[pLog-svn] r7015 - plog/branches/lifetype-1.2/js/ui
Reto Hugi
reto at lifetype.ch
Fri Aug 6 16:43:46 EDT 2010
Hi Mark
Thanks for your nice idea and sorry for my (again) superficial response
due to heavy time constraints ;) - I sometimes wish days would have 36
hours...
Anyway - the Blacklisting part ist IMO the most important one to
effectively secure the whole thing.
Oh, and first I thought the JavaScript Implementation wouldn't be a good
idea, but thinking of listening on click events, checking if it's a
relevant link and adding the nonce just before the request would even
omit the whole HTML parsing, right?
bye,
reto
On 08/02/2010 01:27 PM, Mark Wu wrote:
> Hi Jon & Reto:
>
> Great job, It looks nice.
>
> For all actions exist in system include plugin actions, I think a new
> method "getActionMap" could be add to Controller class, it could help
> CSRF plugin to get all actions through AdminController::getActionMap()
> easier:
>
> Class Controller {
> ...
> function getActionMap()
> {
> global $_plogController_actionMap;
> return( array_keys(||$_plogController_actionMap) );
> }
> ...
> }
>
> Since Lifetype's action map is a global array, of course this method
> could be add to CsrfUrls DAO only.
>
> Another problem is how to identify the admin action should be protected
> or not, .... Jon's current method is white list, it records all the
> actions need to protect by CSRF. Maybe, you can change it to black list,
> just record those ops that CSRF plugin don't want to protect by default.
>
> So, the CsrfUrls dao could change to:
>
> Class CsrfUrls {
> ...
> $unprotected = array( 'adc', 'def' );
> function getProtectedOps($op="") {
> $protected = array_diff( AdminController::getActionMap(),
> $unprotected );
> .....
> }
> ...
> }
>
> For further advanced CSRF protection control, maye a global variable
> $_plog_unprotected_actions can be added to CsrfUrls, so it can easier
> for CSRF plugin to provide a new method like
> CsrfUrls::registerUnprotectedAction( 'ghi' ) for plugin developers.
>
> Then, plugin developers can decide the action should be protected or not.
>
> It just my two cents.
>
> Mark
>
> 2010/8/2 Jon Daley <plogworld at jon.limedaley.com
> <mailto:plogworld at jon.limedaley.com>>
>
> On Mon, 2 Aug 2010, Reto Hugi wrote:
>
> I was thinking about those Blog communities that Mark was working on
> some time ago, with lot's of content "creators". But fair
> enough, it's
> only the admin side.
>
> Yes, I occasionally hear about large communities, but I just
> haven't worked on any of their code.
>
> Please have a look at the /class/data/nonce.class.php
> (not the
> randomizer - yours is better)
>
> Well, acutally I thought that the nonce creation class would
> have been
>
> nicer, than just creating the token inside the plugin code -
> that was my
> point :)
>
> True, that is good.
>
>
> The "insecure" part on the implementation is the $protected
> array, which may miss newly added actions and the fact that the
> token is fixed for a session.
>
> Yeah, I'm not sure how to fix the newly-added actions part.
> If you have any ideas about that, that'd be good. I don't want to
> fix the second.
> I was thinking about it tonight, and wondering what it would
> be like to add the nonce on the javascript/client side, so then the
> template parsing would not be server-side, and so the load would be
> lower, and it would also fix the plugin issue, at least partly - in
> that the links could have the nonce added. The values would still
> need to be validated on the other side.
>
>
> my aproach involved much more work but it treats csrf protection
> just as we treat any other validation, so it's more kind of a
> "native" aproach.
>
> True, and if we could get it in the adminaction base class,
> then it'd be great.
>
>
> True. Although the problem is, that I'm not running the latest
> svn code
> - heck, I'm still on 1.2.8!
>
> Hmmm... Though I'd still venture to guess that you could
> just replace the adminloginaction and add the plugin and be good to
> go. If you don't care about dynamically adding categories on the
> newpost page, you can ignore those changes.
>
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> No matter where you go,
> there you are.
> -- Buckaroo Bonzai
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net <mailto:pLog-svn at devel.lifetype.net>
> http://limedaley.com/mailman/listinfo/plog-svn
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
More information about the pLog-svn
mailing list