CSRF directory needs to be writeable for creating the csrf-secret.php file #5194

Closed
thurban opened this issue Jan 26, 2023 · 2 comments
Labels
bug Undesired behaviour confirmed Bug is confirm by dev team resolved A fixed issue

thurban commented Jan 26, 2023

Describe the bug

During the installation, the installer tells you to make the CSRF path read-only after the installation has finished. It does not tell you where it is or provide an example of how to set the write permissions.
The installation completes regardless of the setting, but it causes a lot of permission error logging in the Cacti log.

Also, the csrf-secret.php file can be accessed directly, exposing the secret to the web. It should be hidden and not return the plain secret.

To Reproduce

Install a fresh Cacti

Expected behavior

Either show example commands or move the csrf-secret.php somewhere where it can be written/created.

@thurban thurban added bug Undesired behaviour unverified Some days we don't have a clue labels Jan 26, 2023
@TheWitness
Member

@netniV, assigned this to you. I think at least in the example we should show the vendor directory, without much explanation as a directory that only requires write for install. This is a one line change. We can do something glorious (aka different) in 1.3.

@TheWitness TheWitness added confirmed Bug is confirm by dev team and removed unverified Some days we don't have a clue labels Feb 5, 2023
@TheWitness TheWitness assigned TheWitness and unassigned netniV Feb 5, 2023
@TheWitness
Member

Changing the assignment here since we have a little more time before release.

@TheWitness TheWitness added the porting required Requires porting to develop label Feb 5, 2023
TheWitness added a commit that referenced this issue Feb 5, 2023
CSRF directory needs to be writeable for creating the csrf-secret.php file
@TheWitness TheWitness added the resolved A fixed issue label Feb 5, 2023
@TheWitness TheWitness added this to the v1.2.24 milestone Feb 5, 2023
@TheWitness TheWitness removed the porting required Requires porting to develop label Feb 20, 2023
@github-actions github-actions bot locked and limited conversation to collaborators May 22, 2023
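
The permission lifecycle the report asks the installer to document, as an added example that is not part of the issue thread or of Cacti's code. The directory is passed as an argument because the thread does not give its path; the 750/550/440 modes, the state names, and the assumption that the web server account owns the directory are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: the directory is owned by the web server
# account, so "owner-writable" means "the web application can write here".
SECRET_NAME="csrf-secret.php"

# Ten-character mode string from ls, e.g. "drwxr-x---".
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Before running the installer: let the owner create the secret file.
prepare_for_install() { chmod 750 "$1"; }

# After the installer has finished: drop write access everywhere and
# make the secret unreadable for accounts outside owner/group.
lock_after_install() {
    if [ -f "$1/$SECRET_NAME" ]; then chmod 440 "$1/$SECRET_NAME"; fi
    chmod 550 "$1"
}

# Print one state word for the directory given as $1.
csrf_dir_state() {
    cds_dir=$1
    cds_file="$cds_dir/$SECRET_NAME"
    [ -d "$cds_dir" ] || { echo "missing-dir"; return 0; }
    cds_dmode=$(mode_of "$cds_dir")
    # World-writable directory: any local account can replace the secret.
    case $cds_dmode in ????????w?) echo "unsafe"; return 0 ;; esac
    if [ -f "$cds_file" ]; then
        # A secret readable or writable by "other" leaks or can be altered.
        case $(mode_of "$cds_file") in
            ???????r??|????????w?) echo "unsafe"; return 0 ;;
        esac
        case $cds_dmode in
            ??w???????|?????w????) echo "writable-after-install" ;;
            *) echo "locked" ;;
        esac
    else
        case $cds_dmode in
            ??w???????) echo "install-ready" ;;
            # The case from the issue: the secret cannot be created, the
            # install still completes, and permission errors fill the log.
            *) echo "blocked" ;;
        esac
    fi
}

if [ $# -gt 0 ]; then csrf_dir_state "$1"; fi
```

The checks read mode bits rather than testing writability as the current user, so the result is the same when the audit is run as root.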