Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not clear CSRF token on logout (fix for #1303) #3832

Merged
merged 1 commit into from
Mar 30, 2017
Merged

Do not clear CSRF token on logout (fix for #1303) #3832

merged 1 commit into from
Mar 30, 2017

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Mar 13, 2017
edited by GitHubUser4234
Loading

This is a hacky way to allow the use case of #1303.

What happens is

  1. User tries to login
  2. PreLoginHook kicks in and figures out that the user need to change
    their LDAP password or whatever => redirects user
  3. While loading the redirect some logic of ours kicks in and logouts
    the user (thus clearing the session).
  4. We render the new page but now the session and the page disagree
    about the CSRF token

This is kind of hacky but I don't think it introduces new attack
vectors.

TODO:

  • Intergration tests

@GitHubUser4234 can you verify this fixes the issue?
@LukasReschke I hope it does not make your eyes bleed to much.... 馃檲

@rullzer
Do not clear CSRF token on logout (fix for #1303)
bb94b39 
This is a hacky way to allow the use case of #1303.

What happens is

1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token

This is kind of hacky but I don't think it introduces new attack
vectors.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer added this to the Nextcloud 12.0 milestone Mar 13, 2017
@mention-bot
Copy link

@rullzer, thanks for your PR! By analyzing the history of the files in this pull request, we identified @LukasReschke, @nickvergessen and @ChristophWurst to be potential reviewers.

GitHubUser4234
GitHubUser4234 reviewed Mar 14, 2017
View reviewed changes
Copy link
Contributor

@GitHubUser4234 GitHubUser4234 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to fix it, thanks for hacking :))

@rullzer
Copy link
Member Author

rullzer commented Mar 14, 2017

@LukasReschke I've looked into it but can't really think of sane integration tests... suggestions?

@GitHubUser4234
Copy link
Contributor

@LukasReschke Your green light is really appreciated, as when this is solved it allows the review of #1023 to start, thanks a lot :)

@rullzer rullzer added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Mar 30, 2017
@rullzer rullzer merged commit 548871a into master Mar 30, 2017
@rullzer rullzer deleted the fix_1303 branch March 30, 2017 16:25
@rullzer rullzer mentioned this pull request Mar 30, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GitHubUser4234 GitHubUser4234 GitHubUser4234 left review comments

@LukasReschke LukasReschke LukasReschke approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews bug enhancement security
Projects
None yet
Milestone
Nextcloud 12.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@rullzer @mention-bot @GitHubUser4234 @LukasReschke @nickvergessen