Aug 8th 2008 edited
 
CSRF validation keys can be both missing from the request and the session

$PostBackKey = ForceIncomingString('PostBackKey', '');
$ExtensionKey = ForceIncomingString('ExtensionKey', '');
$RequestName = ForceIncomingString('RequestName', '');
if ($PostBackKey != $Context->Session->GetVariable('SessionPostBackKey', 'string')) {
...


It should be like:

if ($PostBackKey != '' && $PostBackKey != $Context->Session->GetVariable('SessionPostBackKey', 'string')) {
 
Aug 8th 2008
 
Fixed vanilla r713

In revision 714, I am adding a method to the session class to retrieve the key. It creates the session key if needed and makes getting the key easier:

/**
 * Return the key used for CSRF protection.
 * @return String
 */
function GetCsrfValidationKey() {
    $Key = $this->GetVariable('SessionPostBackKey', 'string');
    if ($Key == '') {
        $Key = DefineVerificationKey();
        $this->SetVariable('SessionPostBackKey', $Key);
    }
    return $Key;
}

Vanilla r714, People r98, Framework r153
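The failure mode the thread describes, as an added example (not Vanilla's code or either poster's): a plain array stands in for $Context->Session, makeVerificationKey() is a hypothetical stand-in for DefineVerificationKey(), and the "after" check follows the r714 approach of creating the session key on first use so an empty request key can never match.

```php
<?php
// Added example, not code from Vanilla or this thread. A plain array models
// the session; makeVerificationKey() is a hypothetical stand-in for
// Vanilla's DefineVerificationKey().
function makeVerificationKey(): string {
    return bin2hex(random_bytes(16));
}

// Check as it behaved before r713: the request key is compared with whatever
// the session holds. With no key in the session and none in the request,
// '' != '' is false, so the request is treated as valid.
function csrfCheckBefore(array &$session, string $postBackKey): bool {
    $sessionKey = $session['SessionPostBackKey'] ?? '';
    return !($postBackKey != $sessionKey);
}

// r714-style accessor: the session key is created the first time it is
// asked for, so the comparison below never sees an empty expected value.
function getCsrfValidationKey(array &$session): string {
    if (empty($session['SessionPostBackKey'])) {
        $session['SessionPostBackKey'] = makeVerificationKey();
    }
    return $session['SessionPostBackKey'];
}

// Hardened check: non-empty request key required, compared in constant time.
function csrfCheckAfter(array &$session, string $postBackKey): bool {
    $expected = getCsrfValidationKey($session);
    return $postBackKey !== '' && hash_equals($expected, $postBackKey);
}

// Constructed scenarios.
$freshSession  = [];   // session that has never issued a key
$emptyRequest  = '';   // request posted without a PostBackKey field

echo "before fix, both keys missing, accepted: ",
     var_export(csrfCheckBefore($freshSession, $emptyRequest), true), "\n";
echo "after fix, both keys missing, accepted:  ",
     var_export(csrfCheckAfter($freshSession, $emptyRequest), true), "\n";

// Legitimate round-trip: the key issued to the form comes back unchanged.
$issued = getCsrfValidationKey($freshSession);
echo "after fix, issued key returned, accepted: ",
     var_export(csrfCheckAfter($freshSession, $issued), true), "\n";
```

The first echo shows why the original check passed a request that carried no key at all; the last two show the fixed accessor rejecting that case while still accepting a key the session actually issued.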

Issue information

  • 6
  • Dinoboff
  • Bug Tracker
  • Resolved
  • Medium
  • Bug

Vanilla 1.1.5 is a product of Lussumo. More Information: Documentation, Community Support.