
Item2497: Add strikeone protection also for the register case

Priority: Enhancement
CurrentState: Closed
AppliesTo: Engine
Component:
WaitingFor:
Not a huge security issue.

But by adding strikeone protection also to the register case (non-bulk) we get good protection against bot registrations, and it should have been added when we added the same protection for save and attach. Anything that saves information should be strikeone protected. Bulk registration is limited to admins, so it can be unprotected.

It is one code line.

I also found some code that was a bit weak in robustness. If you register and hack the action parameter to nothing, the code that handles register continues further than it needs to, even if registration is disabled. Later some other code catches it, preventing an attack. Better to have robust code, so now register without action gives a generic oops.

I reused a generic message so we avoid a new translation. It is a message users should never see unless they play with development plugins for their web browser.

The change to requiring magic number + strikeone if enabled means that BlackListPlugin will not need this feature anymore. I will therefore remove this feature from that plugin.

We can argue if this is a new feature or a bug. It is both. When we introduced the CSRF protection we started with normal save. Then we added protection for attachments. It is natural that the same protection should prevent bots from creating users. It was ONE code line in core to add the feature. The rest was already there as a standard mechanism. So I chose to include this also in 1.0.9.

-- KennethLavrsen - 11 Dec 2009
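The two points in the report, a one-time validation key on the register action and an up-front check that an empty or tampered action parameter stops processing before any registration logic runs, as an added illustration. This is example code, not Foswiki's own implementation and not the author's checkin; the class name RegistrationHandler, the method names, the 600-second key lifetime and the returned status strings are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a minimal one-time ("strike one") validation key for a
# registration action, plus a strict action/enabled check that runs before any
# registration work. Not Foswiki's code; all names here are hypothetical.


class RegistrationHandler:
    """Handles a register request with CSRF protection and a strict action check."""

    KEY_TTL = 600  # seconds a validation key stays usable (assumed value)

    def __init__(self, registration_enabled=True, server_secret=None):
        self.registration_enabled = registration_enabled
        # Per-server secret binding keys to a session; generated here for the example.
        self.server_secret = server_secret or secrets.token_bytes(32)
        # session_id -> {validation_key: expiry}; a key is deleted on first use.
        self._issued = {}

    def issue_key(self, session_id):
        """Mint a one-time key when the registration form is rendered."""
        nonce = secrets.token_hex(16)
        key = hmac.new(
            self.server_secret, f"{session_id}:{nonce}".encode(), hashlib.sha256
        ).hexdigest()
        self._issued.setdefault(session_id, {})[key] = time.time() + self.KEY_TTL
        return key

    def _consume_key(self, session_id, key):
        """True iff the key was issued to this session, is unexpired and unused.
        The key is removed on the first check, so a replay with the same key fails."""
        keys = self._issued.get(session_id, {})
        expiry = keys.pop(key, None)
        if expiry is None:
            return False
        return time.time() <= expiry

    def handle_request(self, session_id, params):
        """Dispatch a register request and return a status string.

        Ordering is the robustness point from the report: the action check and
        the registration-enabled check happen first, so a missing, empty or
        unknown action never reaches the registration path."""
        action = params.get("action", "")
        if action != "register":
            return "oops_generic"  # reuse a generic message; users should never see it
        if not self.registration_enabled:
            return "oops_registration_disabled"
        key = params.get("validation_key", "")
        if not self._consume_key(session_id, key):
            return "oops_invalid_validation_key"
        # Real user creation would happen here; the example only reports success.
        return f"registered:{params.get('WikiName', '')}"


if __name__ == "__main__":
    handler = RegistrationHandler()
    key = handler.issue_key("session-A")
    print(handler.handle_request("session-A", {"action": "register",
                                                "validation_key": key,
                                                "WikiName": "ExampleUser"}))
    # Replaying the same key fails because it was consumed on first use.
    print(handler.handle_request("session-A", {"action": "register",
                                                "validation_key": key}))
```

The key is consumed inside `_consume_key` via `dict.pop`, so the first submission succeeds and any replay, or a key presented from a different session, is rejected; the disabled check precedes the key check so a disabled installation never hands out a meaningful result to a forged request.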

ItemTemplate

Summary Add strikeone protection also for the register case
ReportedBy KennethLavrsen
Codebase 1.0.8, trunk
SVN Range
AppliesTo Engine
Component
Priority Enhancement
CurrentState Closed
WaitingFor
Checkins Foswikirev:5778 Foswikirev:5779 Foswikirev:5780 Foswikirev:5781
TargetRelease patch
ReleasedIn 1.0.9
Topic revision: r7 - 17 Jan 2010, PaulHarvey
 