extending CSRF support

[fpoulain]

Hi,

It would be great if sympa extends CSRF support. Currently, we have some lists opened to subscription with auth (email loop). Those subscribe forms are spamed by bots (thousand per day). We don't have any real solution avoiding this at hosting level.

Several techniques could limit spam, starting with a CSRF token.

I saw that since 2c0e810 and b30815c there is csrf protection. Could it be possible please to (maybe optionally) extends this protection for all public forms?

[ikedas]

Hi @fpoulain, could you please tell us what version of Sympa you are using?

[fpoulain]

Hi @ikedas, currently we are using Debian Stretch's version (6.2.16). Migrating to Buster is planed.

[ikedas]

Hi @fpoulain,

Feature of CSRF tolerance is available on Sympa 6.2.40 or later. On Debian, Sympa with this feature is provided by buster or bullseye. Unfortunately buster stretch does not provide it.

[fpoulain]

Feature of CSRF tolerance is available on Sympa 6.2.40 or later.

Nice. Is it generalized to all forms posts ?

[ikedas]

I think it is generalized to all forms which are provided by WWSympa.

[ikedas]

Close by now.