diff options
| author | Derf Null <derf@finalrewind.org> | 2023-06-04 19:25:24 +0200 |
|---|---|---|
| committer | Derf Null <derf@finalrewind.org> | 2023-06-04 19:25:24 +0200 |
| commit | c1635e24fb78d981a790463cfe35ba552bcaac04 (patch) | |
| tree | 64a3aeff358c6b56663ee01be27713f036d89918 | |
| parent | 8cef56a94033c9b4784026e8e809c03beb59db8b (diff) | |
use a separate bad_request page for CSRF errors
| -rw-r--r-- | lib/Travelynx/Controller/Account.pm | 67 | ||||
| -rwxr-xr-x | lib/Travelynx/Controller/Api.pm | 6 | ||||
| -rw-r--r-- | lib/Travelynx/Controller/Traewelling.pm | 5 | ||||
| -rwxr-xr-x | lib/Travelynx/Controller/Traveling.pm | 7 | ||||
| -rw-r--r-- | templates/_invalid_input.html.ep | 9 | ||||
| -rw-r--r-- | templates/bad_request.html.ep | 19 |
6 files changed, 77 insertions, 36 deletions
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm index db8c92b..511f764 100644 --- a/lib/Travelynx/Controller/Account.pm +++ b/lib/Travelynx/Controller/Account.pm @@ -247,8 +247,9 @@ sub do_login { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'login', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); } else { @@ -288,8 +289,9 @@ sub register { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'register', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -345,8 +347,9 @@ sub register { # a human user should take at least five seconds to fill out the form. # Throw a CSRF error at presumed spammers. $self->render( - 'register', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -408,8 +411,11 @@ sub delete { my ($self) = @_; my $uid = $self->current_user->{id}; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->flash( invalid => 'csrf' ); - $self->redirect_to('account'); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -436,7 +442,11 @@ sub delete { sub do_logout { my ($self) = @_; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'login', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } $self->logout; @@ -503,8 +513,9 @@ sub social { if ( $self->param('action') and $self->param('action') eq 'save' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'social', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -724,8 +735,9 @@ sub profile { if ( $self->param('action') and $self->param('action') eq 'save' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'edit_profile', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -908,8 +920,9 @@ sub change_mail { if ( $action and $action eq 'update_mail' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'change_mail', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -967,9 +980,9 @@ sub change_name { if ( $action and $action eq 'update_name' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'change_name', - name => $old_name, - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -1033,7 +1046,11 @@ sub change_password { my $password2 = $self->req->param('newpw2'); if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'change_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -1074,7 +1091,11 @@ sub request_password_reset { if ( $self->param('action') and $self->param('action') eq 'initiate' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'recover_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -1131,7 +1152,11 @@ sub request_password_reset { my $password2 = $self->param('newpw2'); if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'set_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } if ( diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm index 0410fc6..0382ba8 100755 --- a/lib/Travelynx/Controller/Api.pm +++ b/lib/Travelynx/Controller/Api.pm @@ -567,7 +567,11 @@ sub import_v1 { sub set_token { my ($self) = @_; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'account', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } my $token = make_token(); diff --git a/lib/Travelynx/Controller/Traewelling.pm b/lib/Travelynx/Controller/Traewelling.pm index 31f4a84..71df7f1 100644 --- a/lib/Travelynx/Controller/Traewelling.pm +++ b/lib/Travelynx/Controller/Traewelling.pm @@ -15,8 +15,9 @@ sub settings { and $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'traewelling', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } diff --git a/lib/Travelynx/Controller/Traveling.pm b/lib/Travelynx/Controller/Traveling.pm index 5483e00..80214ab 100755 --- a/lib/Travelynx/Controller/Traveling.pm +++ b/lib/Travelynx/Controller/Traveling.pm @@ -1529,10 +1529,9 @@ sub visibility_form { if ( $action eq 'save' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'edit_visibility', - error => 'csrf', - user_level => $user_level, - journey => {} + 'bad_request', + csrf => 1, + status => 400 ); } elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) { diff --git a/templates/_invalid_input.html.ep b/templates/_invalid_input.html.ep index 6b0fb65..f8c4e2f 100644 --- a/templates/_invalid_input.html.ep +++ b/templates/_invalid_input.html.ep @@ -2,14 +2,7 @@ <div class="col s12"> <div class="card caution-color"> <div class="card-content white-text"> - % if ($invalid eq 'csrf') { - <span class="card-title">Ungültiger CSRF-Token</span> - <p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen - Fall von <a - href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a> - handeln.</p> - % } - % elsif ($invalid eq 'credentials') { + % if ($invalid eq 'credentials') { <span class="card-title">Ungültige Logindaten</span> <p>Falscher Account oder falsches Passwort.</p> % } diff --git a/templates/bad_request.html.ep b/templates/bad_request.html.ep new file mode 100644 index 0000000..5d401da --- /dev/null +++ b/templates/bad_request.html.ep @@ -0,0 +1,19 @@ +<div class="row"> + <div class="col s12"> + <div class="card caution-color"> + <div class="card-content white-text"> + <span class="card-title">400 Bad Request</span> + % if (stash('csrf')) { + <p>Ungültiger CSRF-Token. Dieser dient zum Schutz vor Cross-Site Request Forgery.</p> + <p>Falls du von einer externen Seite hierhin geleitet wurdest, wurde möglicherweise (erfolglos) versucht, deinen Account anzugreifen. Falls du von travelynx selbst aus hier angekommen bist, kann es sich um eine fehlerhafte Cookie-Konfiguration im Browser, eine abgelaufene Session (→ bitte nochmal versuchen) oder du einen Bug in travelynx handeln (→ bitte melden).</p> + % } + % elsif (my $m = stash('message')) { + <p><%= $m %></p> + % } + % else { + <p>Diese Anfrage ist ungültig. Ursache kann z.B. eine abgelaufene Session oder ein Bug in travelynx sein.</p> + % } + </div> + </div> + </div> +</div> |