Thread: [Cppcms-users] Suggestion: warn if csrf enabled but missing

Brought to you by: artyom-beilis

cppcms-users

[Cppcms-users] Suggestion: warn if csrf enabled but missing

From: <ele...@ex...> - 2012-04-26 02:47:56

Hi,

This is just a suggestion -

I just spent about 20 minutes trying to figure out why I get forbidden
error(302) while trying to load context() into a rather complex form. And
I completely forgot about adding <% csrf %> to the form.

It would be great if a warning was logged that csrf is enabled but token
is missing.

Thanks,
Petr

Re: [Cppcms-users] Suggestion: warn if csrf enabled but missing

From: Artyom B. <art...@ya...> - 2012-04-26 14:59:34

Such feature would require parsing HTML and it may be not even possible
when for example form is rendered from different locations.

I thought about it, even thought how to automatize the process
but it does not seems to be feasible.


Also note, if the form update fails you should see a notice
about it in logs.
 
Artyom Beilis
--------------
CppCMS - C++ Web Framework:   http://cppcms.com/
CppDB - C++ SQL Connectivity: http://cppcms.com/sql/cppdb/



----- Original Message -----
> From: "ele...@ex..." <ele...@ex...>
> To: cpp...@li...
> Cc: 
> Sent: Thursday, April 26, 2012 5:47 AM
> Subject: [Cppcms-users] Suggestion: warn if csrf enabled but missing
> 
> Hi,
> 
> This is just a suggestion -
> 
> I just spent about 20 minutes trying to figure out why I get forbidden
> error(302) while trying to load context() into a rather complex form. And
> I completely forgot about adding <% csrf %> to the form.
> 
> It would be great if a warning was logged that csrf is enabled but token
> is missing.
> 
> Thanks,
> Petr
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Cppcms-users mailing list
> Cpp...@li...
> https://lists.sourceforge.net/lists/listinfo/cppcms-users
>

Re: [Cppcms-users] Suggestion: warn if csrf enabled but missing

From: <ele...@ex...> - 2012-04-26 22:37:15

Cant you use request().getenv("HTTP_X_CSRFTOKEN"), in combination with
session_interface::validate_csrf_token() for checking presence?

> Also note, if the form update fails you should see a notice
> about it in logs.

Do you mean the "CSRF Validation Failed" message?

Re: [Cppcms-users] Suggestion: warn if csrf enabled but missing

From: Artyom B. <art...@ya...> - 2012-04-27 06:16:00


----- Original Message -----
> From: "ele...@ex..." <ele...@ex...>
> Cant you use request().getenv("HTTP_X_CSRFTOKEN"), in combination with
> session_interface::validate_csrf_token() for checking presence?
>

validate_csrf_token uses getenv as one of the options.

I don't see the point? How would it help.

>>  Also note, if the form update fails you should see a notice
>>  about it in logs.
> 
> Do you mean the "CSRF Validation Failed" message?
> 

The message is written as warning to logs:

cppcms, warning: CSRF validation failed IP=XXX SCRIPT_NAME=/yyy PATH_INFO=/zzz (session_interface.cpp:120)

Make sure that logging.level is set to at least warnings level, by default only errors
are written.

See:  http://cppcms.com/wikipp/en/page/cppcms_1x_config#logging.level
 
Artyom Beilis
--------------
CppCMS - C++ Web Framework:   http://cppcms.com/
CppDB - C++ SQL Connectivity: http://cppcms.com/sql/cppdb/