Item2497: Add strikeone protection also for the register case
Current State: Closed
Released In: 1.0.9
Target Release: patch
Applies To: Engine
Not a huge security issue
But adding strikeone protection also to the register case (non-bulk) we get a good protection against bot registrations and should have been added when we added the same protection for save and attach. Anything that saves information should be strikeone protected. Bulk registration is limited to admins so it can be unprotected.
It is one code line.
I also found some code that was a bit weak in robustness. If you register and hack the action parameter to nothing, the code that handles register continues further than it needs to even if registration is disabled. Later some other code catches it, preventing an attack. Better to have robust code, so now the register without action gives a generic oops.
I reused a generic message so we avoid a new translation. It is a message users should never see unless they play with development plugins for their webbrowser.
The change to requiring magic number + strikeone if enabled means that BlackListPlugin will not need this feature anymore. I will therefore remove this feature from that plugin.
We can argue if this is a new feature or a bug. It is both. When we introduced the CSRF protection we started with normal save. Then we added protection for attachments. It is natural that the same protection should prevent bots from creating users. It was ONE code line in core to add the feature. The rest was already there as standard mechanism. So I chose to include this also in 1.0.9
- 11 Dec 2009
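The two points above, gating every state-changing action (save, attach and register, but not the admin-only bulk registration) behind the same anti-CSRF validation check, and rejecting an empty or unknown action with a generic error before the register handler runs at all, as an added example that is not code from this item or from Foswiki. The dispatcher, the request dictionary layout, the handler names and the HMAC-based validation key scheme are all constructed assumptions for illustration; Foswiki's real strikeone mechanism differs in detail.

```python
"""Constructed example: a request dispatcher that applies one anti-CSRF
validation check to every state-changing action and refuses an empty or
unknown action up front. Not Foswiki code; all names are assumptions."""
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads it from config.
SERVER_SECRET = b"example-server-secret-not-for-production"


def issue_validation_key(session_id: str) -> str:
    """Derive the per-session key that the form embeds as a hidden field
    (the role the strikeone validation key plays in the page's description)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validation_key_ok(request: dict) -> bool:
    """Compare the submitted key with the expected one in constant time."""
    expected = issue_validation_key(request.get("session_id", ""))
    submitted = request.get("validation_key", "")
    return hmac.compare_digest(expected, submitted)


# Handlers are stand-ins for the real actions; the return values are
# constructed so the dispatch outcome can be checked.
def handle_view(request: dict) -> str:
    return "viewed"


def handle_save(request: dict) -> str:
    return "saved"


def handle_attach(request: dict) -> str:
    return "attached"


def handle_register(request: dict) -> str:
    return "registered"


def handle_bulk_register(request: dict) -> str:
    return "bulk registered"


HANDLERS = {
    "view": handle_view,
    "save": handle_save,
    "attach": handle_attach,
    "register": handle_register,
    "bulkregister": handle_bulk_register,
}

# Anything that saves information needs the validation key. Bulk
# registration is restricted to admins instead, as the item describes.
STATE_CHANGING = {"save", "attach", "register"}
ADMIN_ONLY = {"bulkregister"}

GENERIC_OOPS = "oops: generic error"


def dispatch(request: dict, registration_enabled: bool = True) -> str:
    """Route a request, enforcing the checks before any handler runs."""
    action = request.get("action", "")
    # An empty or unknown action stops here with the generic message
    # instead of falling through into a handler and relying on a later check.
    if action not in HANDLERS:
        return GENERIC_OOPS
    if action == "register" and not registration_enabled:
        return GENERIC_OOPS
    if action in ADMIN_ONLY and not request.get("is_admin", False):
        return "oops: access denied"
    if action in STATE_CHANGING and not validation_key_ok(request):
        return "oops: validation failed"
    return HANDLERS[action](request)


if __name__ == "__main__":
    sid = "constructed-session-1"
    key = issue_validation_key(sid)
    print(dispatch({"action": "register", "session_id": sid, "validation_key": key}))
    print(dispatch({"action": "register", "session_id": sid, "validation_key": "forged"}))
    print(dispatch({"action": "", "session_id": sid, "validation_key": key}))
```

The ordering inside `dispatch` is the point: the action is validated first, then the registration-disabled and admin checks, then the validation key, so a request carrying no action or a disabled action never reaches registration code, and a bot that scripts a register POST without the per-session key is refused the same way a scripted save or attach would be.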