[pLog-svn] Anti CSRF solution
markplace at gmail.com
Tue Nov 27 05:38:14 EST 2007
> If we go for your second option, we don't need option 1
> (IMO). Referer checks are not worth the work.
For the admin end, I think the cost of a referer check is really, really cheap and
easy to do. Anyway, we can leave this feature to blog owners; they can add
it by themselves ...
> > 2. For HTTP POST based operations, like add and update, it is easier to
> > provide the protection by adding a one-time token. We need to add one hidden
> > input to each form that we want to protect.
> I already have a working PoC - although with non-random
> nonces - implemented in 1.3, so this is really the way to go;
> it's not as hard as I thought, thanks to the adminaction
> class, which is inherited from in all admin actions.
I think modifying adminaction is easy, but you have to add a hidden input
to all the forms we want to protect, and that's not a fun job .. :P
> > 3. For HTTP GET based operations, that's a big problem. We need to
> > rewrite them as POST-based with one-time token protection; maybe we
> > need an AdminUrlGenerator to take care of this easily.
> Are you referring to the XHR implementations in lt trunk? My PoC
> doesn't work for them yet. I haven't looked at them yet.
> Wouldn't it be possible to add the nonce as an additional
> parameter to the request?
Take deleteComment for example: in LifeType we use "deleteComments" to
delete multiple comments at the same time, and it is an HTTP POST request;
we also use "deleteComment" to delete one comment at a time, and it is an
HTTP GET request.
So, unless we change the "deleteComment" URL and append a "token" after the
URL, or .... we cannot use the one-time token to protect it.
Or we change "deleteComment" to a POST request, too. That's another way.
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
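The mechanism the thread is circling (a one-time nonce emitted as a hidden input on POST forms, appended as a query parameter to GET links such as deleteComment, and checked in a shared admin-action superclass, with a cheap referer check layered on top for the admin end), as an added example that is not LifeType code and not the PoC described above. The class names CsrfNonce and AdminActionBase, the parameter name _csrf, and the session key are assumptions made for illustration; the real adminaction class is not shown here.

```php
<?php
// Added example, not LifeType code. CsrfNonce, AdminActionBase, the "_csrf"
// parameter name and the session key are hypothetical names chosen here.
session_start();

class CsrfNonce
{
    const SESSION_KEY = 'csrf_nonces';
    const MAX_NONCES  = 50;   // bound session growth; oldest unused nonce is dropped

    /** Issue a fresh random nonce and remember it in the session (one per form/link). */
    public static function issue(): string
    {
        $nonce = bin2hex(random_bytes(16));           // 128 bits from the CSPRNG
        if (!isset($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = [];
        }
        $_SESSION[self::SESSION_KEY][$nonce] = time();
        if (count($_SESSION[self::SESSION_KEY]) > self::MAX_NONCES) {
            array_shift($_SESSION[self::SESSION_KEY]); // insertion order == oldest first
        }
        return $nonce;
    }

    /** Consume a nonce: it is valid exactly once and is compared in constant time. */
    public static function consume(?string $nonce): bool
    {
        if ($nonce === null || empty($_SESSION[self::SESSION_KEY])) {
            return false;
        }
        foreach ($_SESSION[self::SESSION_KEY] as $stored => $issuedAt) {
            if (hash_equals((string) $stored, $nonce)) {
                unset($_SESSION[self::SESSION_KEY][$stored]);
                return true;
            }
        }
        return false;
    }

    /** Hidden input for POST forms (add, update, deleteComments). */
    public static function hiddenInput(): string
    {
        return '<input type="hidden" name="_csrf" value="'
            . htmlspecialchars(self::issue(), ENT_QUOTES, 'UTF-8') . '">';
    }

    /** Append a nonce to a GET link such as the single-comment deleteComment URL. */
    public static function link(string $url): string
    {
        $sep = (strpos($url, '?') === false) ? '?' : '&';
        return $url . $sep . '_csrf=' . rawurlencode(self::issue());
    }
}

/** Hypothetical stand-in for the admin-action superclass every admin action inherits from. */
abstract class AdminActionBase
{
    /** Referer check for the admin end: a missing or foreign Referer is rejected. */
    protected function refererOk(string $expectedHost): bool
    {
        $host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
        return is_string($host) && strcasecmp($host, $expectedHost) === 0;
    }

    /** Nonce check shared by POST forms and token-bearing GET links. */
    protected function csrfOk(): bool
    {
        $nonce = $_POST['_csrf'] ?? $_GET['_csrf'] ?? null;
        return CsrfNonce::consume($nonce);
    }

    /** Subclasses call this before any state-changing work. */
    protected function guard(string $adminHost): void
    {
        if (!$this->refererOk($adminHost) || !$this->csrfOk()) {
            http_response_code(403);
            exit('Request rejected: missing or invalid CSRF token');
        }
    }
}

// Rendering side: a form gets CsrfNonce::hiddenInput(); a GET action link gets
// CsrfNonce::link('admin.php?op=deleteComment&commentId=42').
```

Each nonce is bound to the session and consumed on first use, so a replayed or guessed token fails, and a stale form simply has to be reloaded. The referer check is intentionally the weaker of the two gates: it costs one string comparison but breaks for users whose browsers or proxies strip the header, which is why it is left as an optional layer rather than the sole protection.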