Missing CSRF protection #111
Comments
1.0.2 Bugfix release

### Backend
- Emit a more specific error message for cases like #160.
- The timeout for calls to `intelmqctl` has been raised to 20s (#164).

### Pages
#### Configuration
- Underscore is now allowed for new parameter names (#153).
#### Monitor
* Fix link to monitor page (#157).

### Documentation
- Add a FAQ and add a section about the docker issue (#160).
- Add instructions for Debian 9, Ubuntu 18.04, and openSUSE Leap 42.3, 15.0 (#168).

### Packaging
- Include a positions file matching the default configuration of intelmq (#171).

### Known issues
* Missing CSRF protection (#111).
* Missing copyright notices (#140).
* Graph jumps around on "Add edge" bug component (#148).
* new runtime parameters with _ not possible (#153).
* wrong error message for new bots with existing ID (#152).
* Queue size for deleted queue remains displayed (#158).
Looking at the issue to see if customers are interested. It seems https://api.jquery.com/jQuery.getJSON/ calls are used in the PHP files, so .getJSON to .ajax(), and considering whether to use a different jQuery or another library (as the bundled jQuery 1.11 is getting old).
Things which need to be done (aka rough plan):
Sunet contracted us (from Intevation) to resolve this issue; the timeframe is within two months.
We need longer to fix this. (Corona has slowed us down, among other things.)
#142 seems to be under control, our new branch https://github.com/Intevation/intelmq-manager/tree/dev-python-backend-webpart has updated jquery and bootstrap libraries.

Web client part

Now it would be useful to have a modal Bootstrap 3 login form from the webapp which works by using a POST endpoint and gets a token that will be used in subsequent requests to the server as part of the header. To have a backend to develop against, it would be cool to have a hug example, see hugapi/hug#863. We also have to make sure that the token is saved on the client, even if the page is switched; maybe the local/session storage can be used for this.
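The token flow sketched in the comment above (POST login endpoint issues a token, later state-changing requests must carry it in a header) is also what closes the gap described in this issue, where `php/save.php` and `php/controller.php` accept requests with neither an authentication cookie nor a CSRF token. The following is an added illustration, not code from intelmq-manager or its Python backend; `SessionStore`, `check_request`, the cookie name `session` and the header name `X-CSRF-Token` are all assumed names chosen for the example. It shows the server-side check that a request must pass: a valid session cookie for any method, plus a matching CSRF token header for anything that is not a safe (read-only) method.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example for illustration; not intelmq-manager code.
# Cookie and header names are assumptions.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SESSION_COOKIE = "session"
CSRF_HEADER = "X-CSRF-Token"


@dataclass
class Session:
    user: str
    csrf_token: str


class SessionStore:
    """In-memory session table keyed by an unguessable session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Tuple[str, str]:
        """Handler for the POST login endpoint: returns (session id, CSRF token).

        The session id belongs in an HttpOnly cookie; the CSRF token is handed
        back in the response body so the web client can store it and send it as
        a header on subsequent requests. Because the token is never in a cookie,
        a cross-site form post cannot supply it.
        """
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, csrf_token=token)
        return sid, token

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def check_request(self, method: str, cookies: Dict[str, str],
                      headers: Dict[str, str]) -> Optional[str]:
        """Return the authenticated user, or None if the request must be rejected.

        Rejection reasons: no/unknown session cookie; or a state-changing
        method without a CSRF header that matches the session's token.
        """
        sid = cookies.get(SESSION_COOKIE)
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None  # unauthenticated: the situation this issue reports

        if method.upper() in SAFE_METHODS:
            return session.user  # read-only requests need only the cookie

        # Header names are case-insensitive on the wire; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(CSRF_HEADER.lower(), "")
        # Constant-time comparison so token checking does not leak timing.
        if not hmac.compare_digest(presented, session.csrf_token):
            return None
        return session.user


if __name__ == "__main__":
    store = SessionStore()
    sid, token = store.login("alice")
    print(store.check_request("POST", {"session": sid}, {}))                      # None
    print(store.check_request("POST", {"session": sid}, {"X-CSRF-Token": token}))  # alice
```

The same check would sit in front of every endpoint that changes configuration; a save handler that skips it is exactly the `save.php` situation from the issue description.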
2.2.0 Feature release

This IntelMQ Manager version requires IntelMQ >= 2.2.0.

### Backend
- `config`: Get file paths from `intelmctl debug --get-paths` if possible and fall back to hard-coded paths otherwise. Thereby environment variables influencing the paths are respected (certtools#193).

### Pages
#### About
- Show output of `intelmqctl debug`.

### Documentation
- Update release from intelmq's release documentation.
- Update Installation documentation: Fix & update dependencies and supported operating systems.

### Packaging
- Update default `positions.conf` to the default runtime/pipeline configuration of intelmq >= 2.1.1.

### Known issues
* Missing CSRF protection (certtools#111).
* Graph jumps around on "Add edge" (certtools#148).
* wrong error message for new bots with existing ID (certtools#152).
* `ALLOWED_PATH=` violates CSP (certtools#183).
* Monitor page: Automatic log refresh reset log page to first one (certtools#190).
Some progress on our side in small steps:
Technical: how to connect fast to a persistent session and user db

Idea: Using sqlite with a small db file should leave this file in memory via the file system caches.

One problem: the sqlite3 module is not threadsafe, and Apache and other web servers may use threads to serve requests fast.

Solution idea: Trying a different Python module, apsw, which is thread-safe (https://rogerbinns.github.io/apsw/pysqlite.html#pysqlitediffs).

Turns out apsw has problems with mod_wsgi (at least in our tests it did not work well; we suspect the use of Python subinterpreters and forking by mod_wsgi as a possible root for conflicts between the two pieces of software). So we went back to pysqlite.
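One way to stay on the standard `sqlite3` module under a threaded web server, as an added example and not the approach the project's backend actually took: give each thread its own connection rather than sharing one, which is what the module's thread restriction is about. `SessionDB` and `run_demo` are names assumed here; the table layout is constructed for the illustration and the database is a throwaway file in a temporary directory.

```python
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path
from typing import Optional, Tuple

# Constructed example, not intelmq-manager code. Table layout is assumed.


class SessionDB:
    """Session store on a small sqlite file, one connection per thread.

    sqlite3 connection objects must not be shared between threads, but
    several connections to the same file are fine; a threading.local holds
    the per-thread handle. WAL mode lets readers proceed while one writer
    holds the lock, and timeout= makes writers wait instead of failing.
    """

    def __init__(self, path: str) -> None:
        self._path = path
        self._local = threading.local()
        with self._conn() as c:
            c.execute(
                "CREATE TABLE IF NOT EXISTS session ("
                "id TEXT PRIMARY KEY, user TEXT NOT NULL)"
            )

    def _conn(self) -> sqlite3.Connection:
        conn = getattr(self._local, "conn", None)
        if conn is None:
            conn = sqlite3.connect(self._path, timeout=10)
            conn.execute("PRAGMA journal_mode=WAL")
            self._local.conn = conn
        return conn

    def store(self, sid: str, user: str) -> None:
        # "with conn" commits on success and rolls back on an exception.
        with self._conn() as c:
            c.execute("INSERT OR REPLACE INTO session VALUES (?, ?)", (sid, user))

    def lookup(self, sid: str) -> Optional[str]:
        row = self._conn().execute(
            "SELECT user FROM session WHERE id = ?", (sid,)
        ).fetchone()
        return row[0] if row else None

    def count(self) -> int:
        return self._conn().execute("SELECT COUNT(*) FROM session").fetchone()[0]


def run_demo(n: int = 50, workers: int = 8) -> Tuple[int, Optional[str]]:
    """Write n sessions from a thread pool and report (row count, one lookup).

    Uses a fresh file in a temporary directory so the demo runs offline
    and leaves no state behind in the working directory.
    """
    db_path = str(Path(tempfile.mkdtemp()) / "sessions.sqlite")
    db = SessionDB(db_path)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # Each pool thread lazily opens its own connection on first use.
        list(pool.map(lambda i: db.store(f"sid-{i}", f"user-{i}"), range(n)))
    return db.count(), db.lookup("sid-7")


if __name__ == "__main__":
    print(run_demo())
```

The per-thread handle is the piece a shared module-level connection lacks; apsw avoids the restriction differently, but as the comment notes that did not coexist well with mod_wsgi in the team's tests.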
#202 implements a working version of CSRF protection (with some rough edges, but it is a significant improvement over having no protection).
I think we can close here, as the authentication part is done. Thanks @Intevation for the implementation and @SUNET for the funding!
php/save.php and php/controller.php can be called without an authentication cookie or CSRF token.