Public archives not available with sympa-6.2.38 #527
Comments
Hi @pascalmaes, Could you please tell us these things?
Thanks.
I have tried with Safari, Firefox and Google Chrome on macOS and with Firefox on Windows. I know the URL: https://sympa-test.sipr.ucl.ac.be/sympa/arc/test-4/2019-01/
@pascalmaes, I think it's a bug. Can you do either one of below?
The line web_archive_spam_protection has been added to /etc/sympa/sympa.conf. I took a look at the config file and I see
and I have an error message in sympa.log
I modified the access to private and then again to public. Now I have
and the access is OK for anybody. For the email address protection method (web_archive_spam_protection) (default), I have
I'm still unable to see the source scenario of the archive web access. The "source scenario" buttons are working in "List Definition", "Sending/receiving setup" and "Privileges" except for the shared_doc part; they are not working in "Archives" and "Bounces", and the error messages are
Broken. I'll investigate the problem on. Thanks for reporting the bug in detail!
I tested this with 6.2.38 and I can reproduce the problem with
My apologies, folks. We observed this in our logs after our 6.2.38 upgrade just today. I just love running into really pretty obvious cases that were not tested before rolling out into production. This one I believe is my doing. The sequence seems to be
Our tests this afternoon show that removing
Now, looking at
This is also broken:
Seems like the same mechanism: GET request -> triggers confirm_action -> fails due to lack of CSRF token. I put
@mpkut, sorry for crossing comment. I think the measure with POST request should be left, like:
Hello @ikedas, That would certainly allow all GET-based requests to operate as in previous versions. Is there any risk of a GET-based way to supply the necessary action arguments to do something that the POST-based CSRF code would prevent?
Indeed, attackers can throw anything in by GET requests. What we can do at the next step is to prevent unnecessary GET requests.
GET requests should not be used to change data in the system etc. So if these exist, I suggest turning them into POST requests. Further reading: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Resources_that_need_to_be_protected_from_CSRF_vulnerability
Further review suggests that the simple patch of removing the
A new release closing this issue is coming this Saturday. Thanks for reporting, investigating and fixing!
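As an added illustration of the mechanism discussed in the comments above (hypothetical example code, not Sympa's own code), here is a minimal Python version of an action-parameter check that shows both behaviours: a strict check that demands a CSRF token for every action, which is what refuses an anonymous GET of a public archive and bounces it to confirm_action, and a corrected check that requires the token only for state-changing actions and additionally insists that those arrive by POST, as the OWASP guidance recommends. The action classification, the `session` dictionary and the `params` form values are constructed for this example; the log-style reason string only mirrors the shape of the `CSRF token mismatch` message seen in sympa.log.

```python
import hmac
import secrets

# Constructed classification of web actions for this example (not Sympa's real
# action table): read-only actions may be served to anonymous GET requests,
# state-changing ones need a CSRF token and must be submitted by POST.
READ_ONLY_ACTIONS = {"arc", "info", "lists"}
STATE_CHANGING_ACTIONS = {"subscribe", "signoff", "del"}


def new_session():
    """Create a session carrying a fresh random CSRF token (hypothetical)."""
    return {"csrf_token": secrets.token_hex(16)}


def _token_matches(session, params):
    """Constant-time comparison of the submitted token with the session's."""
    submitted = params.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def check_action_parameters_strict(session, method, action, params):
    """Behaviour that reproduces the reported bug: every action, including a
    plain GET of a public archive, is refused without a matching token.
    Returns (allowed, reason)."""
    if not _token_matches(session, params):
        submitted = params.get("csrf_token", "")
        # Only the submitted value is echoed; the session token stays out of logs.
        return False, f'CSRF token mismatch: in="{submitted}"'
    return True, "ok"


def check_action_parameters(session, method, action, params):
    """Corrected check: anonymous read-only GETs pass, state-changing actions
    must be POSTed with a valid token. Returns (allowed, reason)."""
    if action in READ_ONLY_ACTIONS:
        # Reading a public archive changes nothing, so no token is needed and
        # an anonymous visitor must not be redirected to confirm_action.
        return True, "read-only action"
    if action not in STATE_CHANGING_ACTIONS:
        return False, f"unknown action {action!r}"
    if method != "POST":
        # A cross-site link or <img> can make a browser issue a GET on the
        # victim's behalf, so data-changing actions are accepted only by POST.
        return False, "state-changing action must be submitted by POST"
    if not _token_matches(session, params):
        submitted = params.get("csrf_token", "")
        return False, f'CSRF token mismatch: in="{submitted}"'
    return True, "ok"


if __name__ == "__main__":
    session = new_session()
    # Anonymous archive read, as in the bug report: refused by the strict
    # check, allowed by the corrected one.
    print(check_action_parameters_strict(session, "GET", "arc", {}))
    print(check_action_parameters(session, "GET", "arc", {}))
    # A signoff form that carries the session's token, submitted by POST.
    form = {"csrf_token": session["csrf_token"]}
    print(check_action_parameters(session, "POST", "signoff", form))
    # The same form replayed through a GET link is refused before the token
    # is even compared.
    print(check_action_parameters(session, "GET", "signoff", form))
```

The strict variant is the failure mode described in the thread: the token check runs before the request is classified, so an anonymous reader has no session token to present and every archive hit fails. The corrected variant classifies first and checks the token only where a forged request could actually change something.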
A user not logged in can't see the archive of a list with public web access
ERROR (confirm_action) - Authorization rejected. Maybe you forgot to log in?
Version
6.2.38
Installation method
From source on a virgin system (the previous installation of sympa has been deleted).
Everything as default.
Expected behavior
The archive should be readable
Actual behavior
ERROR (confirm_action) - Authorization rejected. Maybe you forgot to log in?
In sympa.log
Jan 12 11:20:04 sympa-test wwsympa[30577]: info main::do_arc(2019-01, /) [robot listes] [session 95681996162673] [client y] [list test-4]
Jan 12 11:20:04 sympa-test wwsympa[30577]: info main::check_action_parameters() [robot listes] [session 95681996162673] [client y] [list test-4] CSRF token mismatch: in="" session="aaad607574282c8ea3a865514c3ba433"
In sympa.err
Jan 12 11:20:04 sympa-test wwsympa[30577]: err main::#1557 [robot listes] [session 95681996162673] [client y] Missing required parameters for action "confirm_action"
Additional information
When logged as listmaster, I can't see the scenario source of "access right (web_access)"
INTERNAL SERVER ERROR (dump_scenario) -
In sympa.err
Jan 12 11:15:32 sympa-test.sipr.ucl.ac.be wwsympa[30577]: err main::#1572 > main::do_dump_scenario#15942 > Sympa::Scenario::new#77 Missing parameter