berdario
commented
8 years ago Is there a reason why you haven't used the builtin protection offered by Grails, btw? That's not affected by this bug
Closed berdario closed 8 years ago
berdario
commented
8 years ago Is there a reason why you haven't used the builtin protection offered by Grails, btw? That's not affected by this bug
sheehan
commented
8 years ago My bad. Will be fixed in the next version. withForm is for a single form submission from a gsp, the console plugin is doing many async calls from JavaScript.
berdario
commented
8 years ago Ok, thank you
Indeed, withForm is not a great name, but it only means that it expects the csrf tokens to be provided in the POST body (instead of via an header), as such you can use it just as well for xhr from Javascript
berdario
commented
8 years ago I added a small comment https://github.com/sheehan/grails-console/commit/1edba78770d709b8117dffcce339d1486a3474cf#commitcomment-18519584
I see that you added a fix, but you haven't closed yet this issue... I gather that there's more that you want to fix?
sheehan
commented
8 years ago I was just waiting until i had time to release. Thanks for reporting the issue
I'm afraid that the issue hasn't been fixed properly. I realized it today after deploying your new release.
You can try: login (or simply visit in a barebone new grails application) the main app website, but DON'T visit the console. Trigger the poc I sent you the last time, and you'll see that it'll still work. After accessing the console the protection will be effective and the poc will stop working.
I suspect that the reason might be the
request.getHeader('X-CSRFToken') != session['CONSOLE_CSRF_TOKEN'])check.If the console hasn't been visited yet, there will be no
CONSOLE_CSRF_TOKENin the session, and thus both side of the equations will benull, letting the check pass.