[GSoC] problem with tokens in my Google Summer of Code


Javier Gómez

Aug 15, 2012, 8:07:50 PM
to joomla-...@googlegroups.com
Hi,

In part two of my Google Summer of Code project you can install languages in Joomla! CMS during the installation process.
You will have a better understanding if you watch this 4 minute video that explains what the project does: http://www.youtube.com/watch?v=jufj5kCT6Uw

This is my Alpha2 release that "almost" works. But I need your help with an issue that I don't know how to solve.

The problem is in file /installation/controllers/setup.json.php, in lines:

509 JSession::checkToken('request') or $this->sendResponse(new Exception(JText::_('JINVALID_TOKEN'), 403));

574 JSession::checkToken('request') or $this->sendResponse(new Exception(JText::_('JINVALID_TOKEN'), 403));

If you comment out these lines it works. But the right solution should check the tokens to prevent attacks (see: http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms). The checkToken() doesn't work because the two tokens are different. Why? I don't know, and that is the problem ^_^

Please feel free to test it:

Files:
Thanks so much for your help.

Ole Ottosen (ot2sen)

Aug 16, 2012, 2:53:40 AM
to joomla-...@googlegroups.com
Hi Javier,
 
Exciting stuff! Did a quick test to just see how one of the most important features in years was progressing.
Was so great to see the list of languages to choose from. Did I say it was exciting :D
 
I did meet the roadblock you mention of a token, and can't give much valid feedback with my "color blind" understanding of code...
But maybe, just maybe it could be that this new action need to be in installation.js too?
 
Note: I didn't have sound when watching the video, so it could be you mentioned it. The languages steps will be added before the current 'Finish' step, right? Right now having the button below the 'Remove folder' button is sort of risky, as it is tempting to click remove first.
 
Keep up the good work Javier!
 
Cheers,
 
Ole

--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/QHK7zLWnvAIJ.
To post to this group, send an email to joomla-...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-cm...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.

Javier Gómez

Aug 16, 2012, 10:56:50 AM
to joomla-...@googlegroups.com
Hi Ole,

Thanks very much for your nice words. I'm really excited also, I think that this feature could help a lot of non-native English speakers.

You said: 
Right now having the button below the 'Remove folder' button is sort of risky, as it is tempting to click remove first.
 
That is a very good point. I have already taken care of it. If the user clicks on "remove folder", the installation.js has a new line that will make the "install languages" button inactive.

You said: 
But maybe, just maybe it could be that this new action need to be in installation.js too?
Mmm, that makes sense, I will investigate there. Thanks


Thanks again. 

Javier Gómez

Aug 17, 2012, 4:30:26 PM
to joomla-...@googlegroups.com
I found the solution.

The problem was that the tokens were different: https://dl.dropbox.com/u/1648056/GSOC2012/part2/tokenbug/problem1.png

And they were different because Joomla! uses the configuration.php "secret word" to build the hash of the token (this makes your tokens different from other installations even if you have the same session id):

The configuration depends on the application. During installation in Joomla! there is no configuration.php, so there is no "secret word". And in my language installation I'm using the just created "configuration.php" to be able to use the JUpdater and other classes that need the main configuration file.

So I just did that:

public function installLanguages()
{
+	// Reload the configuration so the now-present configuration.php (and its secret)
+	// is used, and reset the cached session so it is recreated under that configuration.
+	JFactory::$config = null;
+	JFactory::getConfig(JPATH_SITE . '/configuration.php');
+	JFactory::$session = null;

	// Check for a valid token. If invalid, send a 403 with the error message.
	JSession::checkToken() or $this->sendResponse(new Exception(JText::_('JINVALID_TOKEN'), 403));

	// ... remainder of the method unchanged
}


That makes Joomla! reload the config including the configuration.php information.

By now it looks like a hack, maybe it doesn't look bad to you. I was wondering if any of you have any idea of how to make it look better?

Thanks everyone
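
The following is an added, self-contained illustration of the mechanism Javier describes; it is not his code and not Joomla's own implementation. The token derivation is a stand-in (an HMAC of the session token under the configuration secret), and the helpers loadSecret, formToken and checkToken are invented for the example. It shows why a form token computed while configuration.php is absent (empty secret) fails verification once the file has been written and loaded, and that the check passes again once both sides are computed under the same, reloaded secret.

```php
<?php
// Added example: a toy model of a CSRF form token derived from the application
// secret and the session token. Not Joomla's code; helper names are hypothetical.

// Stand-in for "load the configuration": returns the secret currently available.
// During installation there is no configuration.php yet, so the secret is empty.
function loadSecret(?string $configFile): string
{
    if ($configFile === null || !is_file($configFile)) {
        return '';
    }
    $cfg = parse_ini_file($configFile);      // constructed: a one-line "secret" ini file
    return $cfg['secret'] ?? '';
}

// Toy token: HMAC of the session token keyed with the configuration secret.
// Different secrets therefore yield different tokens for the same session.
function formToken(string $secret, string $sessionToken): string
{
    return hash_hmac('sha256', $sessionToken, $secret);
}

// Constant-time comparison, as a CSRF token check should use.
function checkToken(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// --- demonstration with constructed values ---
$sessionToken = bin2hex(random_bytes(16));                 // constructed session token
$configFile   = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($configFile, "secret=\"constructed-secret-word\"\n");

// 1. The form is rendered before configuration.php exists: token built with an empty secret.
$issuedDuringInstall = formToken(loadSecret(null), $sessionToken);

// 2. The request is verified after configuration.php was written and loaded: different secret,
//    so the token from step 1 no longer matches (the mismatch reported in the thread).
$secretAfterReload = loadSecret($configFile);
$mismatch = checkToken(formToken($secretAfterReload, $sessionToken), $issuedDuringInstall);
echo 'token issued before reload verifies: ' . var_export($mismatch, true) . PHP_EOL;   // false

// 3. Issue and verify under the same reloaded secret: the check passes.
$issuedAfterReload = formToken($secretAfterReload, $sessionToken);
$match = checkToken(formToken($secretAfterReload, $sessionToken), $issuedAfterReload);
echo 'token issued after reload verifies:  ' . var_export($match, true) . PHP_EOL;      // true

unlink($configFile);
```

The takeaway for the thread's bug is that the token generator and the token verifier must see the same secret; resetting the cached configuration (and the session built on it) before the check is one way to guarantee that, as long as the form that issued the token was also rendered under that configuration.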

Matt Thomas

Aug 17, 2012, 4:46:57 PM
to joomla-...@googlegroups.com
That's awesome that you found a solution. I suspect sharing that might help others too.

Wish I could lend more than that as this is far beyond me :-)

Happy to see this progressing further!

Best,

Matt Thomas
Founder betweenbrain
Phone: 203.632.9322
Twitter: @betweenbrain
