Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add token to prevent CSRF. #492

Merged
merged 1 commit into from
Dec 7, 2018
Merged

Conversation

racke
Copy link
Contributor

@racke racke commented Dec 5, 2018

This is a slightly adjusted version of the CSRF patch provided by @mpkut. I tested in my working copy over the weekend and I didn't run into a regression. This is scheduled to be part of the next beta release, as agreed with @ikedas.

@ikedas
Copy link
Member

ikedas commented Dec 5, 2018

@mpkut & @racke, thanks much for enhancement & testing!

  • renewpasswd.tt2 does not have csrftoken field. Is this intended? (I guess this does not matter anyway.)
  • I realized that users may have to update many web templates they have customized, and I prepared additional changes to avoid updating templates. Is this useful?

@mpkut
Copy link
Contributor

mpkut commented Dec 5, 2018

Hello @ikedas,

  • You're right, renewpasswd.tt2 does not really need a csrftoken field because it does not employ the authorized user's session to make any state changes.
  • Your additional changes are a much more airtight and maintainable solution to the question of how to consistently supply the token. I had been concerned about adding another field to all of those forms, but simply did not have the imagination to realize that your approach was a possibility.

Thanks to you and Racke for your review and helping arrive at a well-formed solution to this concern!

@racke
Copy link
Contributor Author

racke commented Dec 5, 2018

Your approach sounds good to me, @ikedas

@ikedas
Copy link
Member

ikedas commented Dec 6, 2018

ok. I submitted #493. It may be merged in beta.3 or 6.2.38.

@racke racke merged commit a47ff9e into sympa-community:sympa-6.2 Dec 7, 2018
racke added a commit that referenced this pull request Dec 7, 2018
@racke racke deleted the pr/csrftoken branch February 18, 2020 16:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants