Roundup Tracker - Issues

Issue 2551229

Implement CSRF protection for
Type: security Severity: normal
Components: Web interface Versions:
Status: new
: : rouilj
Priority: low : Effort-Medium

Created on 2022-08-02 02:54 by rouilj, last changed 2022-08-02 02:54 by rouilj.

msg7628 Author: [hidden] (rouilj) Date: 2022-08-02 02:54
As I was debugging my changes to add redis support for session and otks
databases, I noticed that the page does not request a CSRF token.

It also uses GET for its submission mode.

This makes sense in most cases as it doesn't change any issue data. However
because we name the search and save it to the search list, it does modify data.

So this should have CSRF protection if the change is to be saved/committed.

I think this is a low priority. I am not sure how it could be used to do much
of anything other than mess with a user's searches. Using GET for searches (so we
can bookmark and share them) already provides the same exposure this does to issue
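The distinction the report draws, a read-only search that may stay a bookmarkable GET versus a "name and save this search" branch that changes user data and therefore needs POST plus a valid CSRF token, as an added illustration that is not Roundup's own code (the parameter names `savename` and `csrf_token`, the per-session HMAC token, and the in-memory `saved_queries` store are all assumptions made for the example):

```python
import hmac
import hashlib

# Hypothetical handler; not Roundup's implementation. Parameter names are
# assumptions for this example, not Roundup's real form field names.
SAVE_PARAM = "savename"
TOKEN_PARAM = "csrf_token"


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session token with an HMAC over a server-side secret,
    so it is bound to the session and cannot be guessed by another site."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(params: dict, session_id: str, secret: bytes) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    submitted = params.get(TOKEN_PARAM, "")
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(submitted, expected)


def handle_search(method: str, params: dict, session_id: str,
                  secret: bytes, saved_queries: dict) -> str:
    """Return what happened: 'search' (read-only), 'saved', or a rejection.

    A plain search changes nothing, so GET without a token is acceptable and
    keeps the URL shareable.  Naming the search saves it to the user's list,
    which is a state change: require POST and a matching CSRF token so a
    third-party page cannot plant or overwrite saved searches via a link."""
    name = params.get(SAVE_PARAM)
    if not name:
        return "search"
    if method != "POST":
        return "rejected: saving a search requires POST"
    if not token_is_valid(params, session_id, secret):
        return "rejected: missing or invalid CSRF token"
    # Persist only the query fields, not the control parameters.
    query = {k: v for k, v in params.items() if k not in (SAVE_PARAM, TOKEN_PARAM)}
    saved_queries[name] = query
    return "saved"
```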
Date                User    Action  Args
2022-08-02 02:54:07 rouilj  create