Hi Christian,

Do you have some example code of your Form extension?
Thanks,
Martijn

On Mon, 2008-07-28 at 15:18 -0400, Christian Edward Gruber wrote:
> A good way would be to alter the Form object to contain (via a hidden
> variable) a field that's generated per the whitepaper linked from that
> wikipedia article. The form would then consume the post, and if that
> field is not in the expected state, generate an error state, which
> could then be redirected to a security page or some such. We solved
> it this way, though without changing the T5 form object - we used a
> custom form object.
>
> A friend of mine wrote the linked whitepaper, so if someone's trying
> to put the fix into the Tapestry framework infrastructure, then let me
> know and I'll connect you by e-mail. It's a good read anyway, as it's
> a bit of a subtle problem.
>
> Christian.
>
> On 28-Jul-08, at 14:50 , Martijn Brinkers (List) wrote:
>
> > Cross-site request forgery (CSRF) is a web application vulnerability
> > that is often neglected by web developers. If your application is
> > vulnerable to CSRF and an attacker can entice you to request some URL
> > (this can be done for example with an image with the src set to some
> > Tapestry action) the attacker can execute random Tapestry actions and
> > post forms (like adding an administrator etc.) without the user's
> > consent.
> >
> > For more info on CSRF see for example:
> > http://en.wikipedia.org/wiki/Cross-site_request_forgery.
> >
> > One way to protect against CSRF is to add a non-guessable code
> > (saved in the user session) to the URLs that need to be protected
> > against CSRF, or add a hidden field to a Form with this unique code.
> > When Tapestry receives a request (for a page or action) and that
> > page/action needs protection, a check is done to see if the code from
> > the URL matches the code stored in the user session. If not, you know
> > that the request was not generated by Tapestry.
> >
> > My question is what is the best way to implement this? Should I add
> > the code as a context parameter and for forms as a hidden field? And
> > use a dispatcher to check whether the page should have been protected?
> >
> > Thanks,
> >
> > Martijn Brinkers
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
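The synchronizer-token scheme Martijn describes and Christian says they implemented with a custom form object, sketched below as plain Java. This is an added example, not Tapestry's API and not either poster's code: the user session is modelled as a `Map<String, Object>` rather than Tapestry's session object, the attribute key `csrf.token` and parameter name `_csrf` are assumed names, and the hidden field and URL parameter are emitted as raw strings instead of going through the Form component. The parts that matter are the ones a dispatcher would need: a per-session token from `SecureRandom`, a render-side emitter, and a submit-side check that fails closed and compares in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Synchronizer-token CSRF guard in plain Java (added example, not Tapestry code).
 * The user session is modelled as a Map<String, Object>; in a real application
 * this would be the framework's session object. The attribute and parameter
 * names below are assumptions chosen for this example.
 */
public final class CsrfGuard {
    static final String SESSION_KEY = "csrf.token"; // assumed session attribute name
    static final String FIELD_NAME = "_csrf";       // assumed hidden-field / URL parameter name
    private static final SecureRandom RNG = new SecureRandom();

    /** Return the session's token, minting a fresh 256-bit one on first use. */
    static String tokenFor(Map<String, Object> session) {
        Object existing = session.get(SESSION_KEY);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        // base64url without padding uses only [A-Za-z0-9_-], so the token can be
        // embedded in an HTML attribute or a query string without escaping.
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    /** Hidden input to emit inside every protected form at render time. */
    static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME
                + "\" value=\"" + tokenFor(session) + "\"/>";
    }

    /** Query-string fragment to append to protected action links. */
    static String urlParameter(Map<String, Object> session) {
        return FIELD_NAME + "=" + tokenFor(session);
    }

    /**
     * Dispatcher-side check: the submitted value must equal the token stored in
     * this user's session. A missing session token, a missing parameter, or a
     * mismatch all fail. MessageDigest.isEqual compares in constant time, so the
     * token cannot be recovered one byte at a time through response timing.
     */
    static boolean isValid(Map<String, Object> session, String submitted) {
        Object expected = session.get(SESSION_KEY);
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();

        // Render phase: what the Form would emit, and what an action link would carry.
        System.out.println(hiddenField(session));
        System.out.println("?" + urlParameter(session));

        // Submit phase: the dispatcher reads the parameter back and checks it.
        System.out.println("same-session token accepted:    " + isValid(session, tokenFor(session)));
        System.out.println("request without token rejected: " + !isValid(session, null));
        System.out.println("guessed token rejected:         " + !isValid(session, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));

        // A cross-site request can only carry a token from some other session
        // (e.g. the attacker's own); that token must not validate for this user.
        Map<String, Object> otherSession = new HashMap<>();
        System.out.println("other session's token rejected: " + !isValid(session, tokenFor(otherSession)));

        // A session that never rendered a protected form has no token, so it
        // accepts nothing rather than accepting everything.
        System.out.println("no-token session rejects all:   " + !isValid(new HashMap<>(), "anything"));
    }
}
```

In the layout Martijn proposes, `hiddenField` and `urlParameter` run while the page is rendered and `isValid` runs in the dispatcher before the action or form handler executes; a failed check should short-circuit to the error state Christian mentions rather than fall through to the action. Because the token is generated once per session and compared against the session copy, a request that the attacker's page triggers in the victim's browser cannot supply it: the browser attaches the victim's cookies automatically, but the token lives in page markup the attacker never sees.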