[4.x] - com_finder doesn't stop indexing on CSRF token mismatch #29979
Conversation
|
FYI @joomla/security |
|
Any idea why this is not at the beginning of the functions? |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
IIRC github limts mention of teams to member of the org. I can confirm that this is still a valid team. |
maybe for errors logging, that is at the beginning of the function :) |
|
I removed said line and clicked the Index button in the Smart Search: Indexed Content page. The Modal dialog appeared and hung - am I supposed to look somewhere else for the error? This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29979. |
|
I should have said - both with and without the patch. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29979. |
Literally any response with a form returns that token to the active user, that's how CSRF tokens are designed. I agree that it can be removed (and did so by updating this PR) however I can't see any risk associated with this behavior.
Done
Is it just a blank page? Or do you have any error message or output in there? |
This comment was marked as abuse.
This comment was marked as abuse.
|
The modal hangs. An error message is not displayed. In the console:
|
Quy
added
the
Updates Requested
|
With new update to Beta4-Dev, after removing the line and applying the patch the modal hangs - so I think this is a fail! This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29979. |
|
I suspect (don't have a way to test right now) that if there's an error thrown in a plugin that this will now longer be indexable second time around by dropping the token. Fedik's sample code shows the token in the response is being used. I don't see why we should remove it here. It's no different to submitting a frontend login form that has an invalid token |
|
I have tested this item 🔴 unsuccessfully on da7a77d This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29979. |
|
Failed with the error message not being displayed. The Indexer just hangs when you click on it when the token has been manually changed.
Additionally, developer tools shows the following: |
joomla-cms-bot
added
the
NPM Resource Changed
|
@particthistle you able to test this one again? Think I've fixed that bug (now requires NPM to be run I'm afraid) |
|
My screen |
|
I have tested this item ✅ successfully on 797aa4d
Changing token after applying PR results in error message. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29979. |
|
I have tested this item ✅ successfully on 797aa4d This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29979. |
|
Thanks! |
Summary of Changes
Added the required "return" statements after sending the error message to prevent the process from continuing.
Testing Instructions
<input id="finder-indexer-token" type="hidden" name="<?php echo Factory::getSession()->getFormToken(); ?>" value="1">to<input id="finder-indexer-token" type="hidden" name="123" value="1">in administrator/components/com_finder/tmpl/indexer/default.php and hit the "reindex" button again - an error message is shown.
Actual result BEFORE applying this Pull Request
The error message is test case two isn't shown because the returned response is invalid
Expected result AFTER applying this Pull Request
Error is shown