven't a clue how to do pull requests... :-[
