Hi, may I ask if the compile problem has been solved? We have encountered the same problem: the build reports the same error when SSL is 1.1.1. It is fine when SSL is 1.0.2. Thanks.
Hi, I can deploy mod-csrf using the below command on RHEL7. RHEL7 has SSL version 1.0.2. sudo apxs -i -c mod_csrf.c -lcrypto Now when I tried to deploy it on RHEL 8, it failed with the below error. RHEL8 has SSL version 1.1.1k. Error: mod_csrf.c:449:18: warning: unused variable ‘cipher_ctx’ [-Wunused-variable] mod_csrf.c: In function ‘csrf_enc64’: mod_csrf.c:502:18: error: storage size of ‘cipher_ctx’ isn’t known EVP_CIPHER_CTX cipher_ctx; Could you please provide a fix for this issue in a new package? Than...
EVP_CIPHER_CTX_cleanup
After installing mod_csrf, POST works. I can see csrfId=... injected in the POST traffic. But when I tested GET, typing "xyz.com/test.php" into the browser, I can get the expected output (and 200 OK), while typing "xyz.com/test.php?q=yes" (parameter q is not doing anything), I am getting 403 Forbidden. After observing the csrfId value in the POST traffic, if I manually append csrfId=... : "xyz.com/test.php?q=yes&csrfId=...", then I can get the expected output as if I did "xyz.com/test.php" (and...
Thanks Pascal. That worked.
Installing the "openssl-devel" package will probably solve the problem.
Hi, I am getting the below error while building the code. Has anyone built the module successfully? [root apache2]# apxs -i -c mod_csrf.c -lcrypto /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wformat-security -fno-strict-aliasing -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_csrf.lo mod_csrf.c...
When testing the module, I use the Apache standard modules, three optional Apache...
mod_csrf forces Apache to use chunked encoding by default (as the module is going...
additional test data
I've uploaded version 0.9 of mod_csrf which includes a fix to flush the remaining...
fix: flush remaining buffer if response body pa...
add json test script (correct content type)
Thank you for sharing your findings. mod_csrf should "process" HTML responses only,...
I'm using the Apache module called mod_csrf for preventing cross site request forgery....
new id enc
propagate env
REMOTE_PORT
REMOTE_PORT, use apr_itoa
REMOTE_PORT
href
typo
CSRF_ENFORCE, GET, rel. referer
ignore GET only
CSRF_ENFORCE and excl. for GET only
accepts relative referer header URI
adds message text to mod_csrf(021)
adds message text to mod_csrf(021) (referer hea...
Hi Fabrizio, mod_csrf(021): is the referer header check which fails. "id" would be...
Hi everyone. I am trying to use mod_csrf on a Docker instance based on Alpine Linux....
determine host name (server_hostname never cont...
add sample html pages to doc
more headers/(relevant bits)
first release, header sequence id
test empty var
0.1
mod_fp, FP_HeaderOrder
add stub (empty mod_fp)
remove generated file from repo
Hi, since some of my pages don't get injected by mod_csrf by itself, I plan to...
add exclusion test
It worked! The csrf tokens are now being injected. However, I'm finding it weird...
doc changes
you may use the csrf.js script which is included in the mod_csrf tarball
I see. Thank you for your reply. Can I ask where I can find the JavaScript code? is...
The file and the CSRF_ScriptPath is all configured but nothing is injected. Also,...
You need to install not only the module but also the JavaScript file and make...
You need to install the JavaScript on your server and the CSRF_ScriptPath must point...
Hi It is not clear to me how to use the csrfInsert function. Apparently I have to...
Hi, After I installed mod_csrf and also mod_parp, I'm getting 403 Forbidden on my...
style attribute
autocomplete off
Hi, I extended the types array and it is injecting fine on first execution: var types...
OK, I didn't understand how the module is working, nor the whole csrf mechanism....
The ID is not stored anywhere. The idea of mod_csrf is to add the ID at client side...
Let me first make a correction. The guy I was working with didn't realize the default...
We have found that the module is causing some extraneous characters printed in the...
Hello, I am trying to add the csrfpId to the URLs of my web-app with a rewrite-rule...
Thanks for the heads up. I'll see about registering the script in the iframe and leveraging...
First: The injected script is only executed when loading the HTML page (same within...
As I'm slowly starting to understand what's going on, I made this addition: function...
I can't imagine why this happens...
bugfix release
wrong struct in dir config
I am having trouble using the mod with ajax calls, the firebug console says: SyntaxError:...
Thanks for your previous help. I'm running into another issue. In our code we have...
I have managed to get my configuration going though I have another, new issue. I'll...
yes, this is what we are doing now as a workaround: rewrite the request to the specific...
The usage of mod_parp is highly recommended in order to support HTML forms (where...
I am rather not skilled in doing anything with apache, yet have been charged with...
I guess Apache does an internal redirect to "/index.php" when accessing "/" and mod_csrf...
I am trying the module with a redhat 6.5 and it is not adding the JS when I use https://www.myhost.com...
the source of the project is pointing to a test-module. I already downloaded the...
using js to handle post req/body data
js
no no-cache
handles POST using html/js page
snapshot, html/js