Need CSRF token and POST request for creating and deleting comments #3966
Labels
Comments
|
Hi, Thank you for this issue! It's a good idea. Do you think you could
delete your comments from the live site? I think if you wanted to test this
out, you can use https://stable.publiclab.org, which is not our production
site.
Adding a token shouldn't be too hard, and I agree it's a good idea!
I would check out the comment_controller.rb file, and this documentation
for how to ensure we require a CSRF token in those routes:
https://guides.rubyonrails.org/security.html#csrf-countermeasures
Thank you!
…On Wed, Nov 14, 2018 at 10:46 AM Sparks ***@***.***> wrote:
Please describe the problem (or idea)
What happened just before the problem occurred? Or what problem could this
idea solve?
Comments can be created or deleted without checking the CSRF token with
GET request
[image: deepin-screen-recorder_select area_20181114223701]
<https://user-images.githubusercontent.com/17945250/48493423-5c6cbc80-e85e-11e8-9246-965488dc8151.gif>
SImple payload:
<div><img src="https://publiclab.org/comment/answer_create/1254?body=csrf" id="img"></div>
<script>
var img = document.getElementById("img");
img.parentNode.removeChild(img);
</script>
Where 1254 - Answer id
Please show us where to look
https://publiclab.org/
What's your PublicLab.org username?
catimail123
Browser, version, and operating system
Any browser, any system
------------------------------
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#3966>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABfJ2BKhAKBDKlNt-bTDaWq7jvo3v-Rks5uvDrLgaJpZM4YeA9_>
.
|
|
Thank you! Sorry I missed a few. Deleted. |
|
awesome. and great work here!
…On Wed, Nov 14, 2018 at 11:15 AM Sparks ***@***.***> wrote:
Thanks for the link! I deleted comments as soon as I stopped recording gif.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#3966 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABfJ9r29fZtbrqgSZJh3FCSYtaZrXomks5uvEF-gaJpZM4YeA9_>
.
|
|
Also I guess csrf token is needув for likes and dislikes Anyone can do this? |
|
yes, we'd love help with this!
…On Thu, Nov 15, 2018 at 6:03 AM Sparks ***@***.***> wrote:
Also I guess csrf token is need for likes and dislikes
It also using get request now (like
https://publiclab.org/likes/node/123/create)
Anyone can do this?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#3966 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABfJ_7SeFWnowUxXGOrav0ZyeHwTIw5ks5uvUnkgaJpZM4YeA9_>
.
|
|
Hi @thesparks would you like to solve this one? Thanks! |
|
I'm not very good at ruby, I think it's better to someone else to do it.
… 24 дек. 2018 г., в 0:50, Gaurav Sachdeva ***@***.***> написал(а):
Hi @thesparks would you like to solve this one?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Okay, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please describe the problem (or idea)
SImple payload:
Please show us where to look
https://publiclab.org/
What's your PublicLab.org username?
catimail123
Browser, version, and operating system
Any browser, any system
The text was updated successfully, but these errors were encountered: