PrivateCoffee/travelynx
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

use a separate bad_request page for CSRF errors

Browse source
This commit is contained in:
Derf Null 2023-06-04 19:25:24 +02:00
parent 8cef56a940
commit c1635e24fb
No known key found for this signature in database
GPG key ID: 19E6E524EBB177BA
6 changed files with 77 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
lib/Travelynx/Controller/Account.pm
View file

@ -247,8 +247,9 @@ sub do_login {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'login',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
}
else {
@ -288,8 +289,9 @@ sub register {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'register',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -345,8 +347,9 @@ sub register {
# a human user should take at least five seconds to fill out the form.
# Throw a CSRF error at presumed spammers.
$self->render(
'register',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -408,8 +411,11 @@ sub delete {
my ($self) = @_;
my $uid = $self->current_user->{id};
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->flash( invalid => 'csrf' );
$self->redirect_to('account');
$self->render(
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -436,7 +442,11 @@ sub delete {
sub do_logout {
my ($self) = @_;
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'login', invalid => 'csrf' );
$self->render(
'bad_request',
csrf => 1,
status => 400
);
return;
}
$self->logout;
@ -503,8 +513,9 @@ sub social {
if ( $self->param('action') and $self->param('action') eq 'save' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'social',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -724,8 +735,9 @@ sub profile {
if ( $self->param('action') and $self->param('action') eq 'save' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'edit_profile',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -908,8 +920,9 @@ sub change_mail {
if ( $action and $action eq 'update_mail' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'change_mail',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -967,9 +980,9 @@ sub change_name {
if ( $action and $action eq 'update_name' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'change_name',
name => $old_name,
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -1033,7 +1046,11 @@ sub change_password {
my $password2 = $self->req->param('newpw2');
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'change_password', invalid => 'csrf' );
$self->render(
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -1074,7 +1091,11 @@ sub request_password_reset {
if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'recover_password', invalid => 'csrf' );
$self->render(
'bad_request',
csrf => 1,
status => 400
);
return;
}
@ -1131,7 +1152,11 @@ sub request_password_reset {
my $password2 = $self->param('newpw2');
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'set_password', invalid => 'csrf' );
$self->render(
'bad_request',
csrf => 1,
status => 400
);
return;
}
if (

6
lib/Travelynx/Controller/Api.pm
View file

@ -567,7 +567,11 @@ sub import_v1 {
sub set_token {
my ($self) = @_;
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'account', invalid => 'csrf' );
$self->render(
'bad_request',
csrf => 1,
status => 400
);
return;
}
my $token = make_token();

5
lib/Travelynx/Controller/Traewelling.pm
View file

@ -15,8 +15,9 @@ sub settings {
and $self->validation->csrf_protect->has_error('csrf_token') )
{
$self->render(
'traewelling',
invalid => 'csrf',
'bad_request',
csrf => 1,
status => 400
);
return;
}

7
lib/Travelynx/Controller/Traveling.pm
View file

@ -1529,10 +1529,9 @@ sub visibility_form {
if ( $action eq 'save' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render(
'edit_visibility',
error => 'csrf',
user_level => $user_level,
journey => {}
'bad_request',
csrf => 1,
status => 400
);
}
elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) {

9
templates/_invalid_input.html.ep
View file

@ -2,14 +2,7 @@
<div class="col s12">
<div class="card caution-color">
<div class="card-content white-text">
% if ($invalid eq 'csrf') {
<span class="card-title">Ungültiger CSRF-Token</span>
<p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
Fall von <a
href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
handeln.</p>
% }
% elsif ($invalid eq 'credentials') {
% if ($invalid eq 'credentials') {
<span class="card-title">Ungültige Logindaten</span>
<p>Falscher Account oder falsches Passwort.</p>
% }

19
templates/bad_request.html.ep Normal file
View file

@ -0,0 +1,19 @@
<div class="row">
<div class="col s12">
<div class="card caution-color">
<div class="card-content white-text">
<span class="card-title">400 Bad Request</span>
% if (stash('csrf')) {
<p>Ungültiger CSRF-Token. Dieser dient zum Schutz vor Cross-Site Request Forgery.</p>
<p>Falls du von einer externen Seite hierhin geleitet wurdest, wurde möglicherweise (erfolglos) versucht, deinen Account anzugreifen. Falls du von travelynx selbst aus hier angekommen bist, kann es sich um eine fehlerhafte Cookie-Konfiguration im Browser, eine abgelaufene Session (→ bitte nochmal versuchen) oder du einen Bug in travelynx handeln (→ bitte melden).</p>
% }
% elsif (my $m = stash('message')) {
<p><%= $m %></p>
% }
% else {
<p>Diese Anfrage ist ungültig. Ursache kann z.B. eine abgelaufene Session oder ein Bug in travelynx sein.</p>
% }
</div>
</div>
</div>
</div>