CSRF protection
hickory - July 14, 2008 - 15:02
| Project: | Taxonomy API and REST interface |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
Is there anything that stops a malicious page from deleting/adding taxonomy terms using CSRF?

#1
The code is (now) checking $_SERVER['HTTP_REFERER'] to attempt to make sure that we are receiving updates from our actual server.
Thanks for the heads-up. We had not quite looked into this in too much detail because an attack would require knowledge of the node and tids owned by the user on our site.
I'll look into better ways to secure against this.
#2
I have now added token based security for updates. A token needs to be submitted with each request, and this is bound to the nid of the affected node.
I don't really think I can make this any better, so will close the issue.
Thanks very much for the heads up.
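The token scheme described in #2, as an added example written for this page in Python rather than the module's PHP (it is not the module's code). It assumes a server-side private key, the caller's session id and a hypothetical `handle_term_update` handler; this example also binds the token to the session, not only to the nid, and rejects non-POST requests.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed for the demo: in a real deployment the key is loaded from
# configuration (Drupal keeps one in the 'drupal_private_key' variable).
PRIVATE_KEY = secrets.token_bytes(32)


def make_token(session_id: str, nid: int) -> str:
    """HMAC token bound to one session and one node id.

    A token issued for node 42 in session A is useless for node 43, and useless
    in any other session, so a cross-site page cannot mint or reuse one.
    """
    msg = f"{session_id}:{nid}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, nid: int) -> bool:
    """Constant-time comparison against the token this caller should hold."""
    expected = make_token(session_id, nid)
    return hmac.compare_digest(token, expected)


def handle_term_update(request: dict, session_id: str) -> Tuple[int, str]:
    """Hypothetical update handler (not the module's): POST only, token required,
    and the token must match the nid named in the request body."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    try:
        nid = int(request["nid"])
    except (KeyError, ValueError):
        return 400, "missing or invalid nid"
    token = request.get("token", "")
    if not valid_token(token, session_id, nid):
        return 403, "bad token"
    # Apply the taxonomy change to node `nid` here.
    return 200, f"updated node {nid}"


if __name__ == "__main__":
    sess = "sess-a"  # constructed session id
    good = {"method": "POST", "nid": "42", "token": make_token(sess, 42)}
    forged = {"method": "POST", "nid": "42"}  # what a cross-site form can send
    print(handle_term_update(good, sess))    # (200, 'updated node 42')
    print(handle_term_update(forged, sess))  # (403, 'bad token')
```

The token is handed to the legitimate page (for example in the form or in a JS variable) and never appears in a URL, so a third-party site that can make the user's browser submit a request still has no way to learn or compute it.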
#3
Does core have js token functionality yet? If not, it probably should for cases like this, or a unified Ajax controller.
#4
I have not yet had the chance to sit down and implement AJAX stuff in detail yet. I designed this so that, when the time came, I could add JS interaction. So, I will have to do some exploring.
#5
"Does core have js token functionality yet?"
Tokens for GET requests, avoiding the need for confirmation pages, would be very useful (on 'logout' links, for example).
#6
Automatically closed -- issue fixed for two weeks with no activity.