Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle the CSRF vulnerability #230

Merged
merged 6 commits into from
Sep 1, 2015
Merged

Handle the CSRF vulnerability #230

merged 6 commits into from
Sep 1, 2015

Conversation

ianchanning
Copy link
Contributor

The WordPress vulnerability seems valid. I have added in a nonce to prevent CSRF attacks. I've currently only tested on my local Windows machine in Firefox.

  1. I've tested using the attack suggested by WordPress of POSTing a form with buried Javascript - this would work on the v3.4.4 plugin as it would run the Javascript
  2. Now the plugin will give the standard 'Are you sure you want to do this?' if the form is POSTed without the nonce
  3. I've tested that changing the default language and re-submitting still works correctly
  4. I've tested that the Edit Language form still works (this doesn't have a nonce on it as POSTed values aren't inserted)
  5. I've tested that the Add Language form will generate errors correctly
  6. I've tested that a Language can be successfully added
  7. I made a tweak to the submit button classes for the Add / Edit language forms to put the current WordPress submit button styles on them
  8. I've updated the version numbers to 3.4.5 and created a tag

Ian Channing added 5 commits August 26, 2015 04:48
Bug fix, add in CSRF nonce checks
e3f6bcc 
1. In admin/qtx_admin_utils.php, new function qtranxf_verify_nonce to check if the form has been submitted from within the admin area
2. In admin/qtx_configuration.php, call the qtranxf_verify_nonce function and set the nonce hidden fields for the configuration form
Updating the version numbers
ac79a8d
Bug fix, add in the nonce for the add language form as it POSTs data …
4244f34 
…to the same page
UI improvement, set the primary button class on the Language form sub…
89706c4 
…mit buttons
Bug fix, switch deprecated instantiation of WP_Widget
91ac160
@ianchanning
Copy link
Contributor Author

I've now also included the bug fix to remove the deprecated warning in #226

@ianchanning
Copy link
Contributor Author

This is to fix #222

@mvandemar mvandemar mentioned this pull request Aug 28, 2015
Closed
johnclause added a commit that referenced this pull request Sep 1, 2015
@johnclause
Merge pull request #230 from ianchanning/master
758f825 
Handle the CSRF vulnerability
@johnclause johnclause merged commit 758f825 into qTranslate-Team:master Sep 1, 2015
@johnclause
Copy link
Member

Thank you, @ianchanning , I have already checked in the fix for security problem, it is being reviewed right now hopefully, but all your changes are very helpful as well.

This was referenced Sep 1, 2015
Closed
Closed
Closed
Closed
This was referenced Jun 22, 2018
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ianchanning @johnclause