Message4246
Roundup's web interface checks that requests modifying the database come
via HTTP POST. This is not sufficient protection against cross-site
request forgery attacks; a user's browser can easily be induced by a
hostile site to send an arbitrary POST request, through Javascript or
otherwise.
In addition to the POST check, all those actions checking for POST
should also check for a secret token in a hidden form field, linked in
the database to the session ID. (Because of incompatibility with
existing templates it may not be possible to do this unconditionally,
but I think security against CSRF should be the default.)
The POST check is still useful, as it makes it unlikely for the secret
token to appear in URLs (since it wouldn't work there) and URLs are
liable to leak (in Referers etc.). It's useful for the secret token to
be a separate random token rather than a copy of the session ID, so that
if the contents of a form are leaked (e.g. if the user sends a copy of
the page to someone) that doesn't by itself enable impersonating the user.
Date | User | Action | Args
2011-02-22 20:15:53 | joseph_myers | set | recipients: + joseph_myers
2011-02-22 20:15:53 | joseph_myers | set | messageid: <1298405753.8.0.247936330488.issue2550690@psf.upfronthosting.co.za>
2011-02-22 20:15:53 | joseph_myers | link | issue2550690 messages
2011-02-22 20:15:53 | joseph_myers | create |
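The token scheme the message describes (POST check plus a per-session random token in a hidden field, stored separately from the session ID), as an added example. This is illustration code, not Roundup's own implementation and not code from the message author; the dictionaries standing in for the session database, the `@csrf` field name and the `enforce` switch are assumptions.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory stand-ins for the tracker's session storage
# (hypothetical; Roundup's real session database has a different API).
SESSIONS = {}      # session_id -> username
CSRF_TOKENS = {}   # session_id -> CSRF token, kept separate from the session id


def new_session(user):
    """Create a session and a *separate* random CSRF token linked to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    # A fresh random token rather than a copy of the session id: a leaked
    # form page then does not by itself let someone impersonate the user.
    CSRF_TOKENS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    return CSRF_TOKENS[sid]


def hidden_field(sid):
    """Hidden input to embed in every form that performs a modifying action.
    The field name '@csrf' is an assumption, not a Roundup form variable."""
    return '<input type="hidden" name="@csrf" value="%s">' % escape(
        csrf_token_for(sid), quote=True)


def check_request(method, session_id, form, enforce=True):
    """Gate for database-modifying actions. Returns (ok, reason).

    The POST check stays in place so the token never has to travel in a URL
    (where it would leak via Referer headers and logs). `enforce` models the
    configurable-but-default-on behaviour the message argues for."""
    if method != "POST":
        return False, "modifying action requires POST"
    if session_id not in SESSIONS:
        return False, "no valid session"
    if not enforce:
        return True, "ok (CSRF check disabled by configuration)"
    submitted = form.get("@csrf")
    if submitted is None:
        return False, "missing CSRF token"
    expected = CSRF_TOKENS[session_id]
    # Constant-time comparison on bytes; compare_digest on str would raise
    # on non-ASCII input, which an attacker controls.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return False, "CSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session("alice")
    print(hidden_field(sid))
    print(check_request("POST", sid, {"@csrf": csrf_token_for(sid)}))
    # A hostile site can make the browser POST, but cannot read the token:
    print(check_request("POST", sid, {}))
    # Pasting the token into a URL does not work either:
    print(check_request("GET", sid, {"@csrf": csrf_token_for(sid)}))
```

A forged cross-site POST carries the victim's session cookie but no token (the attacker cannot read the victim's page), so it fails; a token from the attacker's own session fails too because the token is looked up by the victim's session ID.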