Open msimkunas opened 2 years ago
This issue will be closed and archived in 3 days, as there has been no activity in the last 60 days. If this issue is still relevant or you would like to see it actioned, please respond and we will re-open this issue. If this issue is critical to your business, consider joining the Premium Support Program where a Service Level Agreement is offered.
This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.
This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.
This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.
This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.
Winter CMS Build
dev-develop
PHP Version
7.4
Database engine
MySQL/MariaDB
Plugins installed
No response
Issue description
Frontend AJAX handlers currently do not have CSRF protection enabled.
As per discussion with @LukeTowers, this could be rectified by hooking into the
cms.ajax.beforeRunHandler
event and checking the token with theverifyCsrfToken()
controller method. Care should be taken to prioritize your event listener so that it runs first.@LukeTowers mentioned he is open to the idea of implementing this in Winter. Could this be an opt-in feature (configurable via
enableAjaxCsrfProtection
or something along those lines)?This issue is also documented here:
https://github.com/octobercms/october/issues/696 https://github.com/octobercms/october/issues/3599
Also relevant:
https://github.com/wintercms/winter/commit/260e1f503fe18588f099de5efc928cfe941eed77 https://github.com/wintercms/winter/commit/8da798a5cd2f5f640719550eebebc03e9a9d29d1
Steps to replicate
The server accepts an AJAX request even if it contains an invalid CSRF token.
Workaround
As a temporary workaround, one could register a
cms.ajax.beforeRunHandler
listener in a custom plugin: