Page MenuHomePhabricator
Create Task
Maniphest T61612

CSRF protection for scholarship app
Closed, ResolvedPublic
Actions

Description

Sorry for the late notice of this, but when I reviewed the Scholarship app originally, I missed reporting my note that it didn't have any csrf protection on its forms.

Needs to be added to public application, login form, and the admin forms that update the application's data.

Probably doesn't prevent turning on the site next week, but should get fixed soon.

Version: unspecified
Severity: normal

Details

Reference
bz59612

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:42 AM
bzimport added a project: Wikimedia-Wikimania-Scholarships.
bzimport set Reference to bz59612.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Jan 3 2014, 9:28 PM
bd808 added a comment.Jan 3 2014, 11:43 PM

Created attachment 14224
CSRF middleware patch

I whipped up a quick and dirty CSRF middleware. It could be fancier (no token rotation or expiration) but it is a lot better than nothing. I'm a little embarrassed that I didn't think of the need for this before. And I'm more than a little disappointed that the Slim framework doesn't come with a solution for this out of the box.

Attached:

csrf.patch7 KBDownload

bd808 moved this task from Backlog to Archive on the Wikimedia-Wikimania-Scholarships board.Dec 7 2014, 12:08 AM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL