
Remove 'confirm_action' from list of actions requiring the CSRF token

Created by: mpkut

The current CSRF code is configured to require the token for the confirm_action action. However, #527 (closed) shows that there are legitimate Sympa functions, such as unauthenticated archive views, that invoke confirm_action as part of a GET request (i.e. the "I am not a spammer" click-through challenge for archives).

This simple patch removes confirm_action from the %require_csrftoken list. That allows confirm_action to be invoked during GET requests, allowing unauthenticated archive views and other GET-based confirmed actions to work as expected.

Thankfully, the input validation in Sympa::WWW::Session::confirm_action() acts against CSRF on its own, so we are still covered there. The confirm submission must be the very next click in the user's Sympa session, otherwise the pending action is cancelled. Furthermore the action arguments must match a recorded hash before the action can proceed.
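To illustrate the two checks the description relies on (confirmation must be the very next click in the session, and the confirmed arguments must match the recorded hash), here is an added Python model. It is not Sympa's own Sympa::WWW::Session code; the session layout, the HMAC over sorted arguments and the response strings are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Actions that need a click-through confirmation before running (constructed list).
SENSITIVE = {"del", "remove_member"}


class Session:
    """Assumed model of one user's web session holding at most one pending action."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-session secret, never sent to the client
        self.pending = None                 # (action, args_hash) or None

    def _args_hash(self, action, args):
        # Bind the recorded action to its exact arguments (assumed encoding).
        msg = action + "\0" + "\0".join(f"{k}={args[k]}" for k in sorted(args))
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def handle(self, action, args):
        """Process one request in this session; returns a short status string."""
        if action == "confirm_action":
            # One shot: whatever was pending is consumed by this click.
            pending, self.pending = self.pending, None
            if pending is None:
                return "rejected: nothing pending"
            target = args.get("action")
            target_args = {k: v for k, v in args.items() if k != "action"}
            expected = self._args_hash(target or "", target_args)
            if pending[0] != target or not hmac.compare_digest(pending[1], expected):
                return "rejected: arguments do not match"
            return f"executed {target}"
        # Any other click cancels a pending confirmation: confirm must be the very next request.
        self.pending = None
        if action in SENSITIVE:
            self.pending = (action, self._args_hash(action, args))
            return "confirm?"
        return f"done {action}"
```

A forged GET to confirm_action therefore does nothing unless the same session has just, on its previous request, recorded exactly that action with exactly those arguments.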
