#1925 (sfCSRFPlugin incompatible with XMLHttpRequest)

Ticket #1925 (new defect)

Opened 1 year ago

Last modified 5 months ago

sfCSRFPlugin incompatible with XMLHttpRequest

Reported by: Goulwen.REBOUX Assigned to: fabien
Priority: minor Milestone: plugins
Component: sfCSRFPlugin Version: 1.0.0
Keywords: XMLHttpRequest Cc:
Qualification: Unreviewed

Description

When using the Ajax autocompleter, the response is always an error 500 with the exception "CSRF attack detected.", as the JavaScript that launches the request doesn't have the _csrf_token.

Change History

07/04/07 16:01:21 changed by Goulwen.REBOUX

Here are some partial solutions for being able to do XMLHttpRequest with sfCSRFPlugin:

  • As the filter only checks data posted with the POST method, change the method to GET. It works with the link_to_remote() helper, for example, but not with the input_auto_complete_tag() helper, which doesn't support changing the method.
  • So change sfCSRFFilter.class.php in the plugin/lib/ directory and add the following regular expression after the last line:

$response->setContent(preg_replace('#(new Ajax.Autocompleter\(\'(\w)+\', \'(\w)+\', \'(\/|\.|\w)+)#i', '$1/_csrf_token/'.md5($secret.session_id()), $response->getContent()));

07/05/07 10:26:47 changed by Goulwen.REBOUX

The regular expression given in the previous message doesn't work as expected in some cases. Here's a better one:

// Capture the call up to and including the URL argument (group 6), then append the token to the URL.
// \w already covers letters, digits and underscore; a "|" inside [...] would only match a literal pipe.
$response->setContent(preg_replace('#(new Ajax\.Autocompleter\()(\'\w+)(\', )(\'\w+)(\', )(\'\/[\w\-\/\.]+)#i', '$1$2$3$4$5$6/_csrf_token/' .md5($secret.session_id()), $response->getContent()));

03/03/08 16:46:00 changed by Pierrick

  • qualification set to Unreviewed.

Using the same method, you can add this code to let Ajax.Request calls with the POST method pass:

// Here the URL is the first argument (group 2); the token is appended right after it.
$response->setContent(preg_replace('#(new Ajax\.Request\()(\'\/[\w\-\/\.]+)#i', '$1$2/_csrf_token/' .md5($secret.session_id()), $response->getContent()));
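The rewriting approach from the comments above, combined into one helper as an added example (this is not sfCSRFPlugin or symfony code): the function name addCsrfTokenToAjaxCalls, the $token parameter and the sample markup are assumptions, and symfony 1.0's default route is what turns a trailing "/_csrf_token/<value>" path segment into the request parameter the filter checks.

```php
<?php
// Added example (not sfCSRFPlugin or symfony code): apply the ticket's
// workaround to both Ajax.Autocompleter and Ajax.Request calls found in a
// rendered response. symfony 1.0's default route ("/:module/:action/*")
// turns trailing "/key/value" path segments into request parameters, so
// appending "/_csrf_token/<token>" to the URL makes the XHR carry the token
// the filter expects. $token stands for the value the filter computes
// (md5($secret.session_id()) on this ticket); a placeholder is used below.
function addCsrfTokenToAjaxCalls(string $content, string $token): string
{
    $patterns = [
        // new Ajax.Autocompleter('field', 'div', '/module/action', ...): URL is the 3rd argument
        '#(new Ajax\.Autocompleter\(\s*\'\w+\'\s*,\s*\'\w+\'\s*,\s*\'/[\w\-/.]+)#i',
        // new Ajax.Request('/module/action', ...): URL is the 1st argument
        '#(new Ajax\.Request\(\s*\'/[\w\-/.]+)#i',
    ];
    $callback = function (array $m) use ($token): string {
        // Do not append a second token to a URL that already carries one.
        if (strpos($m[1], '/_csrf_token/') !== false) {
            return $m[1];
        }
        return $m[1] . '/_csrf_token/' . $token;
    };
    // Only the captured URL prefix is touched; quoting and remaining arguments stay intact.
    return preg_replace_callback($patterns, $callback, $content);
}

// Constructed sample of the JavaScript the symfony ajax helpers emit into a page.
$html = <<<'HTML'
<script type="text/javascript">
new Ajax.Autocompleter('city', 'city_list', '/search/cities', {paramName: 'q'});
new Ajax.Request('/cart/add', {method: 'post', parameters: 'product_id=7'});
</script>
HTML;

echo addCsrfTokenToAjaxCalls($html, 'TOKEN-PLACEHOLDER');
```

Because the token becomes part of the request path, it will show up in web server access logs and in Referer headers of any resources the target page loads, which a plain POST body parameter would not.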