
Handle the CSRF vulnerability #230

Merged
merged 6 commits into from Sep 1, 2015

Contributor

ianchanning commented Aug 26, 2015

The WordPress vulnerability seems valid. I have added in a nonce to prevent CSRF attacks. I've currently only tested on my local Windows machine in Firefox.

  1. I've tested using the attack suggested by WordPress of POSTing a form with buried JavaScript - this would work on the v3.4.4 plugin as it would run the JavaScript
  2. Now the plugin will give the standard 'Are you sure you want to do this?' if the form is POSTed without the nonce
  3. I've tested that changing the default language and re-submitting still works correctly
  4. I've tested that the Edit Language form still works (this doesn't have a nonce on it as POSTed values aren't inserted)
  5. I've tested that the Add Language form will generate errors correctly
  6. I've tested that a Language can be successfully added
  7. I made a tweak to the submit button classes for the Add / Edit language forms to put the current WordPress submit button styles on them
  8. I've updated the version numbers to 3.4.5 and created a tag

Ian Channing added some commits Aug 26, 2015

Ian Channing
Bug fix, add in CSRF nonce checks
1. In admin/qtx_admin_utils.php, new function qtranxf_verify_nonce to check if the form has been submitted from within the admin area
2. In admin/qtx_configuration.php, call the qtranxf_verify_nonce function and set the nonce hidden fields for the configuration form
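The nonce check described in the PR description and the commit message above, written out as an added illustration rather than the plugin's actual merged code: an admin settings handler in its unprotected shape beside the nonce-protected one. Only `wp_nonce_field`, `check_admin_referer`, `wp_verify_nonce`, `current_user_can`, `update_option`, `sanitize_text_field` and `wp_unslash` are real WordPress core functions; every `example_*` name, the option name and the nonce action string are assumptions for this example.

```php
<?php
// Added illustration of the CSRF fix pattern; not the merged qTranslate-X code.
// Assumed: this runs inside a plugin admin page callback after WordPress has
// loaded, so the core nonce helpers are available.

// --- Before (the v3.4.4 shape): any POST that reaches the page is processed.
// A third-party page that auto-submits a form to this admin URL is accepted,
// because the browser attaches the logged-in admin's cookies to the request.
function example_save_settings_unprotected() {
    if ( isset( $_POST['default_language'] ) ) {
        $lang = sanitize_text_field( wp_unslash( $_POST['default_language'] ) );
        update_option( 'example_default_language', $lang );
    }
}

// --- After: bind the form to a nonce and refuse POSTs that lack a valid one.
const EXAMPLE_NONCE_ACTION = 'example_save_settings'; // assumed action name

// Emits the hidden nonce field inside the settings <form>; this is the
// "set the nonce hidden fields" half of the fix.
function example_render_nonce_fields() {
    wp_nonce_field( EXAMPLE_NONCE_ACTION, '_wpnonce' );
}

// Plays the role the PR gives to qtranxf_verify_nonce. check_admin_referer()
// validates the nonce and, on failure, stops the request with wp_die() and the
// standard "Are you sure you want to do this?" page, so nothing after it runs.
function example_verify_nonce() {
    check_admin_referer( EXAMPLE_NONCE_ACTION, '_wpnonce' );
}

// Non-fatal variant for callers that want to report an error themselves:
// wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
function example_nonce_is_valid() {
    return false !== wp_verify_nonce( $_POST['_wpnonce'] ?? '', EXAMPLE_NONCE_ACTION );
}

function example_save_settings_protected() {
    if ( ! isset( $_POST['default_language'] ) ) {
        return; // nothing was submitted, so there is nothing to verify
    }
    // A nonce proves the request came from a form this site rendered; it is
    // not an authorization check, so the capability test still belongs here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    example_verify_nonce();
    $lang = sanitize_text_field( wp_unslash( $_POST['default_language'] ) );
    update_option( 'example_default_language', $lang );
}
```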
Contributor Author

ianchanning commented Aug 26, 2015

I've now also included the bug fix to remove the deprecated warning in #226

Contributor Author

ianchanning commented Aug 26, 2015

This is to fix #222

johnclause added a commit that referenced this pull request Sep 1, 2015

Merge pull request #230 from ianchanning/master
Handle the CSRF vulnerability

@johnclause johnclause merged commit 758f825 into qTranslate-Team:master Sep 1, 2015

Member

johnclause commented Sep 1, 2015

Thank you, @ianchanning. I have already checked in the fix for the security problem; it is being reviewed right now, hopefully, but all your changes are very helpful as well.
