
Friendly message at possible CSRF attack




13 May 2011 at 5:37pm Community Member, 103 Posts

Thanks Willr!


14 June 2011 at 5:57am Community Member, 218 Posts

Was having this problem too with a "file upload" area using "user forms".

With small files, all fine.
Larger files caused the CSRF ATTACK message.

updated the php.ini settings with:
upload_max_filesize = 20M TO upload_max_filesize = 50M
post_max_size = 20M TO post_max_size = 50M


max_input_time = 120; (from 60)
max_execution_time = 120; (from 60)

All works fine now, no need to disable the security tokens.
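The reason the bigger uploads tripped the token check: when a POST body is larger than post_max_size, PHP drops the entire body, so $_POST and $_FILES arrive empty and the SecurityID field never reaches the form. The check below is an added example (not code from this thread or from SilverStripe core) that recognises that situation from CONTENT_LENGTH so a form can report "upload too large" instead of "possible CSRF attack". The function names and the sample requests are constructed for the example.

```php
<?php
// Added example: tell an oversized POST apart from a genuine SecurityID mismatch.
// PHP documents that when the body exceeds post_max_size, $_POST and $_FILES are
// emptied, while $_SERVER['CONTENT_LENGTH'] still reports the original size.

/** Convert a php.ini shorthand size such as "50M" or "8K" into bytes. */
function iniSizeToBytes($value) {
    $value  = trim((string)$value);
    $unit   = strtoupper(substr($value, -1));
    $number = (int)$value;            // the (int) cast stops at the first non-digit
    switch ($unit) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;     // plain byte count
    }
}

/**
 * True when the request was a POST whose body PHP discarded because it was
 * larger than post_max_size. $server, $post and $files are parameters so the
 * function can be exercised with constructed input; a real caller passes the
 * superglobals.
 */
function postBodyWasDiscarded(array $server, array $post, array $files, $postMaxSize) {
    if (!isset($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') return false;
    if (!empty($post) || !empty($files)) return false;   // body arrived, nothing was dropped
    if (!isset($server['CONTENT_LENGTH'])) return false;
    return (int)$server['CONTENT_LENGTH'] > iniSizeToBytes($postMaxSize);
}

/** Pick the message a visitor should see when the SecurityID check fails. */
function tokenFailureMessage(array $server, array $post, array $files, $postMaxSize) {
    if (postBodyWasDiscarded($server, $post, $files, $postMaxSize)) {
        return sprintf('Upload too large: the request (%d bytes) exceeds post_max_size (%s).',
            (int)$server['CONTENT_LENGTH'], $postMaxSize);
    }
    // Body was delivered but the token is still missing or wrong: keep the strict message.
    return "Security token doesn't match, possible CSRF attack.";
}

// --- constructed sample requests (not real traffic) --------------------------
$oversized = array('REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => 30 * 1024 * 1024);
$normal    = array('REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => 2048);

// 30 MB body against a 20M limit: PHP emptied $_POST, so the token is simply absent.
echo tokenFailureMessage($oversized, array(), array(), '20M'), "\n";
// Small body, empty $_POST, no SecurityID: this one really is a token problem.
echo tokenFailureMessage($normal, array(), array(), '20M'), "\n";

// Inside a SilverStripe Form subclass the check would run before the token test:
//   if (postBodyWasDiscarded($_SERVER, $_POST, $_FILES, ini_get('post_max_size'))) {
//       $this->httpError(413, 'Upload too large');
//   }
```

Raising post_max_size, as done above, removes the symptom; the check keeps the token validation intact while giving a user-facing message that matches the real cause.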


26 June 2011 at 12:58am (Last edited: 26 June 2011 1:09am), Forum Moderator, 1095 Posts


236. if(!$token->checkRequest($request))
237.    $this->httpError(400, "Security token doesn't match, possible CSRF attack.");

Should at least be internationalized...

I did create a 400 ErrorPage in the CMS, but that doesn't work: the default RequestHandler::httpError() function just throws the actual error string, and doesn't retrieve the errorpage, only gives you the white screen... The httpError() function in the ContentController does, but that doesn't work for the Form class. So I did:

237.    $this->controller->httpError(400, "Security token doesn't match, possible CSRF attack.");

That works as long as the controller extends ContentController (Page_controller) which it normally does. If not, you could do this:

237.    $response = ErrorPage::response_for(400);
238.    throw new SS_HTTPResponse_Exception($response);

Simple test: temporarily replace

236. if(!$token->checkRequest($request))

with

236. if(!$token->checkRequest($request) || 1)

All this means hacking :-( - or extending the Form class...


26 June 2011 at 4:04am (Last edited: 26 June 2011 4:15am), Forum Moderator, 1095 Posts

In a custom Form class it's really simple :-)

class MyForm extends Form {

   // Serve the CMS error page for $code; fall back to the plain message,
   // keeping the status code so the fallback is not sent as a 200.
   public function httpError($code, $message = null) {
      $response = ErrorPage::response_for($code);
      if (empty($response)) $response = $message;
      throw new SS_HTTPResponse_Exception($response, $code);
   }
}

Will display 400 error page from the CMS...


26 June 2011 at 3:29pm Forum Moderator, 5511 Posts

martimiz - agreed, that message should really use the 400 (or whatever code is most relevant) error page from the CMS. Looks like you have got it working together well. Do you want to submit the change as a pull request on GitHub? I think it'll be worth getting into core.


26 June 2011 at 11:52pm (Last edited: 26 June 2011 11:54pm), Forum Moderator, 1095 Posts

Willr - yes, I think a pull request would be nice. But I'm not quite sure what should be patched:

1. the RequestHandler::httpError() method,
that doesn't use the ErrorPage (don't know if it should or if there might be other situations where it shouldn't?)

2. the actual check in the Form class,
that uses $this->httpError() and not $this->controller->httpError(); (would work only if the Form's controller always extends ContentController)

3. an extra Form::httpError() method?

Besides: since errorpages don't actually show the error message, wouldn't it be a good idea to at least show the actual errors on dev mode?

Oh - and I still haven't a clue how to do pull requests...    :-[
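Option 3 above, carried through as an added example (not code from this thread or from SilverStripe core): a Form subclass whose httpError() serves the published CMS error page for the status code, falls back to a plain response that still carries the right status code, and in dev mode appends the real message so the cause is visible to developers without showing it to visitors. It assumes the SilverStripe 2.4 APIs ErrorPage::response_for(), Director::isDev(), Convert::raw2xml(), SS_HTTPResponse and SS_HTTPResponse_Exception; the class names MyForm and the UploadForm method are constructed for the example.

```php
<?php
// Added example: Form subclass that routes httpError() through the CMS error
// pages and exposes the underlying message only in dev mode.

class MyForm extends Form {

    public function httpError($code, $message = null) {
        // ErrorPage::response_for() returns the cached error page for $code, or
        // nothing when no such page has been published in the CMS.
        $response = ErrorPage::response_for($code);

        if (!($response instanceof SS_HTTPResponse)) {
            // No CMS page for this code: send the message with the correct status
            // instead of letting it go out as a 200 with the error text as body.
            $response = new SS_HTTPResponse($message ? $message : "Error $code", $code);
        } elseif ($message && Director::isDev()) {
            // Keep the friendly page for visitors, but let developers see the
            // reason (e.g. "Security token doesn't match"). Escaped before output.
            $response->setBody($response->getBody() .
                '<p class="dev-error">' . Convert::raw2xml($message) . '</p>');
        }

        // Throwing the exception ends the request with this response; this is the
        // same mechanism RequestHandler::httpError() relies on.
        throw new SS_HTTPResponse_Exception($response);
    }
}

// Usage from a Page_Controller: build the form as MyForm so that a failed
// SecurityID check inside Form::httpSubmission() reaches the override above.
class Page_Controller extends ContentController {

    public static $allowed_actions = array('UploadForm');

    public function UploadForm() {
        $fields  = new FieldSet(new FileField('Upload', 'File'));
        $actions = new FieldSet(new FormAction('doUpload', 'Upload'));
        return new MyForm($this, 'UploadForm', $fields, $actions);
    }

    public function doUpload($data, $form) {
        // Handle the upload here; the token has already been verified by the form.
        return $this->redirectBack();
    }
}
```

Because the subclass only overrides httpError(), the token check itself (SecurityToken::checkRequest()) is untouched, and the patch to core would reduce to the same few lines in Form if that is the route chosen.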