Roundup Tracker - Issues

Issue 2551229

Classification
Implement CSRF protection for issue.search
Type: security
Severity: normal
Components: Web interface
Versions:

Process
Status: new
: : rouilj
Priority: low
Effort-Medium

Created on 2022-08-02 02:54 by rouilj, last changed 2022-08-02 02:54 by rouilj.

Messages
msg7628 Author: [hidden] (rouilj) Date: 2022-08-02 02:54
As I was debugging my changes to add redis support for session and otks
databases, I noticed that the issue.search page does not request a CSRF token.

It also uses GET for its submission mode.

This makes sense in most cases as it doesn't change any issue data. However
because we name the search and save it to the search list, it does modify data.

So this should have CSRF protection if the change is to be saved/committed.

I think this is a low priority. I am not sure how it could be used to do much
of anything other than mess with a user's searches. Using GET for searches (so we
can bookmark and share them) already provides the same exposure this does to issue
data.
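The distinction the message draws (a plain GET search is a read and may stay bookmarkable, but naming the search writes to the user's saved-search list and therefore needs a CSRF check) can be shown in a small handler. This is an added example, not Roundup's own code: the parameter names `queryname` and `csrf_token`, the in-memory session and saved-search stores, and the sample issues are all assumptions constructed for the illustration.

```python
import hmac
import secrets

# Constructed stand-ins for the tracker's session and query databases (assumptions).
SESSIONS = {}          # user -> CSRF token bound to that user's session
SAVED_SEARCHES = {}    # user -> {query name -> saved search parameters}
ISSUES = [             # constructed sample issue data
    {"id": 1, "title": "Login fails", "status": "open"},
    {"id": 2, "title": "Typo in docs", "status": "closed"},
    {"id": 3, "title": "Slow search", "status": "open"},
]


class CSRFError(Exception):
    """Raised when a state-changing request lacks a valid CSRF token."""


def new_session(user):
    """Start a session for `user` and return the CSRF token tied to it."""
    token = secrets.token_hex(16)
    SESSIONS[user] = token
    return token


def run_search(params):
    """Read-only part of the search: filter issues by the `status` parameter."""
    status = params.get("status")
    return [i["id"] for i in ISSUES if status is None or i["status"] == status]


def handle_search(user, params):
    """Serve one GET search request given its query-string parameters.

    A plain search is idempotent, so it is allowed without a token and stays
    bookmarkable and shareable.  If the request also names the query
    (`queryname`, an assumed parameter name), it will be written to the user's
    saved-search list, so that branch demands a CSRF token that matches the one
    bound to the user's session.
    """
    results = run_search(params)
    name = params.get("queryname")
    if name:
        expected = SESSIONS.get(user)
        supplied = params.get("csrf_token", "")
        # compare_digest avoids leaking the token through timing differences
        if not expected or not hmac.compare_digest(expected, supplied):
            raise CSRFError("saving a named search requires a valid CSRF token")
        SAVED_SEARCHES.setdefault(user, {})[name] = {
            k: v for k, v in params.items() if k not in ("queryname", "csrf_token")
        }
    return results


if __name__ == "__main__":
    token = new_session("alice")
    # read-only search: no token needed
    print(handle_search("alice", {"status": "open"}))
    # same search, but asking to save it under a name without a token: rejected
    try:
        handle_search("alice", {"status": "open", "queryname": "mine"})
    except CSRFError as e:
        print("rejected:", e)
    # with the session's token the search runs and is saved
    print(handle_search("alice", {"status": "open", "queryname": "mine",
                                  "csrf_token": token}))
    print(SAVED_SEARCHES)
```

The point of the split is that the token requirement is tied to the side effect, not to the HTTP method: the search results are returned in every case, and only the write to the saved-search list is gated.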
History
Date User Action Args
2022-08-02 02:54:07 | rouilj | create |