[pLog-svn] Fwd: CSRF issue
plogworld at jon.limedaley.com
Wed Jul 14 08:25:25 EDT 2010
On Tue, 13 Jul 2010, Reto Hugi wrote:
> It's a sad but old issue. That's why I once started the csrf branch.
> I've not done more than implementing the token logic and a proof of
> concept. It's still a lot of work until the protection would really work...
Yes, that's what I've been thinking. Changing it to require POST
helps a little - at least in terms of not a simple <img src> tag, though
grab the form to get the token, and then POST with a valid token?
I was looking at some sample code that uses a token per-login.
(which is easier to implement, and not quite as annoying as most CSRF
protection schemes - where you can't have multiple tabs open, which would
really annoy me.)
People talk about the unique URL per login as something different
than a token, but really, it is just adding another parameter to the URL
line, and whether it is http://domain.com/admin.php?tok=123&op=blah or
http://domain.com/admin/123?op=blah it seems the same thing to me.
I wonder if we could use the smarty template output filter to add
in the token on all forms.
Does that solve the problem? If you close your tab, and then go
back to just admin.php without the token, you would have to login again,
work for a lot of people anyway, so I don't care about that too much.
> But on the other hand: Almost none of the blog tools out there really
> protect users from CSRF attacks. At least none I know of.
I was going to take a look at what WP does - presumably they've
worked on it.
In some ways we are more confused than ever, but we feel that we
are confused on a higher level and about more important things.
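The per-login token scheme discussed above, as an added illustration (not pLog code and not Reto's csrf branch): one token is minted at login, an output filter stamps it into every POST form on the rendered page (so several open tabs share it and all keep working), and the POST handler rejects requests whose token does not match the session's. The names `inject_tokens`, `check_token` and the field name `tok` are assumptions; the filter uses a regex on the rendered HTML in place of a Smarty output filter.

```python
import hmac
import re
import secrets

# Matches the opening tag of any form that submits via POST (case-insensitive).
FORM_RE = re.compile(
    r'(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)', re.IGNORECASE)


def new_login_token() -> str:
    """Mint one unguessable token for the whole login session (per-login,
    not per-form), so multiple tabs opened from the same session all work."""
    return secrets.token_hex(16)


def inject_tokens(html: str, token: str) -> str:
    """Output-filter step (stand-in for a Smarty output filter, an assumption):
    add a hidden 'tok' field right after every POST form's opening tag.
    GET forms and plain links are left untouched."""
    field = f'<input type="hidden" name="tok" value="{token}">'
    return FORM_RE.sub(lambda m: m.group(1) + field, html)


def check_token(session_token, submitted) -> bool:
    """Server-side check on every state-changing POST: the submitted token
    must equal the one stored in the logged-in session. Constant-time
    comparison avoids leaking how many leading bytes matched."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def handle_post(session: dict, form: dict) -> str:
    """Minimal admin.php-style dispatcher: refuse the request unless the
    per-login token is present and valid; 'op' is the requested action."""
    if not check_token(session.get("csrf_token"), form.get("tok")):
        return "rejected"
    return f"executed {form.get('op')}"


def demo() -> tuple:
    """Constructed walkthrough: the real admin page carries the token, a page
    forged on another site does not, and a second tab from the same login
    still validates because the token is per-login rather than per-form."""
    session = {"csrf_token": new_login_token()}
    page = '<form method="POST" action="admin.php"><input name="op"></form>'
    rendered = inject_tokens(page, session["csrf_token"])
    tok = re.search(r'name="tok" value="([0-9a-f]+)"', rendered).group(1)
    genuine = handle_post(session, {"op": "deletePost", "tok": tok})
    forged = handle_post(session, {"op": "deletePost"})          # no token
    second_tab = handle_post(session, {"op": "editPost", "tok": tok})
    return genuine, forged, second_tab
```

`demo()` returns `('executed deletePost', 'rejected', 'executed editPost')`; the token lives only in the session and in pages rendered for that session, which is what a cross-site `<img>` or auto-submitting form cannot obtain.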