I have "Require confirmation of an action if a possible CSRF is detected" set on tiki-admin.php?page=security. When I get the warning "Possible cross-site request forgery (CSRF, or "sea surfing") detected. Operation blocked.", and I click the "Click here to confirm your action" button, the same warning page redisplays instead of refreshing to the page where the admin action was made. This repeats as long as I keep clicking.
But the admin change does get made. If I input the admin page URL or go back in browser history to the admin page, I can see the change did take effect.
This is on my local WAMP installation, so I'll need to make a show instance unless other people can reproduce this bug.
This error is from the old ask_ticket() / check_ticket() system. By Tiki 17 this had been removed. Accordingly, I cannot recreate it in Tiki 18 or 19. Since there will be no further releases of Tiki 16, there is no fix to be committed.
Also, in case this problem really relates to Tiki19, r68724 restored the default of not checking the old ticket system to avoid false anti-CSRF errors.
The URL for the show2.tiki.org instance that demonstrates this bug is at: http://chibaguy-342-6169.show2.tiki.org. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http://chibaguy-342-6169.show2.tiki.org/info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third-party software, the instance creation is probably not finished. Please wait a couple of minutes and reload.
Snapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show2.tiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http://chibaguy-342-6169.show2.tiki.org/snapshots/.