CSRF False positives
- Status
- Open
- Subject
- CSRF False positives
- Version
- 20.x
- Category
- Error
- Usability
- Community projects
- Dogfood on a *.tiki.org site
- Regression
- Feature
- User Administration (Registration, Login & Banning)
- Resolution status
- New
- Submitted by
- Xavier de Pedro
- Keep informed
- lindon
- Lastmod by
- Xavier de Pedro
- Rating
- Related-to
-
- Remove "Protect against CSRF with a protective step" from the login settings page
- CSRF Error when trying to log in from the top bar
- Voting in a poll gives CSRF warning.
- CSRF on using module error messages
- Profile preview fails with ugly CSRF error
- CSRF warning blocks saving menu options
- Confirm action on CSRF warning causes warning to redisplay
- CSRF Error Message displayed when adding new user to group
- elFinder: Can’t upload pictures on the tracker5 at dev.t.o (CSRF error)
- "The following mandatory fields are missing: Category" after anti-CSRF prompt
- "GZip output" (feature_obzip) causes encoding errors in CSRF and error screens
- Diagrams have poor usability still in 21.x LTS due CSRF and ticket expiration
- doc.t.o 19.x: I can't upload images to wiki pages (CSRF) with elFinder
- Potential cross-site request forgery (CSRF) detected. Operation blocked. Required headers are missing.
- Description
A CSRF never ending loop happened to me earlier today, on dev.t.o.
I had logged in chromium-browser to dev.t.o as user "xavi" (no admin perms).I needed to log in with my other user "xavidp" (the one with admin perms), so that I opened a private browsing window of chromium-browser. I went to visit the same page I had visited with the standard user where I had to fix some perms of that wiki page ( https://dev.tiki.org/Wish%20Report%20Tpl ). Clicked at "login" link at the top bar, which sent me to https://dev.tiki.org/login , provided the credentials, and then I got the message about CSRF at the url https://dev.tiki.org/tiki-login.php :
Error
Potential cross-site request forgery (CSRF) detected. Operation blocked. Reloading the page may help.
Every time I tried (F5, visiting somewhere else within dev.t.o) and attempting to log in, I got the same CSRF error message reproduced, and I couldn't log in as user "xavidp".I had to open a new browser (Firefox, in this case), and login as "xavidp" was successful.
I wonder what was happening.
I tried again, at the time of reporting this issue, and I got the issue reproduced again.
FYI: I had seen other weird CSRF false positives in other contexts in a 20.x tiki I use at work (behind a firewall). I 'll keep an eye open to add more details when I hit this bug again in other use cases. But there is something wrong still in the code in 20.x.
- Importance
- 9
- Easy to solve?
- 4
- Priority
- 36
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Accessing the Tiki instance that demonstrates this bugThe URL for the show2.tiki.org instance that demonstrates this bug is at: http://xavi-9794-7133.show2.tiki.org. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http://xavi-9794-7133.show2.tiki.org/info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third party software, the instance creation is probably not finished. Please wait a couple minutes and reload.
SnapshotsSnapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show2.tiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http://xavi-9794-7133.show2.tiki.org/snapshots/. Note that if you get a popup asking for a username/password, please just enter "show" and "show".
Create new snapshot - Ticket ID
- 7133
- Created
- Sunday 21 July, 2019 17:13:12 GMT-0000
by Xavier de Pedro - LastModif
- Sunday 10 October, 2021 11:36:36 GMT-0000
Attachments
| filename | created | hits | comment | version | filetype | ||
|---|---|---|---|---|---|---|---|
| No attachments for this item | |||||||
;){kind=link}
;){kind=link}
- htaccess.sh is gone from Tiki26 and after the installation you may need to create the symlink manually
- Create new Group function does not work Tiki V26.0 Clean install brand new database
- Manticore install and configuration
- Wiki plugin User list show all the user, the parameter Max of rows is not applied
- Automatic Indexing of Mathematical Calculation Tracker Fields
;){kind=link}
;){kind=link}