-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[4.3] Use CSRF only for the site's domain #39580
Conversation
The last commit aligns the code with the jQuery proven code: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#jquery |
@Fedik can you review this one? |
I think #39343 will be better, because it gives you more controll over the code. (and I would prefer to avoid use of |
hmhm, or can we combine both PRs? When |
Ehm, that PR is not actually solving the leak if the devs won't explicitly use the new option. BTW devs could still push whatever they want with a custom header (it will override as it happens later): Joomla.request({
method: 'POST',
url: 'https://www.joomla.org/administrator/index.php?option=com_config&task=application.sendtestmail&format=json',
headers: {'X-CSRF-Token': Joomla.getOptions('csrf.token', '')} // Manually force sending the CSRF on a foreign domain NOT SAFE!!!!
});
Done
Done @Fedik any better now? |
7c808b0
to
ea502c0
Compare
ea502c0
to
6dff14f
Compare
Yeap, looks better now, and much more clean :)
btw, is part of Window object, window.location.origin, or in |
dc5ee9a
to
5cb5e38
Compare
if we get 2 tests we can merge this @SniperSister can you please have a look as jsst ? |
I have tested this item ✅ successfully on 5cb5e38 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39580. |
I have tested this item ✅ successfully on 5cb5e38 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39580. |
RTC This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39580. |
Makes perfect sense, fine for me! |
Thank you Dimitris @dgrammatiko for this PR! |
See #39969 suspect we might need to head back to the original patch |
Honestly the project should deprecate the Joomla.request and transition to fetch (without any magic wrapper). FWIW if the patch doesn't cover all the case then just do complete revert of this 🤷♂️ |
I mean we'd still need to document all this stuff in CSRF tokens anyhow. Not really sure doing that fixes anything in respect of this (totally understand fetch is better than the xhr stuff we're wrapping and don't dispute moving to that makes a huge amount of sense) |
Yes, this is crucial to be communicated properly as the leaking of CSRF could easily lead to a complete compromise of the site.
Actually, this bug reveals one more thing that is done awfully wrong in the XHR wrapper and also in the server side response. The XHR response on either the onSuccess or the onError should should be checked that is ok (ie the request asked for JSON and the response is not) also the response from the server should NOT be a 200 but something like 4XX or 5XX. Anyways what I was actually proposing was the immediate deprecation of the |
Pull Request is alternative to #39343
Summary of Changes
Joomla.request
ONLY for the site's domainheaders: {'X-CSRF-Token': Joomla.getOptions('csrf.token', '')}
Testing Instructions
/administrator/index.php?option=com_config
and try to send a test mail, it should work (assuming your test site is properly set the mail server)refresh the page and run click on the send test mail again, observe the request (in the browser console) that has the x-csrf
refresh the page and run click on the send test mail again, observe the request (in the browser console) that has the x-csrf
refresh the page and run click on the send test mail again, observe the request (in the browser console) that has the x-csrf
Actual result BEFORE applying this Pull Request
CSRF send to all domains
Expected result AFTER applying this Pull Request
CSRF is only for local use
Link to documentations
Please select:
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed