Possible vulnerability


Anthony

Apr 28, 2013, 11:43:39 PM
to web2py-d...@googlegroups.com
I'm not sure if this is a real vulnerability, but I noticed that the code that checks the _formkey in the .accepts() method of FORM looks like this:

        if session:
            formkey = session.get('_formkey[%s]' % formname, None)
            # check if user tampering with form and void CSRF
            if formkey != request_vars._formkey:
                status = False

So, even if you call form.accepts(request, session), if the session happens to be empty at that point, the code will not check whether the form includes a _formkey and whether that _formkey exists in the session. This means if you send a post request without sending a session cookie (or with a tampered cookie-based session), the _formkey check will be skipped and the submission will be allowed (assuming nothing else gets added to the session during the request and the action doesn't require login). I'm not sure there's really any circumstance in which this can be exploited, but to be safe, should we change the code to something like:

        if session is not None:
            formkey = session.get('_formkey[%s]' % formname, None)
            # check if user tampering with form and void CSRF
            if not formkey or formkey != request_vars._formkey:
                status = False

That way, whenever you pass the session to .accepts(), submission will fail unless the form contains a _formkey and that _formkey is in the session.

Anthony
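To make the difference between the two checks concrete, here is an added example (not web2py's own code) that models both versions side by side with a minimal Storage stand-in; the names check_formkey_original, check_formkey_fixed, compare and Storage are assumptions, and all inputs are constructed. Besides the empty-session case from the post, it also shows a non-empty session that simply lacks the form's key, where the original compares None with None and passes.

```python
# Added example, not code from web2py: a minimal model of the two _formkey
# checks discussed in the thread, so the empty-session case can be run directly.


class Storage(dict):
    """Minimal stand-in for web2py's Storage: missing keys read as None."""

    def __getattr__(self, key):
        return self.get(key, None)


def check_formkey_original(session, request_vars, formname):
    """Mirror the logic quoted from FORM.accepts(): the check only runs when
    `session` is truthy, so an empty session dict skips it entirely."""
    status = True
    if session:
        formkey = session.get('_formkey[%s]' % formname, None)
        # check if user tampering with form and void CSRF
        if formkey != request_vars._formkey:
            status = False
    return status


def check_formkey_fixed(session, request_vars, formname):
    """Proposed variant: run the check whenever a session object was passed
    at all, and reject a missing key as well as a mismatched one."""
    status = True
    if session is not None:
        formkey = session.get('_formkey[%s]' % formname, None)
        # check if user tampering with form and void CSRF
        if not formkey or formkey != request_vars._formkey:
            status = False
    return status


def compare(session, request_vars, formname='myform'):
    """Return (original_result, fixed_result) for one session/request pair."""
    return (check_formkey_original(session, request_vars, formname),
            check_formkey_fixed(session, request_vars, formname))


if __name__ == '__main__':
    # Constructed inputs: a session holding the expected key for 'myform'.
    valid = Storage({'_formkey[myform]': 'abc123'})
    print(compare(valid, Storage(_formkey='abc123')))  # (True, True)
    print(compare(valid, Storage(_formkey='wrong')))   # (False, False)
    print(compare(Storage(), Storage()))               # (True, False): empty session skips the original check
    print(compare(Storage(other='x'), Storage()))      # (True, False): key absent on both sides, None == None
```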

Massimo DiPierro

Apr 29, 2013, 12:04:52 AM
to web2py-d...@googlegroups.com
Auch! In trunk.
