On Sat, 2014-07-12 at 09:11 +0200, xor wrote:
> On Tuesday, July 08, 2014 09:13:14 AM you wrote:
> > The name of the variable is badly chosen: formPassword is an anti-CSRF
> > token (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 ); do *NOT* touch it.
> >
> > As for when to use one, two rules:
> > 1) if you're changing server side state, you need a POST request
> > 2) all POST requests need an anti-CSRF token (the exception being a
> > login page, where credentials -that are unpredictable to an attacker-
> > are exchanged)
> >
> > NextGen$
>
> Thanks for the very short clarification!
> I've used this as a foundation for a pull request which JavaDocs the
> formPassword variable and relevant functions, please review it:
>
> https://github.com/freenet/fred-staging/pull/260
>
Looks good to me.

> Also, I have a question about the standard form password validation function:
>
> https://github.com/xor-freenet/fred-staging/blob/f2ddcb9cd8c44346e74f6f14313e01f12871d2a2/src/freenet/support/plugins/helpers1/WebInterfaceToadlet.java#L71
>
> It first tries to obtain it from a GET-variable, then from POST.
> Isn't it unsafe to pass this around via GET?

It is; and yes, we should only call req.getPartAsStringFailsafe()... but doing so will break existing "broken" calls. I suggest that we reverse the condition and log a message when we obtained the token from a GET parameter... leave support for a few releases and then drop support for it altogether.

NextGen$
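The two rules quoted above (state changes only over POST, every POST carries the anti-CSRF token) and the transition NextGen$ proposes (read the token from the POST body first, fall back to the GET parameter only with a logged warning, later drop the fallback) are illustrated below. This is an added, self-contained example written for this thread; it is not fred's code and does not use fred's HTTPRequest API. The Request class, the FormPasswordCheck class and the result strings are constructed for the illustration. A token carried in a GET parameter ends up in URLs, browser history, server logs and Referer headers, which is why the POST-body path is the one worth keeping.

```python
"""Anti-CSRF (formPassword) check: POST-only state changes, token from the body,
with a deprecation path for tokens still arriving as a GET parameter."""
import hmac
import logging
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

log = logging.getLogger("csrf")

# Outcomes of a check; strings so the reason is visible in logs and tests.
ACCEPT = "accept"
ACCEPT_LEGACY_GET = "accept (deprecated): formPassword taken from GET parameter"
REJECT_NOT_POST = "reject: state change requires POST"
REJECT_BAD_TOKEN = "reject: missing or wrong formPassword"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (hypothetical, not fred's class):
    the method, the query-string parameters and the POST body parts."""
    method: str
    query: Dict[str, str] = field(default_factory=dict)
    parts: Dict[str, str] = field(default_factory=dict)


def new_form_password() -> str:
    """Per-session anti-CSRF token: random, hence unpredictable to an attacker."""
    return secrets.token_urlsafe(32)


class FormPasswordCheck:
    """Validates the token for a handler that changes server-side state.

    allow_legacy_get=True is the transitional behaviour suggested in the thread:
    a token found only in the GET parameters is still accepted, but logged, so
    callers can be fixed before the fallback is removed."""

    def __init__(self, form_password: str, allow_legacy_get: bool = True):
        self.form_password = form_password
        self.allow_legacy_get = allow_legacy_get

    def _matches(self, candidate: Optional[str]) -> bool:
        # Constant-time comparison; also False on a missing token.
        if candidate is None:
            return False
        return hmac.compare_digest(candidate.encode(), self.form_password.encode())

    def check(self, req: Request) -> str:
        # Rule 1: state-changing requests must be POST.
        if req.method != "POST":
            return REJECT_NOT_POST
        # Rule 2: the POST must carry the token. Look in the body first.
        token = req.parts.get("formPassword")
        if token is not None:
            return ACCEPT if self._matches(token) else REJECT_BAD_TOKEN
        # Reversed condition from the thread: GET parameter only as a fallback.
        legacy = req.query.get("formPassword")
        if legacy is not None and self.allow_legacy_get and self._matches(legacy):
            log.warning("formPassword accepted from a GET parameter; "
                        "fix the caller, this fallback will be removed")
            return ACCEPT_LEGACY_GET
        return REJECT_BAD_TOKEN


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    token = new_form_password()
    guard = FormPasswordCheck(token)
    print(guard.check(Request("GET", query={"formPassword": token})))
    print(guard.check(Request("POST", parts={"formPassword": token})))
    print(guard.check(Request("POST", query={"formPassword": token})))
    print(FormPasswordCheck(token, allow_legacy_get=False)
          .check(Request("POST", query={"formPassword": token})))
```

Flipping allow_legacy_get to False is the final step of the migration: the same request that was accepted with a warning is then rejected, and nothing else in the check changes.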
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl