-
Re: Friendly message at possible CSRF attack

14 June 2011 at 5:57am
I was having this problem too with a "file upload" area using "user forms".
With small files, all fine.
Larger files caused the CSRF ATTACK message. I updated the php.ini settings with:
upload_max_filesize = 20M TO upload_max_filesize = 50M
post_max_size = 20M TO post_max_size = 50M
ALSO
max_input_time = 120; (from 60)
max_execution_time = 120; (from 60)
All works fine now, no need to disable the security tokens.
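The php.ini change above works because PHP discards the whole request body (both $_POST and $_FILES) when a POST exceeds post_max_size, so the SecurityID field never reaches the token check and the only thing the form can report is "possible CSRF attack". The following is an added example, not code from the thread or from SilverStripe: plain PHP that detects that condition before the token check so the user gets an upload-size message instead. The function names are this example's own.

```php
<?php
// Added example, not code from the thread: detect the condition behind the
// php.ini fix above. When a POST body is larger than post_max_size, PHP drops
// it entirely, so $_POST and $_FILES arrive empty, the SecurityID field is
// missing, and a token check can only conclude "possible CSRF attack".
// Plain PHP, no SilverStripe dependency; the function names are this example's own.

/** Convert a php.ini shorthand size ("20M", "512K", "2G", "8388608") to bytes. */
function iniSizeToBytes($value) {
    $value = trim((string) $value);
    $bytes = (int) $value;              // (int)"20M" === 20
    switch (strtolower(substr($value, -1))) {
        case 'g': $bytes *= 1024;       // fall through
        case 'm': $bytes *= 1024;       // fall through
        case 'k': $bytes *= 1024;
    }
    return $bytes;
}

/**
 * True when this request is a POST whose body PHP threw away for exceeding
 * post_max_size. The arrays are passed in rather than read from the globals
 * so the check can be exercised with constructed input.
 */
function postBodyWasDiscarded(array $server, array $post, array $files) {
    if (!isset($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    if (!empty($post) || !empty($files)) {
        return false;                   // the body got through; a token failure is real
    }
    $limit = iniSizeToBytes(ini_get('post_max_size'));
    if ($limit <= 0) {
        return false;                   // 0 or -1 means no limit is enforced
    }
    $declared = isset($server['CONTENT_LENGTH']) ? (int) $server['CONTENT_LENGTH'] : 0;
    return $declared > $limit;
}

// Usage at the top of the form handler, before the CSRF token is checked:
if (postBodyWasDiscarded($_SERVER, $_POST, $_FILES)) {
    header('HTTP/1.1 413 Request Entity Too Large');
    echo 'Upload too large: the server accepts at most '
        . ini_get('post_max_size') . ' per request.';
    exit;
}

// Constructed sample input: with post_max_size = 20M, a declared 30 MB POST
// that arrived with empty $_POST and $_FILES
//   postBodyWasDiscarded(array('REQUEST_METHOD' => 'POST',
//                              'CONTENT_LENGTH' => 31457280), array(), array())
// is true, while the same request with a populated $_POST is false.
```

Raising post_max_size only moves the limit; a request that exceeds the new limit still arrives with an empty body, so the distinction above is worth keeping in the handler regardless of the values chosen.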
-
Re: Friendly message at possible CSRF attack

26 June 2011 at 12:58am Last edited: 26 June 2011 1:09am
Form.php:
236. if(!$token->checkRequest($request))
237. $this->httpError(400, "Security token doesn't match, possible CSRF attack.");
Should at least be internationalized...
I did create a 400 ErrorPage in the CMS, but that doesn't work: the default RequestHandler::httpError() function just throws the actual error string and doesn't retrieve the error page, only gives you the white screen... The httpError() function in the ContentController does, but that doesn't work for the Form class. So I did:
237. $this->controller->httpError(400, "Security token doesn't match, possible CSRF attack.");
That works as long as the controller extends ContentController (Page_Controller), which it normally does. If not, you could do this:
237. $response = ErrorPage::response_for(400);
238. throw new SS_HTTPResponse_Exception($response);
Simple test: temporarily replace
236. if(!$token->checkRequest($request))
by
236. if(!$token->checkRequest($request) || 1)
All this means hacking - or extending the Form class...
-
Re: Friendly message at possible CSRF attack

26 June 2011 at 4:04am Last edited: 26 June 2011 4:15am
In a custom Form class it's really simple:
class MyForm extends Form {
    ...
    public function httpError($code, $message = null) {
        // Use the ErrorPage defined in the CMS for this status code, if there is one
        $response = ErrorPage::response_for($code);
        // No CMS page for this code: fall back to the message, keeping the status code
        if (empty($response)) $response = new SS_HTTPResponse($message, $code);
        throw new SS_HTTPResponse_Exception($response);
    }
}
Will display the 400 error page from the CMS...
-
Re: Friendly message at possible CSRF attack

26 June 2011 at 3:29pm
martimiz - agreed, that message should really use the 400 (or whatever code is most relevant) error page from the CMS. Looks like you have got it working together well; do you want to submit the change as a pull request on GitHub? I think it'll be worth getting into core.
-
Re: Friendly message at possible CSRF attack

26 June 2011 at 11:52pm Last edited: 26 June 2011 11:54pm
Willr - yes, I think a pull request would be nice. But I'm not quite sure what should be patched:
1. the RequestHandler::httpError() method, that doesn't use the ErrorPage (don't know if it should or if there might be other situations where it shouldn't?)
2. the actual check in the Form class, that uses $this->httpError() and not $this->controller->httpError(); (would work only if the Form's controller always extends ContentController)
3. an extra Form::httpError() method?
Besides: since error pages don't actually show the error message, wouldn't it be a good idea to at least show the actual errors in dev mode?
Oh - and I still haven't a clue how to do pull requests... :-[
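Putting the three options and the dev-mode question together: the following is an added example, not code from the thread or from SilverStripe core. It takes option 3 (an extra Form::httpError()) and adds the point raised above, appending the real message only in dev mode so the cause of the 400 is visible while developing but an ErrorPage is all a visitor sees. It assumes SilverStripe 2.4 APIs (ErrorPage::response_for, SS_HTTPResponse, SS_HTTPResponse_Exception, Director::isDev, Convert::raw2xml) and the class name ErrorPageForm is this example's own.

```php
<?php
// Added example (not from the thread or SilverStripe core): option 3 from the
// post above. A Form subclass whose httpError() serves the CMS ErrorPage for
// the status code and, in dev mode only, appends the real message so a missing
// SecurityID can be told apart from any other 400. Assumes SilverStripe 2.4;
// the class name ErrorPageForm is this example's own.

class ErrorPageForm extends Form {

    public function httpError($code, $message = null) {
        // Prefer the ErrorPage the CMS has for this code (null when none is defined)
        $response = ErrorPage::response_for($code);

        if (!$response) {
            // No CMS page for this code: still answer with the right status, not a 200
            $response = new SS_HTTPResponse($message, $code);
        }

        // Error pages hide the message; in dev mode surface it (escaped) so the
        // developer sees "Security token doesn't match" rather than a bare 400.
        if ($message && Director::isDev()) {
            $response->setBody(
                $response->getBody()
                . '<p class="dev-error">' . Convert::raw2xml($message) . '</p>'
            );
        }

        throw new SS_HTTPResponse_Exception($response);
    }
}

// Usage in a Page_Controller: the token check in Form::httpSubmission() calls
// $this->httpError(400, ...), which now resolves to the override above instead
// of RequestHandler::httpError(), whatever controller owns the form.
// class Page_Controller extends ContentController {
//     public function UploadForm() {
//         $fields  = new FieldSet(new FileField('Upload', 'File'));
//         $actions = new FieldSet(new FormAction('doUpload', 'Upload'));
//         return new ErrorPageForm($this, 'UploadForm', $fields, $actions);
//     }
// }
```

Because the override lives on the Form, it does not depend on the controller extending ContentController (the limitation noted for option 2), and leaving RequestHandler::httpError() alone (option 1) keeps the behaviour of every other request handler unchanged.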