It is possible to circumvent CSRF protection on TranskripRequest/add #30
Comments
Hi, just got this news from @levint55. I have a suggestion to make all the URLs uniform so that they mimic a RESTful API, so instead of doing (maybe we can make it cuter with What do you think? On the implementation side, we just need to move the HTTP method checking to the
Thanks @darknight060198 for the fix! @chez14 Thank you for the suggestion. I will attend to your comment soon.
Hi @chez14, thank you for your suggestion. I may be old school, but as of now I don't have any plans to convert this portal to newer web standards, with the following considerations:
There is an alternative, though: if the admin team wants to take over this whole project, I will be willing to hand it over to them. I cannot transfer it to you personally because, although you have the technical capabilities, this project must be continued even after you graduate. I am closing this issue. Please reopen if you want to appeal. Thank you.
Ahh I see, I don't think admin will have time for managing an OSS project right now, since we have things to do with our backend too, so I'll leave it like this then hehe.
Simply by issuing a `GET` method to https://bluetape.azurewebsites.net/TranskripRequest/add. This is because only `POST` methods are CSRF protected. The possible fix is to filter the controller function to only process `POST` requests, not others.

Special shoutout to @rrrr98 for finding this issue 🙏
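The bypass and the proposed fix described in this issue, as an added example that is not BlueTape's own code: a framework-agnostic Python model in which the token check runs only for POST. The handler names, the request dictionaries and the `type` parameter are hypothetical.

```python
# Framework-agnostic model of the issue; every name here is hypothetical.
import hmac
import secrets


def csrf_filter(request, session):
    """Token check as described in the issue: it runs only for POST."""
    if request["method"] != "POST":
        return True  # other methods pass through unchecked
    sent = request["params"].get("csrf_token", "")
    return hmac.compare_digest(sent, session["csrf_token"])


def add_vulnerable(request, session, db):
    """State-changing action that never looks at the HTTP method."""
    if not csrf_filter(request, session):
        return 403
    db.append((session["user"], request["params"]["type"]))
    return 200


def add_fixed(request, session, db):
    """Same action with the proposed fix: process POST only."""
    if request["method"] != "POST":
        return 405  # Method Not Allowed, nothing is written
    if not csrf_filter(request, session):
        return 403
    db.append((session["user"], request["params"]["type"]))
    return 200


def demo():
    session = {"user": "student1", "csrf_token": secrets.token_hex(16)}
    # Constructed requests: a cross-site page cannot read the session token,
    # so neither forged request carries a valid one.
    forged_get = {"method": "GET", "params": {"type": "transcript"}}
    forged_post = {"method": "POST", "params": {"type": "transcript"}}
    legit_post = {"method": "POST", "params": {
        "type": "transcript", "csrf_token": session["csrf_token"]}}
    results = {}
    for name, handler in (("vulnerable", add_vulnerable), ("fixed", add_fixed)):
        db = []
        codes = [handler(r, session, db)
                 for r in (forged_get, forged_post, legit_post)]
        results[name] = (codes, len(db))  # status codes, rows written
    return results


if __name__ == "__main__":
    print(demo())
```

In the vulnerable handler the tokenless GET writes a row; with the method filter it is answered with 405 and only the legitimate POST is stored.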