Item2128: Item2115 (upload CSRF) needs merging to trunk
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
Also the unit tests are currently banjaxed. The workaround we have in 1.0.7 is OK, but not a long term solution IMHO.
The problem is this:
- User visits Attach screen, enters name of file and hits Upload
- Request is sent with the token from the Attach screen
- Server processes request, expires the token, and uploads the file
- User hits "back" in browser to get back to the Attach screen.
- User enters a new filename and hits Upload
- Request is sent with the original (now expired) token from the Attach screen
- Server sees the key is invalid, and redirects to the confirmation screen by 302
- The redirect caches the request, but does not cache the uploaded file
- when the upload request finishes, the file is removed during DESTROY
- User gets the OK/Cancel confirmation dialog and hits OK
- The file has gone from the server (in step 7) so the upload fails
In step 7 we need to be able to cache the uploaded file, but there are a couple of problems with doing that:
- Uploaded files can be very big, and caching the already cached upload could push the server to its limits
- Expiring redirect caches becomes more complex than simply deleting the files; now we would have to locate and remove any cached uploads.
Obviously you can get around this by clearing
, but that's not a great idea as it weakens the protection considerably.
- 21 Sep 2009
Thinking about it more. If you cache the file on the server, then you are opening a potential hole that could be exploited by filling up the disk with cache files to DoS or otherwise kill the server. So it might be better to reject the request on a validation failure. If you do that, then no upload can happen without a minty fresh validation code.
Merged and closed.
- 16 Nov 2009
Re-opened to fix a bug in the fix. Testing a hashref using
if( $hashref )
will always return true, one has to explicitely bind it to a hash to test its content.
Also cleaned up the useless(?) global $uploads, and the default loading of Data::Dumper (to save performance and memory).
- 18 Nov 2009