Fork me on GitHub
Subscribe 6

Ticket #309 (open enhancement)

Add CSRF tokens

  • Created: 2011-02-22 13:25:03
  • Reported by: Reines
  • Assigned to: None
  • Milestone: 2.0-alpha5
  • Component: security
  • Priority: normal

Instead of checking the referer all forms should make sure of CSRF tokens. This should apply for both users and administrators.


Franz 2011-02-22 22:58:02

  • Type changed from enhancement to task.

Reines 2011-02-22 23:54:03

  • Type changed from task to enhancement.

That's not a task - it's a security enhancement. Tasks are only things like updating documentation/comments/tidying.

Franz 2011-02-22 23:57:50

Fine wink

I was thinking of them as big implementation tasks, too.

Franz 2011-02-22 23:58:21

Refactoring in general in most cases.

Visman 2011-02-23 02:58:53

I use such functions

// Make sure that HTTP_REFERER matches base_url/script
function confirm_referrer($script, $error_msg = false)
    global $pun_config, $lang_common, $pun_user;

    if (isset($_POST['csrf_hash']))
        $hash = $_POST['csrf_hash'];
    else if (isset($_GET['csrf_hash']))
        $hash = $_GET['csrf_hash'];
        message($error_msg ? $error_msg : $lang_common['Bad referrer']);

    preg_match('/^(https?\:\/\/)(www\.)?(.*)$/i', $pun_config['o_base_url'], $regs);
    $script = $regs[3].'/'.$script.get_remote_address();
    $new_hash = pun_hash($script.$pun_user['username']);

    if ($new_hash != $hash)
        message($error_msg ? $error_msg : $lang_common['Bad referrer']);

function csrf_hash()
    global $pun_user;

    preg_match('/^(www\.)?(.*)$/i', $_SERVER['HTTP_HOST'], $regs);
    $script = $regs[2].$_SERVER['SCRIPT_NAME'].get_remote_address();

    return pun_hash($script.$pun_user['username']);

Reines 2011-02-25 00:47:17

  • Milestone changed from 2.0-beta1 to 2.0-alpha5.

Franz 2013-01-16 12:02:02

This is super simple with Laravel, so consider this ticket as making sure all forms (and other relevant requests, like logoff and maybe AJAX stuff!?) contain tokens.

Studio384 2015-09-29 07:36:52

This is related to #1049, no?

adaur 2015-09-30 19:26:47

We should have added these earlier. But it would be too much for the 1.5.x branch, adding tokens everywhere...

Visman 2015-11-06 04:01:16

Why you created one more system for check if it was possible to finish confirm_referrer()? … 8e61183ca8

Now we will have two systems of check of authenticity. It's "cool".

adaur 2015-11-06 08:42:04

Because of an issue you can't see - yet smile

chris98 2015-11-06 14:09:44

Is that ticket #1043 then? I can't view that ticket for some reason, I get a 404. I saw you committing stuff for it yesterday, so AFAIK it does exist.

Studio384 2015-11-06 17:22:52

You can't see #1043 because it is a private ticket.