#5475 Move CSRF token insertion from JS to easywidgets

v1.1.0
closed
nobody
General
2015-08-20
2012-12-17
Rich Bowen
No

Standard forms across on Allura have a _session_id field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The ForgeForm class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.

Related

Tickets: #5475

Discussion

1 2 > >> (Page 1 of 2)
  • Dave Brondsema

    Dave Brondsema - 2012-12-17

    The new forge tools require javascript to POST any form (due to the current way we implement CRSF protection).

    Login, logout, and viewing pages (including download) work without javscript.

     
  • Dave Brondsema

    Dave Brondsema - 2012-12-17
    • milestone: limbo --> forge-backlog
     
  • Rich Bowen - 2012-12-21

    So, is our official position on this "wontfix", or is this a wait and see?

     
  • Chris Tsai - 2012-12-26
    • labels: --> support, p3
     
  • Dave Brondsema

    Dave Brondsema - 2013-01-02

    Wait and see. I would like it to be changed and not require JS for all the development tool pages.

     
  • Kyle Adams

    Kyle Adams - 2013-01-02

    FWIW, I'm fairly certain the new 5 star review stuff is going to be wonky without JS. It hasn't been tested for non-JS support. Ditto for the new enterprise pages/designs. We probably need to huddle with Product, Engineering, and Community and make a decision about how whether JS needs to be a requirement.

     
  • Anonymous - 2013-03-17

    Originally by: fabiankeil

    While I can log in without JavaScript, the "log out" link is hidden. I can "view source" and c&p the "log out" URL into the address bar, but I wouldn't call this "working".

    I hope that the POST issues will be fixed before the "new design" is forced on projects that don't enable it voluntary due to all the accessibility issues.

    If security-conscious users are no longer supposed to be able to use SF, it would be great if this could be at least clearly documented.

     
  • Anonymous - 2013-04-21

    Originally by: curaga

    Please implement this. It's becoming important due to the force-upgrade of all SF projects to Allura.

    Creating new tickets does not work without JS, or even on older browsers with JS. In both cases it redirects to the login page, which states that you're already logged in.

     
  • Anonymous - 2013-04-22

    Originally by: *anonymous

    No idea why my previous message is declared "Anonymous" and "awaiting moderation".

    I was logged in when I wrote it and it worked as expected on 2013-03-17.

     
  • Dave Brondsema

    Dave Brondsema - 2013-04-22

    We will consider working this into our development schedule, but as said, please contact SourceForge support to request an upgrade delay if this is very important to your project.

     
  • Anonymous - 2013-04-24

    Originally by: kolpotoru

    I have complain about sourceforge.net that with each new upgrade sourceforge.net is becoming worse i remember the good old days when pages look simple and there were direct download links to files which was much easier but now the pages are much bulkier takes lot time to load this is a big problem where internet speed is slow & new download system much complicated and difficult to download with download manager & many times refuses to download.

    Now i am facing a this new problem that after logging in to sourceforge.net (in Firefox 3.6 which was released last year) whenever i try to post in some projects forum instead of posting my message sourceforge.net again asks me to login. I am unable to understand when i am already logged in how can i again login.

     

    Last edit: Anonymous 2015-11-17
  • Dave Brondsema

    Dave Brondsema - 2013-10-31
    • summary: Provide non-javascript fallback behavior --> Move CSRF token insertion from JS to easywidgets
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,3 +1,5 @@
    -Site functions should continue to work with Javascript disabled.
    +Standard forms across on Allura have a `_session_id` field inserted by JS.  AJAX forms insert it themselves.  This is for CSRF protection.
    
    -Ref: [forge:site-support:#2017]
    +For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side.  The `ForgeForm` class seems like a useful place to do this.  Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template.  A one-line macro seems like a good way to handle that.
    +
    +AJAX forms can stay as-is, they use JS already anyway.
    
     
  • Dave Brondsema

    Dave Brondsema - 2013-10-31

    Majority of JS issues are with CSRF token being inserted with JS, so lets focus on that and do separate tickets for separate concerns.

     
  • Dave Brondsema

    Dave Brondsema - 2013-10-31
    • Labels: support, p3 --> p3, support, 42cc
     
  • Igor Bondarenko

    Igor Bondarenko - 2013-11-01
    • status: open --> in-progress
     
  • Igor Bondarenko

    Igor Bondarenko - 2013-11-01

    Created:

    • #472: [#5475] Move CSRF token insertion from JS to easywidgets (2cp)
    • #473: [#5475] Add csrf macro to all hand-coded forms (dep:472) (2cp)
     

    Related

    Tickets: #5475

  • Igor Bondarenko

    Igor Bondarenko - 2013-11-11
    • status: in-progress --> code-review
     
  • Igor Bondarenko

    Igor Bondarenko - 2013-11-11

    Closed #472, #473

    je/42cc_5475

     
  • Dave Brondsema

    Dave Brondsema - 2013-11-11
    • QA: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-12
    • status: code-review --> in-progress
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-12

    Can you remove it from GET forms (one example is ticket search box). It's not needed there (CSRF is just for POSTs which change state) and it clutters the URL in the resulting address bar pretty bad.

     
  • Dave Brondsema

    Dave Brondsema - 2013-11-12

    Please also check all usage of SimpleForm and see if you can find any where _session_id doesn't come through. I think those may be missing that hidden field, but in some quick testing I couldn't find one.

    I did find one in our internal forge-classic repo, which demonstrates what can happen. I tried the following, which I think should work, but for some reason the value doesn't get rendered in the HTML.

    --- sfx/widgets.py
    +++ sfx/widgets.py
    @@ -1,4 +1,5 @@
     from pylons import tmpl_context as c
    +from tg import request
     import formencode
     from formencode import validators as fev
     from formencode import schema as fes
    @@ -58,8 +59,12 @@ class _MailingListRow(ew.RowField):
     class ListAdmin(ew.SimpleForm):
         submit_text = 'Save'
    
    -    class fields(ew_core.NameList):
    -        lists = ew.TableField(field=_MailingListRow())
    +    @property
    +    def fields(self):
    +        return [
    +            ew.TableField(name='lists', field=_MailingListRow()),
    +            ew.HiddenField(name='_session_id', value=request.cookies['_session_id']),
    +        ]
    
     
  • Igor Bondarenko

    Igor Bondarenko - 2013-11-26
    • status: in-progress --> code-review
     
  • Igor Bondarenko

    Igor Bondarenko - 2013-11-26

    Closed #493. {allura,forge-classic}:je/42cc_5475 (allura force-pushed)

     
1 2 > >> (Page 1 of 2)

Log in to post a comment.