View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005889 | Composr | core | public | 2024-08-14 12:56 | 2024-08-18 01:03 |
| Reporter | Adam Edington | Assigned To | Patrick Schmalstig | ||
| Severity | Major-bug | ||||
| Status | resolved | Resolution | fixed | ||
| Product Version | 10.0.49 | ||||
| Fixed in Version | 10.0.50 | ||||
| Summary | 0005889: CSRF tokens broken | ||||
| Description | "A POST request was made with a non-recognised security token; this has been blocked as it represents a security threat." This may be due to using backdoor IP, but mentioning in case it's not. | ||||
| Tags | No tags attached. | ||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
| related to | 0005887 | resolved | Patrick Schmalstig | Session cookies should always be HttpOnly / Secure where applicable |
|
|
It has nothing to do with the backdoor. I'll investigate. |
|
|
Automated response: CSRF tokens broken The recent release of 10.0.49 broke CSRF tokens for AJAX requests (such as rating content and changing your password). This is because Composr was using your Session ID cookie as the CSRF token, retrieved via JavaScript. This can no longer be done due to the new strict security (HttpOnly) on session cookies. This patch adds a new hidden input field on every page containing the CSRF token, which can be retrieved via JavaScript, unlike a session cookie. This patch also deprecates the JavaScript function get_session_id() (it now throws a console error). This can no longer be used due to the new cookie security settings. And there are no secure workarounds for this. As a consequence, keep_stub() will NOT include your session via keep_session anymore unless it already exists in the URL. |
|
|
Fixed in git commit 3f778ebf90 (https://gitlab.com/composr-foundation/composr/commit/3f778ebf90 - link will become active once code pushed to GitLab) A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/). hotfix-5889, 2024-08-14 6pm.tar (348,160 bytes) |
|
|
NOTE: After applying this patch, you will need to edit all your themes GLOBAL_HTML_WRAP and GLOBAL_HTML_WRAP_* files and add the following to the bottom just before </body>: <input type="hidden" id="g-post-tkn" value="{$CSRF_TOKEN}"> Then clear your template and block caches. If you don't, then you will still get token errors. |
|
|
REVERTED in 10.0.50 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-08-14 12:56 | Adam Edington | New Issue | |
| 2024-08-14 15:13 | Patrick Schmalstig | Note Added: 0009185 | |
| 2024-08-14 18:10 | Patrick Schmalstig | Severity | Minor-bug => Major-bug |
| 2024-08-14 18:10 | Patrick Schmalstig | Summary | Cannot rate content => CSRF tokens broken |
| 2024-08-14 18:44 | Patrick Schmalstig | Note Added: 0009191 | |
| 2024-08-14 18:47 | Patrick Schmalstig | Relationship added | related to 0005887 |
| 2024-08-18 01:03 | Patrick Schmalstig | Note Added: 0009237 |
