plone / Products.CMFPlone

The core of the Plone content management system
https://plone.org
GNU General Public License v2.0

CSRF detection has false positives #840

Closed umlaeute closed 9 years ago

umlaeute commented 9 years ago

Running Plone-5.0beta, I get the following error whenever I click a link for the first time (listing_view is the default view of bar):

Careful, it's possible someone is executing an exploit against you. Verify you
just performed an action on this site and that you were not referred here by a
different website or email.

Original URL
    http://example.com/foo/bar/listing_view

   [Confirm action]

When I click on Confirm action or go back and click the same link again, I can access the content (even in future sessions). I understand that this is some XSS-protection, but why is it triggered? Esp. when the access is totally legit?

vangheem commented 9 years ago

Which beta version? There have been many fixes related to auto csrf checking false positives lately.

It is triggered because something is doing a write on read that is not accounted for.
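An added illustration, not plone.protect's own code, of the "write on read" explanation above: a view that lazily persists a default on its first GET trips the automatic CSRF check once; after the "Confirm action" re-request carries a valid token the change is committed, so later visits no longer write and pass without a prompt, which matches the behaviour umlaeute describes. The names Transaction, Folder, CsrfGuard, visit and declare_safe are this example's assumptions, with declare_safe standing in for explicitly declaring a write safe on read.

```python
import hmac, hashlib, secrets

class Transaction:
    """Stand-in for the ZODB transaction: tracks objects modified during a request."""
    def __init__(self):
        self.registered = set()    # objects changed during this request
        self.safe_writes = set()   # objects whose change was declared safe (cf. plone.protect safeWrite)

class Folder:
    """Content object whose default view lazily persists a setting on first access."""
    def __init__(self):
        self.listing_settings = None
    def listing_view(self, txn, declare_safe=False):
        if self.listing_settings is None:
            self.listing_settings = {"batch_size": 20}   # a write during a read
            txn.registered.add(self)
            if declare_safe:
                txn.safe_writes.add(self)
        return self.listing_settings

class CsrfGuard:
    """Models the auto-CSRF decision: may a request that caused writes commit?"""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # per-user secret (assumed for this example)
    def token(self):
        return hmac.new(self._key, b"csrf", hashlib.sha256).hexdigest()
    def decide(self, txn, submitted_token=None):
        unsafe = txn.registered - txn.safe_writes
        if not unsafe:
            return "commit"              # nothing unexpected was written
        if submitted_token and hmac.compare_digest(submitted_token, self.token()):
            return "commit"              # the write was explicitly authorised
        return "confirm-action"          # write on read without a token: show the warning page

def visit(guard, folder, token=None, declare_safe=False):
    """One GET of listing_view; a transaction that is not committed persists nothing."""
    txn, before = Transaction(), folder.listing_settings
    folder.listing_view(txn, declare_safe)
    verdict = guard.decide(txn, token)
    if verdict != "commit":
        folder.listing_settings = before   # aborted: the lazy default is rolled back
    return verdict

def simulate(declare_safe=False):
    """Verdicts for: the first click, the Confirm action resubmit, and a later click."""
    guard, folder = CsrfGuard(), Folder()
    return [visit(guard, folder, declare_safe=declare_safe),
            visit(guard, folder, token=guard.token(), declare_safe=declare_safe),
            visit(guard, folder, declare_safe=declare_safe)]
```

Running simulate() shows the first plain click blocked and every later one allowed, while simulate(declare_safe=True) shows that declaring the lazy write safe avoids the prompt entirely.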

umlaeute commented 9 years ago

@thet should know

thet commented 9 years ago

It's Plone 5 b4

Aha, write on read ... I have to re-check, maybe this is caused by an addon.

vangheem commented 9 years ago

I can't reproduce this. There have been some recent CSRF auto protect fixes to plone.subrequest.

I'm going to close for now. Please re-open if this is still a problem on master.

thet commented 8 years ago

Confirmed. With new Plone 5, I cannot reproduce this issue either.

faustram commented 8 years ago

Hi, I had the same issue today using Plone-5.0-UnifiedInstaller-r1.tgz. I've created some Plone site instances to investigate, always using the advanced wizard. I think this issue happens only when I select plone.app.multilingual for immediate activation on Plone creation.

kj0317 commented 5 years ago


I know this thread is a few years old but I have just confirmed that my current installation and configuration still had the CSRF false positives. I'm using Plone 5.1.1, installed via Plone UnifiedInstaller, and have the following Addons installed:

- collective.easyform 2.0.0b7
- collective.themefragments 2.11.1
- collective.lineage 2.1.1
- plone.app.jquery 1.11.2
- collective.z3cform.datagridfield 1.2
- plone.session 2.7.0
- plone.app.mosaic 2.1.1
- collective.multitheme 1.0
- webcouturier.dropdownmenu 3.0.3 dev0
- medialog.iconpicker 0.6.4
- medialog.controlpanel 1.1.3
- plone.app.multilingual 5.1.4

Once I disabled plone.app.multilingual, I didn't receive another false positive CSRF protection page. Don't know why it was happening, but I didn't really NEED that addon anyways so I'm glad this is what fixed it. Hope my specific example helps someone else.