Form key check required at GET request?

Discussion forum for Extension Writers regarding Extension Development.

Form key check required at GET request?

Post by Ger » Fri Nov 03, 2017 10:55 am

I asked this a couple of days ago in the validation discussion, but I didn't get any response. Not sure if those are read, so I'll post it here:
kasimi wrote: Line 111: deleting a feed is vulnerable to CSRF attacks. Please check the form key before you do anything here.
It's about the ACP module of my Feed Post Bot extension. As you can see there, I initially just added (and have now commented out) the form key check, but that cannot work: deleting a feed is simply a GET request; the admin clicks a button and the feed is deleted.

There is no form, so how should this be handled?


Re: Form key check required at GET request?

Post by GanstaZ » Fri Nov 03, 2017 12:42 pm

As I understand it, CSRF works on authenticated users. Isn't delete a form/choice? Take a look at some of those ACP modules in the includes folder. For actions like delete, you can see the usage of the check form key and confirm box functions.


Re: Form key check required at GET request?

Post by 3Di » Fri Nov 03, 2017 2:17 pm

You don't need to use check_form_key() if you make use of the confirm_box() function for sensitive operations, like delete, so to speak. It may be a good idea (and an extra point of security) to add a new permission like acl_a_can_delete_that and check for it as well. That's my understanding, which could be completely wrong or... vice versa. :)


Re: Form key check required at GET request?

Post by AbaddonOrmuz » Fri Nov 03, 2017 3:25 pm

You can also generate a link hash with generate_link_hash() and check it with check_link_hash().

```php
// Build the link: the hash is tied to the current user's session, so a URL
// copied into a forged page will not carry a valid hash for the victim.
$routing_helper->route('your_route', [
	'hash' => generate_link_hash('hash_name'),
]);
```

```php
// On the receiving side: reject the request if the hash is missing or does
// not match the one generated for this user and this hash name.
if (!check_link_hash($request->variable('hash', ''), 'hash_name'))
{
	throw new \phpbb\exception\http_exception(403, 'NO_AUTH_OPERATION');
}
```


Re: Form key check required at GET request?

Post by Ger » Mon Nov 06, 2017 8:14 am

Thanks guys, confirm_box() did the trick.
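Putting 3Di's confirm_box() suggestion and Ger's outcome together, here is an added example (not code from the Feed Post Bot extension or from phpBB core) of an ACP module delete action that arrives as a GET link but only deletes after the confirming POST; the namespace, the table name, the permission a_feedbot_delete and the language keys are assumed.

```php
<?php
// Added example, not code from the Feed Post Bot extension or from phpBB core.
// Assumed: namespace, table name, permission a_feedbot_delete, language keys.
namespace vendor\feedbot\acp;

class main_module
{
	public $u_action;   // ACP action URL, set by phpBB before main() runs
	public $tpl_name;
	public $page_title;

	public function main($id, $mode)
	{
		global $db, $request, $user, $auth, $table_prefix;

		$this->tpl_name   = 'acp_feedbot_body';
		$this->page_title = 'ACP_FEEDBOT';
		$feeds_table      = $table_prefix . 'feedbot_feeds'; // assumed table

		$action  = $request->variable('action', '');
		$feed_id = $request->variable('id', 0);

		if ($action === 'delete' && $feed_id)
		{
			// Extra permission, as suggested in the thread (assumed acl name).
			if (!$auth->acl_get('a_feedbot_delete'))
			{
				trigger_error('NO_AUTH_OPERATION' . adm_back_link($this->u_action), E_USER_WARNING);
			}

			// First request (the GET link): confirm_box(true) returns false, so the
			// confirmation form is rendered instead of deleting. That form POSTs back
			// with a per-user confirm key and the session id; confirm_box(true) only
			// returns true when those match, which is what defeats a forged GET.
			if (confirm_box(true))
			{
				$sql = 'DELETE FROM ' . $feeds_table . ' WHERE feed_id = ' . (int) $feed_id;
				$db->sql_query($sql);
				trigger_error($user->lang('FEED_DELETED') . adm_back_link($this->u_action));
			}
			else
			{
				// Hidden fields keep action and id alive across the POST round-trip.
				confirm_box(false, 'CONFIRM_FEED_DELETE', build_hidden_fields([
					'action' => 'delete',
					'id'     => $feed_id,
				]));
			}
		}

		// ... render the feed list here (omitted)
	}
}
```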
