CSRF prevention (!715) · Merge requests · foodsharing-dev / foodsharing · GitLab

chandi requested to merge audit/csrf-protection into master Feb 18, 2019

closes #475 (closed)

What does this MR do?

adds basic methods for storing & validating CSRF-Tokens
CSRF-Header mandatory for xhrapp.php except non-loggedin
CSRF-Header mandatory for xhr.php except non-loggedin
CSRF-Header mandatory for /api/ except non-loggedin

What is does not

enable CSRF for following (but will hopefully be added soon in a next MR)

xhr.php?f=bBubble
xhr.php?f=uploadPicture
xhr.php?f=pictureCrop
xhr.php?f=getRecip
xhr.php?f=addPhoto
xhr.php?f=uploadPhoto
xhrapp.php?app=login&m=photoupload
xhrapp.php?app=login&m=joinsubmit
xhrapp.php?app=login&m=join
xhrapp.php?app=mailbox&m=attach
xhrapp.php?app=mailbox&m=quickreply
xhrapp.php?app=mailbox&m=fmail
xhrapp.php?app=main&m=picupload
xhrapp.php?app=bezirk&m=quickreply
xhrapp.php?app=wallpost&m=quickreply
xhrapp.php?app=wallpost&m=attachimage

How confident are you it won't break things if deployed?

mostly

Links to related issues

Checklist

added a test, or explain why one is not needed/possible...
no unrelated changes
asked someone for a code review
joined #foodsharing-beta channel at https://slackin.yunity.org
added an entry to CHANGELOG.md (description, merge request link, username(s))

Edited Oct 12, 2020 by Chris Oelmueller