Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

All other Modules /

Discuss all other Modules here.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Friendly message at possible CSRF attack


Go to End
Reply


14 Posts   7665 Views

Avatar
JonoM

Community Member, 103 Posts

13 May 2011 at 5:37pm

Thanks Willr!

Avatar
CHD

Community Member, 218 Posts

14 June 2011 at 5:57am

was having this problem too with a "file upload" area using "user forms"

with small files, all fine.
larger files caused CSRF ATTACK message.

updated the php.ini settings with:
upload_max_filesize = 20M TO upload_max_filesize = 50M
post_max_size = 20M TO post_max_size = 50M

ALSO

max_input_time = 120; (from 60)
max_execution_time = 120; (from 60)

All works fine now, no need to disable the security tokens

Avatar
martimiz

Forum Moderator, 1132 Posts

26 June 2011 at 12:58am

Edited: 26/06/2011 1:09am

Form.php:

236. if(!$token->checkRequest($request))
237.    $this->httpError(400, "Security token doesn't match, possible CSRF attack.");

Should at least nbe internationalized...

I did create a 400 ErrorPage in the CMS, but that doesn't work: the default RequestHandler::httpError() function just throws the actual error string, and doesn't retrieve the errorpage, only gives you the white screen... The httpError() function in the ContentController does, but that doesn't work for the Form class class. So I did:

237.    $this->controller->httpError(400, "Security token doesn't match, possible CSRF attack.");

That works as long as the controller extends ContentController (Page_controller) which it normally does. If not, you could do this:

237.    $response = ErrorPage::response_for(400);
238.    throw new SS_HTTPResponse_Exception($response);

Simple test: temporarily replace

236. if(!$token->checkRequest($request))

by

236. if(!$token->checkRequest($request) || 1)

All this means hacking :-( - or extending the Form class...

Avatar
martimiz

Forum Moderator, 1132 Posts

26 June 2011 at 4:04am

Edited: 26/06/2011 4:15am

In a custom Form class it's really simple :-)

class MyForm extends Form {

   ...

   public function httpError($code, $message = null) {
      $response = ErrorPage::response_for($code);
      if (empty($response)) $response = $message;
      throw new SS_HTTPResponse_Exception($response);
   }
}

Will display 400 error page from the CMS...

Avatar
Willr

Forum Moderator, 5513 Posts

26 June 2011 at 3:29pm

martimiz - agreed, that message should really use the 400 (or whatever code is most relevant) error page from the CMS. Looks like you have got it working together well, do you want to submit the change as a pull request on github. I think it'll be worth getting into core.

Avatar
martimiz

Forum Moderator, 1132 Posts

26 June 2011 at 11:52pm

Edited: 26/06/2011 11:54pm

Willr - yes, I think a pull request would be nice. But I'm not quite sure what should be patched:

1. the RequestHandler::httpError() method,
that doesn't use the ErrorPage (don't know if it should or if there might be other situations where it shouldn't?)

2. the actual check in the Form class,
that uses $this->httpError() and not $this->controller->httpError(); (would work only if the Form's controller allways extends ContentController

3. an extra Form::httpError() method?

Besides: since errorpages don't actually show the error message, wouldn't it be a good idea to at least show the actual errors on dev mode?

Oh - and I still haven't a clue how to do pull requests...    :-[

Go to Top