ClearOS Bug Tracker


View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0016711ClearOSclearos-frameworkpublic2017-08-28 19:492017-09-13 12:09
Reporterbchambers 
Assigned Tobchambers 
PrioritynormalSeverityminorReproducibilitysometimes
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version7.4.0 Beta 1 
Target Version7.4.0 Beta 1Fixed in Version7.4.0 Beta 1 
Summary0016711: Ajax "POST's" cause CSRF 403's
DescriptionPOST.

If user submits a POST form, CSRF will fail.
TagsNo tags attached.
Attached Files

- Relationships
related to 0015311closedpbaldwin Upgrade engine to CodeIgniter 3.1.x 

-  Notes
(0006391)
pbaldwin (administrator)
2017-08-28 21:26

Note: severity set to minor since this a change from the unreleased and unverified 0015311.
(0006401)
bchambers (administrator)
2017-08-29 07:20

Pete,

There's 3 ways we could go with this:

https://stackoverflow.com/questions/41398753/regenerate-crsf-token-codeigniter-on-submit-ajax [^]

1. Messy but secure - get and set the regenerated CSRF and update values in any forms.
2. Easy, but less secure and not scalable - Disable CSRF protection on certain routes (eg. AJAX). However, since these are specified in the framework, app developers are left out of the loop.
3. Easy but least secure - Disable regeneration of CSRF tokens.

I think 2 is out due to scalability issues...doubt you want to go down path 3, so 1 it is???
(0006421)
pbaldwin (administrator)
2017-09-02 15:34

0000003 is fine for the webconfig use case. Note: the CSRF token will be regenerated on every login session.

- Issue History
Date Modified Username Field Change
2017-08-28 19:49 bchambers New Issue
2017-08-28 19:49 bchambers Status new => assigned
2017-08-28 19:49 bchambers Assigned To => bchambers
2017-08-28 21:20 pbaldwin Relationship added duplicate of 0015311
2017-08-28 21:21 pbaldwin Severity major => minor
2017-08-28 21:26 pbaldwin Note Added: 0006391
2017-08-28 21:27 pbaldwin Relationship replaced related to 0015311
2017-08-29 07:20 bchambers Note Added: 0006401
2017-08-31 09:04 pbaldwin Target Version => 7.4.0 Beta 1
2017-09-02 15:30 pbaldwin Category app-marketplace - Marketplace => clearos-framework
2017-09-02 15:34 pbaldwin Note Added: 0006421
2017-09-02 15:35 pbaldwin Status assigned => resolved
2017-09-02 15:35 pbaldwin Fixed in Version => 7.4.0 Beta 1
2017-09-02 15:35 pbaldwin Resolution open => fixed
2017-09-13 12:09 pbaldwin Status resolved => closed