
Confirm action on CSRF warning causes warning to redisplay

Status
Closed
Subject
Confirm action on CSRF warning causes warning to redisplay
Version
16.x Regression
Category
  • Regression
  • Community projects
  • Dogfood on a *.tiki.org site
Feature
Admin Interface (UI)
Resolution status
Fixed or Solved
Submitted by
Gary Cunningham-Lee
Volunteered to solve
lindon
Lastmod by
Xavier de Pedro
Rating
(1)
Related-to
Description

I have "Require confirmation of an action if a possible CSRF is detected" set on tiki-admin.php?page=security. When I get the warning "Possible cross-site request forgery (CSRF, or "sea surfing") detected. Operation blocked.", and I click the "Click here to confirm your action" button, the same warning page redisplays instead of refreshing to the page where the admin action was made. This repeats as long as I keep clicking.

But the admin change does get made. If I input the admin page URL or go back in browser history to the admin page, I can see the change did take effect.

This is on my local wamp installation, so I'll need to make a show instance unless other people can reproduce this bug.

Solution

This error is from the old ask_ticket() / check_ticket() system. By Tiki 17 this had been removed. Accordingly, I cannot recreate it in Tiki 18 or 19. Since there will be no further releases of Tiki 16, there is no fix to be committed.

Also, in case this problem really relates to Tiki 19, r68724 restored the default of not checking the old ticket system to avoid false anti-CSRF errors.

Workaround
Take out the ask_ticket() and check_ticket() calls from admin/include_security.php, although this may make the page slightly less secure.
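The following is an added example, not Tiki's own ask_ticket()/check_ticket() code and not a diagnosis of the Tiki 16 bug above. It models a generic synchroniser-token ("ticket") anti-CSRF guard with a confirmation step, using a plain array as the session so it runs from the CLI, and shows one way a confirm button can redisplay the warning indefinitely: the warning page's confirm form is rendered without a fresh ticket, so every re-submission fails the same check. With the ticket included, the confirmed replay passes and the handler redirects to the original admin page. The function and parameter names, the page URL and the `feature_x` setting are all constructed for illustration; the report's observation that the change nonetheless took effect is not modelled here.

```php
<?php
declare(strict_types=1);

// Constructed example (not Tiki code): a ticket-based anti-CSRF guard with a
// confirmation step, driven from the CLI with an array standing in for $_SESSION.

// Issue a one-time ticket bound to $page and remember it in the session.
function issue_ticket(array &$session, string $page): string
{
    $ticket = bin2hex(random_bytes(16));
    $session['tickets'][$ticket] = $page;
    return $ticket;
}

// Validate and consume a ticket; a ticket is good for exactly one request.
function check_ticket(array &$session, string $page, ?string $ticket): bool
{
    if ($ticket === null || !isset($session['tickets'][$ticket])) {
        return false;
    }
    $boundPage = $session['tickets'][$ticket];
    unset($session['tickets'][$ticket]);
    return hash_equals($boundPage, $page);
}

// Render the "possible CSRF" warning. $withTicket decides whether the confirm
// form carries a fresh ticket; false reproduces a redisplay loop.
function render_warning(array &$session, string $page, array $params, bool $withTicket): array
{
    $form = ['page' => $page, 'params' => $params];
    if ($withTicket) {
        $form['params']['ticket'] = issue_ticket($session, $page);
    }
    return ['status' => 'warning', 'confirm_form' => $form];
}

// Handle one state-changing admin request: apply it only with a valid ticket,
// otherwise block it and show the warning with its confirm form.
function handle(array &$session, array $request, array &$settings, bool $ticketOnConfirm): array
{
    $params = $request['params'];
    $ticket = $params['ticket'] ?? null;
    unset($params['ticket']);

    if (!check_ticket($session, $request['page'], $ticket)) {
        return render_warning($session, $request['page'], $params, $ticketOnConfirm);
    }
    foreach ($params as $k => $v) {
        $settings[$k] = $v;
    }
    return ['status' => 'applied', 'redirect' => $request['page']];
}

// Scenario: a constructed cross-site POST (no ticket) is blocked, then the user
// clicks "confirm" up to $clicks times. Returns the statuses seen and the settings.
function run_scenario(bool $ticketOnConfirm, int $clicks = 3): array
{
    $session  = ['tickets' => []];
    $settings = ['feature_x' => 'n'];
    $seen     = [];

    $request  = ['page' => 'tiki-admin.php?page=security', 'params' => ['feature_x' => 'y']];
    $response = handle($session, $request, $settings, $ticketOnConfirm);
    $seen[]   = $response['status'];

    for ($i = 0; $i < $clicks && $response['status'] === 'warning'; $i++) {
        // The confirm button re-submits exactly what the warning page's form holds.
        $response = handle($session, $response['confirm_form'], $settings, $ticketOnConfirm);
        $seen[]   = $response['status'];
    }
    return ['seen' => $seen, 'settings' => $settings];
}

print_r(run_scenario(false)); // warning x4: the confirm form has no ticket, so it loops
print_r(run_scenario(true));  // warning, applied: confirmed replay validated, then redirect
```

Run with `php example.php`. The point of the two scenarios is that the confirmation page must itself be protected by a ticket it issues at render time; a confirm form that merely re-posts the original parameters is indistinguishable from the request that was just blocked.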
Importance
8
Priority
40
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
6169
Created
Tuesday 08 November, 2016 04:24:55 UTC
by Gary Cunningham-Lee
LastModif
Sunday 21 July, 2019 17:13:38 UTC