
Item2497: Add strikeone protection also for the register case

Priority: Enhancement
Current State: Closed
Released In: 1.0.9
Target Release: patch
Applies To: Engine
Reported By: KennethLavrsen
Waiting For:
Last Change By: PaulHarvey
Not a huge security issue

But by adding strikeone protection also to the register case (non-bulk) we get good protection against bot registrations, and it should have been added when we added the same protection for save and attach. Anything that saves information should be strikeone protected. Bulk registration is limited to admins, so it can be unprotected.

It is one code line.

I also found some code that was a bit weak in robustness. If you register and hack the action parameter to nothing, the code that handles register continues further than it needs to even if registration is disabled. Later some other code catches it, preventing an attack. Better to have robust code, so now register without an action gives a generic oops.

I reused a generic message so we avoid a new translation. It is a message users should never see unless they play with development plugins for their web browser.

The change to requiring magic number + strikeone (if enabled) means that BlackListPlugin will not need this feature anymore. I will therefore remove this feature from that plugin.

We can argue whether this is a new feature or a bug. It is both. When we introduced the CSRF protection we started with normal save. Then we added protection for attachments. It is natural that the same protection should prevent bots from creating users. It was ONE code line in core to add the feature. The rest was already there as a standard mechanism. So I chose to include this also in 1.0.9.

-- KennethLavrsen - 11 Dec 2009
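The following is an added illustration, not Foswiki's own code and not part of the original task text. It sketches the strikeone-style validation that the report wants applied to the register script: the server issues a one-shot nonce in a hidden field, the browser-side script replaces it with a hash of the nonce and a per-session cookie, and the server only accepts the hashed value. The hash construction (MD5 of nonce plus cookie), the `Session`, `issue_nonce`, `validate` and `register` names, and the oops template names are assumptions chosen for the example; the point it demonstrates is that a bot which never runs the script fails validation, and that a register request with a missing action is rejected up front rather than wandering further into the handler.

```python
import hashlib
import secrets


class Session:
    """Minimal stand-in for a server-side session (assumed, not Foswiki's)."""

    def __init__(self):
        # Outstanding one-shot nonces issued to this session.
        self.nonces = set()
        # Per-session cookie value the browser-side script mixes in
        # (plays the role of a strikeone cookie; random for the example).
        self.cookie = secrets.token_hex(16)


def issue_nonce(session):
    """Server side: mint a nonce and return the hidden-field value.

    The leading '?' marks a value that has not yet been processed by the
    browser-side script.
    """
    nonce = secrets.token_hex(8)
    session.nonces.add(nonce)
    return "?" + nonce


def strikeone_sign(field_value, cookie):
    """Browser side: what the submit-time script does to the hidden field.

    A bot that does not run JavaScript never performs this step and so
    submits the raw '?nonce' value.
    """
    nonce = field_value[1:] if field_value.startswith("?") else field_value
    return hashlib.md5((nonce + cookie).encode()).hexdigest()


def validate(session, submitted, strikeone=True):
    """Server side: accept the key once, then discard the nonce (no replay)."""
    for nonce in list(session.nonces):
        if strikeone:
            expected = hashlib.md5((nonce + session.cookie).encode()).hexdigest()
        else:
            expected = nonce
        if secrets.compare_digest(expected, submitted):
            session.nonces.discard(nonce)
            return True
    return False


def register(session, params, registration_enabled=True):
    """Handler for the non-bulk register case.

    Returns the name of the outcome (assumed labels). The checks run in
    the order the report asks for: a missing or wrong action is refused
    with a generic error before any registration logic, then the
    registration-disabled check, then the validation key.
    """
    if params.get("action") != "register":
        return "oops_generic"
    if not registration_enabled:
        return "oops_registration_disabled"
    if not validate(session, params.get("validation_key", "")):
        return "oops_validation"
    return "registered"


if __name__ == "__main__":
    s = Session()
    field = issue_nonce(s)
    key = strikeone_sign(field, s.cookie)
    print(register(s, {"action": "register", "validation_key": key}))
```

Bulk registration is left out of the example on purpose: as the report says, it is admin-only and stays unprotected.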


Summary: Add strikeone protection also for the register case
ReportedBy: KennethLavrsen
Codebase: 1.0.8, trunk
SVN Range:
AppliesTo: Engine
Priority: Enhancement
CurrentState: Closed
Checkins: distro:18068adb8a6d distro:fb519a813d2a distro:6583c0078f11 distro:549d511284f0
TargetRelease: patch
ReleasedIn: 1.0.9
Topic revision: r7 - 17 Jan 2010, PaulHarvey