CRITICAL SECURITY VERSION UPDATE:
https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.13

Can't submit forms with CSRF Protection Enabled

KavrocksKavrocks
edited January 2011 in Bug Reports
Hi

I'm in the process of setting up a new website with Fuel. I was going through the config options changing little things here and there and checking nothing major went wrong.
I'm using the 0.91 branch with the demo site installed.

When I changed $config['csrf_protection'] = FALSE; to $config['csrf_protection'] = TRUE; in the config.php page submitting the contact form and the login form for the admin area both produced errors saying "The action you have requested is not allowed."

Regards
Ian

Comments

  • adminadmin
    edited 12:16PM
    Thanks for the report. I'm looking into that.
  • adminadmin
    edited 12:16PM
    I've just posted a fix for this to the Form_builder class to work just like the form_helpers. It leverages the existing "key_check" parameter which was intended for something similar and adds an additional parameter for the hidden fields name ("key_check_name").
  • KavrocksKavrocks
    edited 12:16PM
    Thanks I'll grab that and have a look.
  • KavrocksKavrocks
    edited 12:16PM
    This is still not working.
  • adminadmin
    edited 12:16PM
    I'm looking into this issue. If you go to the form and refresh the page and then submit, it looks like the csrf cookie value will match (which is what I was seeing), but with an initial view of the page and a fresh cookie, it is causing a problem.
  • adminadmin
    edited 12:16PM
    I just posted a fix for that issue (hopefully). It appears that you have to set the cookie again before rendering just to be sure the cookie is there on the initial page load. I'm wondering if this is an issue with the CI's native form_helper as well since I originally looked at that for help and didn't see that line there to regenerate the cookie.
  • KavrocksKavrocks
    edited 12:16PM
    This still seems to cause a problem in the admin section of fuel if you try to delete a record from a module.
  • adminadmin
    edited 12:16PM
    I'll check that out... I ran into an issue the other day importing the views when that was turned on as well (and have since posted a fix for that). I have a feeling it may be in issue in other places that are using javascript to submit form parameters. The reason is because the csrf hidden field value needs to be sent along in the post.
  • adminadmin
    edited 12:16PM
    I just pushed a fix that should hopefully take care of at least that issue (and hopefully several others).
  • KavrocksKavrocks
    edited 12:16PM
    Just to let you know this still has not been fixed.
  • adminadmin
    edited 12:16PM
    Are you using the latest version found here?
    https://github.com/daylightstudio/FUEL-CMS

    If so, can you give me reproduction steps? I'm not able to replicate it locally.
  • KavrocksKavrocks
    edited 12:16PM
    Yes the latest version.

    Fresh install, CSRF set to TRUE in the config file then attempt to log in to admin section of the cms and an error appears (can't remember what exactly). Set it to FALSE and I can log in.

    I'm using wampserver.
  • adminadmin
    edited 12:16PM
    I'm able to replicate the problem but only on a WAMP server. It works OK on XAMPP, MAMP and my Mac OSX native apache server. Any chance you want to try on a XAMPP server to see if it works?
  • KavrocksKavrocks
    edited 12:16PM
    If its just WAMP that's fine, I'll change shortly.

    Thank you.
Sign In or Register to comment.