Open tsparksh opened 6 years ago
Hi, thank you for this issue! It's a good idea. Do you think you could delete your comments from the live site? I think if you want to test this out, you can use https://stable.publiclab.org, which is not our production site.
Adding a token shouldn't be too hard, and I agree it's a good idea!
I would check out the comment_controller.rb file, and this documentation for how to ensure we require a CSRF token in those routes: https://guides.rubyonrails.org/security.html#csrf-countermeasures
Thank you!
On Wed, Nov 14, 2018 at 10:46 AM Sparks notifications@github.com wrote:
Please describe the problem (or idea)
What happened just before the problem occurred? Or what problem could this idea solve?
Comments can be created or deleted without checking the CSRF token, with a GET request (recording: https://user-images.githubusercontent.com/17945250/48493423-5c6cbc80-e85e-11e8-9246-965488dc8151.gif).
Simple payload:
Where 1254 is the answer id.
Please show us where to look
https://publiclab.org/
What's your PublicLab.org username?
catimail123
Browser, version, and operating system
Any browser, any system
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/publiclab/plots2/issues/3966, or mute the thread https://github.com/notifications/unsubscribe-auth/AABfJ2BKhAKBDKlNt-bTDaWq7jvo3v-Rks5uvDrLgaJpZM4YeA9_ .
Thank you! Sorry I missed a few. Deleted.
Awesome, and great work here!
On Wed, Nov 14, 2018 at 11:15 AM Sparks notifications@github.com wrote:
Thanks for the link! I deleted the comments as soon as I stopped recording the gif.
Also, I guess a CSRF token is needed for likes and dislikes. It is also using a GET request now (like https://publiclab.org/likes/node/123/create).
Can anyone do this?
Yes, we'd love help with this!
On Thu, Nov 15, 2018 at 6:03 AM Sparks notifications@github.com wrote:
Also, I guess a CSRF token is needed for likes and dislikes. It is also using a GET request now (like https://publiclab.org/likes/node/123/create).
Can anyone do this?
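As an added illustration of the fix the maintainer points at above (requiring a CSRF token on the comment routes) and of the same weakness in the like/dislike routes raised in the previous comment, the plain-Ruby toy below is not plots2 code. It models a delete that fires on GET, the forged cross-site request that abuses it, and a version that answers only DELETE and checks a session-bound token, in the spirit of Rails' protect_from_forgery (the X-CSRF-Token header name is the one Rails uses; the route pattern, CommentStore, session hash and token scheme are assumptions made for this example).

```ruby
require "securerandom"

# Added example, not code from plots2. Route, store, session hash and token
# scheme are constructed for illustration of the GET-based CSRF report above.

class CommentStore
  attr_reader :comments
  def initialize
    # constructed sample data: one comment whose id matches the report
    @comments = { 1254 => "hello" }
  end
end

module Csrf
  # Issue (or reuse) a per-session secret; the app embeds it in its forms.
  def self.issue(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so an attacker cannot guess the token byte by byte.
  def self.valid?(session, presented)
    expected = session[:_csrf_token]
    return false if expected.nil? || presented.nil?
    return false unless expected.bytesize == presented.bytesize
    expected.bytes.zip(presented.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

DELETE_ROUTE = %r{\A/comment/delete/(\d+)\z}

# Before: a GET deletes a comment. A third-party page can trigger it with
# <img src="https://publiclab.org/comment/delete/1254">; the browser attaches
# the victim's session cookie and nothing else is checked.
def vulnerable_handle(store, req)
  m = DELETE_ROUTE.match(req[:path])
  return [404, "not found"] unless m && req[:method] == "GET"
  store.comments.delete(m[1].to_i)
  [200, "deleted"]
end

# After: the route only answers DELETE, and the request must carry the
# session's token (form field or X-CSRF-Token header). A forged cross-site
# request cannot read the victim's token, so it is rejected.
def fixed_handle(store, req)
  m = DELETE_ROUTE.match(req[:path])
  return [404, "not found"] unless m && req[:method] == "DELETE"
  token = req[:params]["authenticity_token"] || req[:headers]["X-CSRF-Token"]
  return [422, "invalid authenticity token"] unless Csrf.valid?(req[:session], token)
  store.comments.delete(m[1].to_i)
  [200, "deleted"]
end

# Runs the three cases a reviewer would want to see and returns the outcomes.
def demo
  session = {}                 # the victim's server-side session
  token = Csrf.issue(session)  # rendered into the victim's own delete form

  # 1. forged GET against the vulnerable handler: cookie present, no token
  forged = { method: "GET", path: "/comment/delete/1254",
             session: session, params: {}, headers: {} }
  store = CommentStore.new
  vuln_status, = vulnerable_handle(store, forged)
  vuln_deleted = !store.comments.key?(1254)

  # 2. the same forged GET, and a forged DELETE without a token, against the fix
  store = CommentStore.new
  get_status, = fixed_handle(store, forged)
  del_status, = fixed_handle(store, forged.merge(method: "DELETE"))
  fixed_kept = store.comments.key?(1254)

  # 3. a legitimate DELETE submitted from the victim's own form carries the token
  legit = forged.merge(method: "DELETE", params: { "authenticity_token" => token })
  legit_status, = fixed_handle(store, legit)
  legit_deleted = !store.comments.key?(1254)

  { vulnerable_get: vuln_status, vulnerable_deleted: vuln_deleted,
    fixed_get: get_status, fixed_delete_no_token: del_status, fixed_kept: fixed_kept,
    legit_delete: legit_status, legit_deleted: legit_deleted }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the outcome hash: the forged GET deletes comment 1254 from the vulnerable handler, while the fixed handler returns 404 for the GET, 422 for a DELETE without a token, and 200 only for the request that carries the session's token. The like route mentioned above gets the same treatment: a URL such as /likes/node/123/create must not change state on GET, and once it is a POST checked for the token, a cross-site image or link can no longer act on the logged-in user's behalf.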
Hi @thesparks would you like to solve this one? Thanks!
I'm not very good at ruby, I think it's better to someone else to do it.
On Dec 24, 2018, at 0:50, Gaurav Sachdeva notifications@github.com wrote:
Hi @thesparks would you like to solve this one?
Okay, thanks!