Confirm action on CSRF warning causes warning to redisplay
- Status
- Closed
- Subject
- Confirm action on CSRF warning causes warning to redisplay
- Version
- 16.x Regression
- Category
- Regression
- Community projects
- Dogfood on a *.tiki.org site
- Feature
- Admin Interface (UI)
- Resolution status
- Fixed or Solved
- Submitted by
- Gary Cunningham-Lee
- Volunteered to solve
- lindon
- Lastmod by
- Xavier de Pedro
- Rating
- Related-to
- Description
I have "Require confirmation of an action if a possible CSRF is detected" set on tiki-admin.php?page=security. When I get the warning "Possible cross-site request forgery (CSRF, or "sea surfing") detected. Operation blocked.", and I click the "Click here to confirm your action" button, the same warning page redisplays instead of refreshing to the page where the admin action was made. This repeats as long as I keep clicking.
But the admin change does get made. If I input the admin page URL or go back in browser history to the admin page, I can see the change did take effect.
This is on my local wamp installation, so I'll need to make a show instance unless other people can reproduce this bug.
- Solution
This error is from the old ask_ticket() / check_ticket() system. By Tiki17 this had been removed. Accordingly I cannot recreate in Tiki 18 or 19. Since there will be no further releases of Tiki16, there is no fix to be committed.
Also, in case this problem really relates to Tiki19, r68724 restored the default of not checking the old ticket system to avoid false anti-CSRF errors.
- Workaround
- Take out the ask_ticket() and check_ticket() calls from admin/include_security.php, although this may make the page slightly less secure.
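The loop described above (confirm click redisplays the warning, yet the change is applied anyway) is the behaviour a ticket-confirmation flow must avoid. The following is an added illustration, not Tiki's ask_ticket()/check_ticket() code: a hypothetical admin handler that blocks before acting, issues a one-shot confirmation token, validates that token on the confirm request before re-running the ticket check, and then redirects to the originating page. Names (Session, AdminHandler, handle) are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    # Per-session anti-CSRF ticket expected on normal admin requests.
    csrf_ticket: str = field(default_factory=lambda: secrets.token_hex(16))
    # One-shot confirmation tokens -> (page, action) awaiting confirmation.
    pending: dict = field(default_factory=dict)


class AdminHandler:
    """Hypothetical admin action handler (constructed example)."""

    def __init__(self):
        self.applied = []  # actions actually executed, for inspection

    def handle(self, session, page, action, ticket=None, confirm=None):
        """Return ("redirect", page), ("warn", token) or ("blocked", None)."""
        # 1. A confirm click is checked first, so it is never re-evaluated as a
        #    ticket-less request (that ordering is what produced the redisplay loop).
        if confirm is not None:
            pend = session.pending.pop(confirm, None)  # pop: token is single-use
            if pend is None or pend[0] != page:
                return ("blocked", None)
            self.applied.append(pend[1])
            return ("redirect", page)  # PRG back to the admin page, not the warning
        # 2. Normal request: constant-time compare of the session ticket.
        if ticket is not None and hmac.compare_digest(ticket, session.csrf_ticket):
            self.applied.append(action)
            return ("redirect", page)
        # 3. Missing/invalid ticket: block BEFORE doing anything, then offer
        #    confirmation. "Operation blocked" must mean nothing was applied.
        token = secrets.token_hex(16)
        session.pending[token] = (page, action)
        return ("warn", token)
```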
- Importance
- 8
- Priority
- 40
- Demonstrate Bug on Tiki 19+
-
- Demonstrate Bug (older Tiki versions)
-
- Ticket ID
- 6169
- Created
- Tuesday 08 November, 2016 04:24:55 UTC by Gary Cunningham-Lee
- LastModif
- Sunday 21 July, 2019 17:13:38 UTC