Fix CSRF validation for remotecontrol API route #3599
Conversation
@@ -156,7 +156,7 @@ | |||
'noCsrfValidationParams' => array(), | |||
'noCsrfValidationRoutes' => array( | |||
'rest', | |||
'remotecontrol', |
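Review bot: with the stricter regex in application/core/LSHttpRequest.php that the thread wants to keep, the 'remotecontrol' entry in noCsrfValidationRoutes no longer matches the remote control route admin/remotecontrol, which is the regression the PR description reports; the entry should be the full route name ('admin/remotecontrol'), and since the thread observes that the parsed route carries a leading slash under path routing but not under GET routing, the check needs to normalise that difference so the entry matches under both modes. An end-to-end test against the remote control endpoint in both routing modes would keep this from regressing again.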
It feels like a breaking change to expect users to update this if they have overridden this in their config, so I wonder if the maintainers feel strongly about relaxing the regex in application/core/LSHttpRequest.php instead.
surely if a user overrides this, they extend the array, not replace it
> It feels like a breaking change to expect users to update this if they have overridden this in their config, so I wonder if the maintainers feel strongly about relaxing the regex in application/core/LSHttpRequest.php instead.

The commit was done to be sure to allow only the needed route :). Relaxing: less CSRF control. I think we must keep the current regexp.
yeah I agree, it needs to stay as the more restrictive regexp.
the issue before is that routes that match a portion of the routes exempted from csrf checking would also be exempt, i.e.
- rest/v1/session
- admin/menus/sa/restore
both are exempted because they contain "rest" anywhere.
this is definitely not desirable for security
* test: Fix test against Limesurvey `master` branch
* Cache docker
* Revert "Cache docker" (This reverts commit 833fb94.)
* Try a different commit
* Fix RC route
* Remove redundant case
* Add TODO (See LimeSurvey/LimeSurvey#3599)
i don't think this is sufficient to fix the regression, please see my note: https://bugs.limesurvey.org/view.php?id=19220

I think it's OK here, why not sufficient?

only fix get, not path routing
22ffba6 to d4b0490
okay, remote control works now using get and path routing. weird to note that /admin/remotecontrol -> /admin/remotecontrol but /rest/v1/session -> rest/v1/session; if it was the same then you would just have needed to fix remotecontrol -> admin/remotecontrol and no need to worry about the leading slash
It must be done on route, not dependent on path or get, then fix this part: LimeSurvey/application/core/LSHttpRequest.php Line 158 in 70b0989
It seems OK : https://www.yiiframework.com/doc/api/1.1/CUrlManager#parseUrl-detail
Fix BOTH routing
Strange? Seems parseUrl function is broken? In my opinion: route for And route It's not the case? (then maybe best is to extend it:
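The two behaviours this thread argues about, the substring match that exempts admin/menus/sa/restore from CSRF checking because it contains "rest", and the leading-slash difference between path routing and GET routing that made the remote control fix work for only one of them, can be reproduced outside the application. The following is an added Python illustration, not the project's PHP code from LSHttpRequest.php; the exemption lists, the sample routes and the function names are constructed here to mirror the entries discussed in the PR.

```python
import re

# Constructed exemption lists modelled on the 'noCsrfValidationRoutes' entries
# in the diff: OLD_EXEMPT mirrors the pre-PR list, NEW_EXEMPT the full route name.
OLD_EXEMPT = ["rest", "remotecontrol"]
NEW_EXEMPT = ["rest", "admin/remotecontrol"]

# Constructed sample routes: the two the thread cites, the remote control route in
# its path-routed ('/admin/...') and GET-routed ('admin/...') forms, and two
# controls that must never be exempt.
SAMPLE_ROUTES = [
    "rest/v1/session",
    "admin/menus/sa/restore",
    "/admin/remotecontrol",
    "admin/remotecontrol",
    "admin/remotecontrolx",
    "admin/survey/sa/index",
]


def normalize_route(route):
    """Drop a leading slash so path routing and GET routing yield the same string.
    This is the normalisation the thread says is missing when only GET routing works."""
    return route.lstrip("/")


def is_exempt_substring(route, exempt):
    """Weak check (the behaviour the thread calls undesirable): a route is exempt
    when any exempt token occurs anywhere in it."""
    r = normalize_route(route)
    return any(re.search(re.escape(token), r) for token in exempt)


def is_exempt_anchored(route, exempt):
    """Stricter check: the exempt entry must equal the route or be a whole
    path-segment prefix of it. 'rest' still covers 'rest/v1/session' but not
    'admin/menus/sa/restore', and a bare 'remotecontrol' entry no longer covers
    'admin/remotecontrol', which is why the config entry had to become the full route."""
    r = normalize_route(route)
    return any(re.match(r"^" + re.escape(token) + r"(?:/|$)", r) for token in exempt)


def exemption_table(routes, exempt):
    """Return {route: (substring_result, anchored_result)} for side-by-side review."""
    return {
        route: (is_exempt_substring(route, exempt), is_exempt_anchored(route, exempt))
        for route in routes
    }


def changed_by_tightening(exempt):
    """Routes that were exempt under the substring check but are not under the
    anchored one. With OLD_EXEMPT this list mixes the intended fix
    (admin/menus/sa/restore) with the regression the PR reports (admin/remotecontrol);
    with NEW_EXEMPT only the intended changes remain."""
    return [
        r for r in SAMPLE_ROUTES
        if is_exempt_substring(r, exempt) and not is_exempt_anchored(r, exempt)
    ]


if __name__ == "__main__":
    for name, exempt in (("old config", OLD_EXEMPT), ("new config", NEW_EXEMPT)):
        print(f"--- {name}: {exempt}")
        for route, (weak, strict) in exemption_table(SAMPLE_ROUTES, exempt).items():
            print(f"{route:26} substring={weak!s:5} anchored={strict!s:5}")
        print("no longer exempt once anchored:", changed_by_tightening(exempt))
```

Running the block shows that tightening the regex alone (old config) drops admin/remotecontrol from the exemption list together with the unwanted admin/menus/sa/restore, whereas the new config entry keeps admin/remotecontrol exempt under both routing forms while still rejecting admin/remotecontrolx and the restore route.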
I think it is OK like this.
I would feel better if there were a full RC test end to end that connects to the server, which is missing. There are functional tests that connect to webdriver, but no tests that connect to the RC endpoint.
The offending PR was reverted.

I will be working on this. Probably on a new PR with a proper name.

@gabrieljenik gotcha. Feel free to close this.
Fixes an error introduced in #3588. The changes made the remote control route, admin/remotecontrol, no longer skip CSRF validation. I can report the bug in https://bugs.limesurvey.org, but this error is present only in the master branch and I thought it quicker to send a PR. Fixed issue #19220