Closed (fixed)
Project:
Taxonomy API and REST interface
Version:
5.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
14 Jul 2008 at 15:02 UTC
Updated:
4 Aug 2008 at 11:26 UTC
Is there anything that stops a malicious page from deleting/adding taxonomy terms using CSRF?
Comments
Comment #1
the greenman commented:
The code is (now) checking $_SERVER['HTTP_REFERER'] to attempt to make sure that we are receiving updates from our actual server.
Thanks for the heads up. We had not quite looked into this in too much detail because an attack would require knowledge of the node and tids owned by the user on our site.
I'll look into better ways to secure against this.
Comment #2
the greenman commented:
I have now added token based security for updates. A token needs to be submitted with each request, and this is bound to the nid of the affected node.
I don't really think I can make this any better, so will close the issue.
Thanks very much for the heads up.
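An added illustration of the scheme described in this comment, not the module's own code: the token is an HMAC over the user's session id and the nid, so a token leaked or guessed for one node does not authorise changes to another, and a request that omits it is refused. The secret, session id and request dictionaries are constructed here for the example.

```python
import hashlib
import hmac

# Constructed server-side secret for this example; a real deployment would use a
# persistent, randomly generated private key that never reaches the browser.
SERVER_SECRET = b"constructed-private-key-for-example-only"


def make_token(session_id: str, nid: int, secret: bytes = SERVER_SECRET) -> str:
    """Derive a token bound to both the current session and the node being edited."""
    message = f"{session_id}:{nid}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_token(token: str, session_id: str, nid: int, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the expected token and compare in constant time.

    A token minted for another nid or another session fails here, which is what
    stops a cross-site page from replaying a value it obtained elsewhere.
    """
    if not token:
        return False
    expected = make_token(session_id, nid, secret)
    return hmac.compare_digest(token, expected)


def handle_update(request: dict, session_id: str) -> str:
    """Simulated update endpoint: act only when the token matches the nid in the request.

    Unlike a Referer check, this does not depend on a header the browser may omit
    or that a privacy proxy may strip; the token must be present and correct.
    """
    nid = int(request.get("nid", 0))
    if not verify_token(request.get("token", ""), session_id, nid):
        return "rejected"
    return f"updated node {nid}"


if __name__ == "__main__":
    sid = "constructed-session-id"
    good = make_token(sid, 5)
    print(handle_update({"nid": 5, "token": good}, sid))      # updated node 5
    print(handle_update({"nid": 6, "token": good}, sid))      # rejected
    print(handle_update({"nid": 5}, sid))                     # rejected
```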
Comment #3
tjholowaychuk commented:
Does core have JS token functionality yet? If not, it probably should for cases like this, or a unified Ajax controller.
Comment #4
the greenman commented:
I have not yet had the chance to sit down and implement AJAX stuff in detail yet. I designed this so that, when the time came, I could add JS interaction. So, I will have to do some exploring.
Comment #5
hickory commented:
"Does core have js token functionality yet?"
Tokens for GET requests, avoiding the need for confirmation pages, would be very useful (on 'logout' links, for example).
Comment #6
Anonymous (not verified) commented:
Automatically closed -- issue fixed for two weeks with no activity.