Fix CSRF validation for remotecontrol API route #3599
Conversation
| @@ -156,7 +156,7 @@ | |||
| 'noCsrfValidationParams' => array(), | |||
| 'noCsrfValidationRoutes' => array( | |||
| 'rest', | |||
| 'remotecontrol', | |||
There was a problem hiding this comment.
It feels like a breaking change to expect users to update this if they have overridden this in their config, so I wonder if the maintainers feel strongly about relaxing the regex in application/core/LSHttpRequest.php instead.
There was a problem hiding this comment.
surely if a user override this, they extend the array, not replace it
There was a problem hiding this comment.
It feels like a breaking change to expect users to update this if they have overridden this in their config, so I wonder if the maintainers feel strongly about relaxing the regex in
application/core/LSHttpRequest.phpinstead.
The commit was done to be sure to allow only needed route :). Relaxing : less CRSF control. I think we must keep current regexp.
There was a problem hiding this comment.
yeah I agree, it needs to stay as the more restrictive regexp
the issue before is that routes that match a portion of the routes exempted from csrf checking would also be exempt
ie
- rest/v1/session
- admin/menus/sa/restore
both are exempted because they contain "rest" anywhere
this is definitely not desirable for security
edgarrmondragon
changed the title
* test: Fix test against Limesurvey `master` branch * Cache docker * Revert "Cache docker" This reverts commit 833fb94. * Try a different commit * Fix RC route * Remove redundant case * Add TODO See LimeSurvey/LimeSurvey#3599
|
i don't think this is sufficient to fix the regression, please see my note: https://bugs.limesurvey.org/view.php?id=19220 |
I think it's OK here, why not sufficient ? |
|
only fix get, not path routing |
edgarrmondragon
force-pushed
the
fix/noCsrfValidationRoutes-remotecontrol
branch
from
22ffba6
to
d4b0490
Compare
okay remote control works now using get and path routing weird to note that /admin/remotecontrol -> /admin/remotecontrol but /rest/v1/session -> rest/v1/session if it was the same then you would just have needed to fix remotecontrol -> admin/remotecontrol and no need to worry about the leading slash |
It must be done on route, no dependant on path or get , then fix this part : LimeSurvey/application/core/LSHttpRequest.php Line 158 in 70b0989 It seems OK : https://www.yiiframework.com/doc/api/1.1/CUrlManager#parseUrl-detail
Fix BOTH routing |
Strange ? Seems parseUrl function is broken ? In my opinon: route for And route It's not the case ? (then maybe best is to extend it : |
|
The offedning PR was reverted. |
|
I will be working on this. Probbly on a new PR with a proper name |
|
@gabrieljenik gotcha. Feel free to close this. |
Fixes an error introduced in #3588. The changes made the remote control route,
admin/remotecontrol, no longer skip CSRF validation.I can report the bug in https://bugs.limesurvey.org, but this error is present only in the
masterbranch and I thought it quicker to send a PR.Fixed issue #19220