CSRF False positives
- Status
- Open
- Subject
- CSRF False positives
- Version
- 20.x
- Category
- Error
- Regression
- Usability
- Community projects
- Dogfood on a *.tiki.org site
- Feature
- User Administration (Registration, Login & Banning)
- Resolution status
- New
- Submitted by
- Xavier de Pedro
- Keep informed
- lindon
- Lastmod by
- Xavier de Pedro
- Rating
- Related-to
-
- Remove "Protect against CSRF with a protective step" from the login settings page
- CSRF Error when trying to log in from the top bar
- Voting in a poll gives CSRF warning.
- CSRF on using module error messages
- Profile preview fails with ugly CSRF error
- CSRF warning blocks saving menu options
- Confirm action on CSRF warning causes warning to redisplay
- CSRF Error Message displayed when adding new user to group
- elFinder: Can’t upload pictures on the tracker5 at dev.t.o (CSRF error)
- "The following mandatory fields are missing: Category" after anti-CSRF prompt
- "GZip output" (feature_obzip) causes encoding errors in CSRF and error screens
- Diagrams have poor usability still in 21.x LTS due CSRF and ticket expiration
- doc.t.o 19.x: I can't upload images to wiki pages (CSRF) with elFinder
- Potential cross-site request forgery (CSRF) detected. Operation blocked. Required headers are missing.
- Description
A CSRF never ending loop happened to me earlier today, on dev.t.o.
I had logged in with chromium-browser to dev.t.o as user "xavi" (no admin perms). I needed to log in with my other user "xavidp" (the one with admin perms), so I opened a private browsing window of chromium-browser. I went to visit the same page I had visited with the standard user, where I had to fix some perms of that wiki page (https://dev.tiki.org/Wish%20Report%20Tpl). I clicked the "login" link at the top bar, which sent me to https://dev.tiki.org/login, provided the credentials, and then I got the message about CSRF at the URL https://dev.tiki.org/tiki-login.php:
Error
Potential cross-site request forgery (CSRF) detected. Operation blocked. Reloading the page may help.
Every time I tried (F5, visiting somewhere else within dev.t.o) and attempted to log in, I got the same CSRF error message again, and I couldn't log in as user "xavidp". I had to open a new browser (Firefox, in this case), and login as "xavidp" was successful.
I wonder what was happening.
I tried again, at the time of reporting this issue, and I got the issue reproduced again.
FYI: I had seen other weird CSRF false positives in other contexts in a 20.x tiki I use at work (behind a firewall). I'll keep an eye open to add more details when I hit this bug again in other use cases. But there is still something wrong in the code in 20.x.
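The loop described in the report, modelled as an added example that is not Tiki's own code: the ticket scheme, the class and function names, the "Origin/Referer must name the site" check, and the assumed cause (a session cookie that is never sent back, so every POST lands in a fresh session) are all assumptions made here for illustration. The point a practitioner wants to see is that a session-bound anti-CSRF ticket fails identically on every reload when the session carrying the ticket is lost, and that unless the check records why it failed (ticket absent from the session versus ticket mismatch versus bad origin), a lost session is indistinguishable from a forged request.

```python
"""Added example (hypothetical; not Tiki's implementation): a session-bound
anti-CSRF ticket check and the lost-session failure mode that produces an
endless "CSRF detected, reload the page" loop."""
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlparse


class Session:
    """Minimal server-side session: a dict keyed by a cookie value."""
    def __init__(self, sid: str) -> None:
        self.sid = sid
        self.data: Dict[str, str] = {}


class Server:
    """Hypothetical server that issues and validates per-session CSRF tickets."""
    def __init__(self, site_host: str) -> None:
        self.site_host = site_host
        self.sessions: Dict[str, Session] = {}

    def session_for(self, cookie: Optional[str]) -> Session:
        """Return the session named by the cookie, or create a new one."""
        if cookie is not None and cookie in self.sessions:
            return self.sessions[cookie]
        s = Session(secrets.token_urlsafe(16))
        self.sessions[s.sid] = s
        return s

    def render_login_form(self, cookie: Optional[str]):
        """GET /login: bind a fresh ticket to the session and emit it in the form.
        Returns (session id to set as cookie, ticket embedded in the form)."""
        s = self.session_for(cookie)
        ticket = secrets.token_urlsafe(32)
        s.data["csrf_ticket"] = ticket
        return s.sid, ticket

    def check_ticket(self, s: Session, submitted: Optional[str]) -> str:
        """Compare the form ticket with the session ticket; return a reason code."""
        expected = s.data.get("csrf_ticket")
        if expected is None:
            return "no-ticket-in-session"   # session lost or brand new, not forgery
        if submitted is None:
            return "no-ticket-in-form"
        if not hmac.compare_digest(expected, submitted):
            return "mismatch"
        return "ok"

    def origin_ok(self, headers: Dict[str, str]) -> bool:
        """Secondary signal: Origin (or Referer) must name this site."""
        origin = headers.get("Origin") or headers.get("Referer")
        return bool(origin) and urlparse(origin).hostname == self.site_host

    def post_login(self, cookie: Optional[str], form: Dict[str, str],
                   headers: Dict[str, str]) -> str:
        """POST /tiki-login.php (hypothetical): return "ok" or the failure reason."""
        s = self.session_for(cookie)
        reason = self.check_ticket(s, form.get("ticket"))
        if reason == "ok" and not self.origin_ok(headers):
            reason = "bad-origin"
        return reason


def simulate_login(cookie_persists: bool, attempts: int = 3) -> List[str]:
    """Model a browser that GETs the form, POSTs it, and on failure reloads and
    retries. cookie_persists=False models a session cookie that is never sent
    back (the assumed cause of the loop): each POST lands in a fresh session."""
    srv = Server("dev.tiki.org")
    headers = {"Origin": "https://dev.tiki.org"}   # constructed request header
    results: List[str] = []
    cookie: Optional[str] = None
    for _ in range(attempts):
        sid, ticket = srv.render_login_form(cookie)   # F5 re-renders the form
        cookie = sid if cookie_persists else None
        results.append(srv.post_login(cookie, {"ticket": ticket}, headers))
    return results


if __name__ == "__main__":
    print("cookie kept:   ", simulate_login(True))
    print("cookie dropped:", simulate_login(False))
```

With the cookie kept every attempt returns "ok"; with it dropped every attempt returns "no-ticket-in-session", and no amount of reloading changes that, which is the user-visible loop. The reason code is what makes the error page useful: "mismatch" or "bad-origin" with a valid session is the forgery signal, while "no-ticket-in-session" on a login form almost always means the session was lost and the form should simply be re-issued.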
- Importance
- 9
- Easy to solve?
- 4
- Priority
- 36
- Demonstrate Bug on Tiki 19+
-
This bug has been demonstrated on show2.tiki.org
- Demonstrate Bug (older Tiki versions)
-
This bug has been demonstrated on show.tikiwiki.org
- Ticket ID
- 7133
- Created
- Sunday 21 July, 2019 17:13:12 UTC by Xavier de Pedro
- LastModif
- Sunday 10 October, 2021 11:36:36 UTC