From c1635e24fb78d981a790463cfe35ba552bcaac04 Mon Sep 17 00:00:00 2001 From: Derf Null Date: Sun, 4 Jun 2023 19:25:24 +0200 Subject: use a separate bad_request page for CSRF errors --- lib/Travelynx/Controller/Account.pm | 67 ++++++++++++++++++++++----------- lib/Travelynx/Controller/Api.pm | 6 ++- lib/Travelynx/Controller/Traewelling.pm | 5 ++- lib/Travelynx/Controller/Traveling.pm | 7 ++-- 4 files changed, 57 insertions(+), 28 deletions(-) (limited to 'lib') diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm index db8c92b..511f764 100644 --- a/lib/Travelynx/Controller/Account.pm +++ b/lib/Travelynx/Controller/Account.pm @@ -247,8 +247,9 @@ sub do_login { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'login', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); } else { @@ -288,8 +289,9 @@ sub register { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'register', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -345,8 +347,9 @@ sub register { # a human user should take at least five seconds to fill out the form. # Throw a CSRF error at presumed spammers. $self->render( - 'register', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -408,8 +411,11 @@ sub delete { my ($self) = @_; my $uid = $self->current_user->{id}; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->flash( invalid => 'csrf' ); - $self->redirect_to('account'); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -436,7 +442,11 @@ sub delete { sub do_logout { my ($self) = @_; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'login', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } $self->logout; @@ -503,8 +513,9 @@ sub social { if ( $self->param('action') and $self->param('action') eq 'save' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'social', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -724,8 +735,9 @@ sub profile { if ( $self->param('action') and $self->param('action') eq 'save' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'edit_profile', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -908,8 +920,9 @@ sub change_mail { if ( $action and $action eq 'update_mail' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'change_mail', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -967,9 +980,9 @@ sub change_name { if ( $action and $action eq 'update_name' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'change_name', - name => $old_name, - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -1033,7 +1046,11 @@ sub change_password { my $password2 = $self->req->param('newpw2'); if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'change_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -1074,7 +1091,11 @@ sub request_password_reset { if ( $self->param('action') and $self->param('action') eq 'initiate' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'recover_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -1131,7 +1152,11 @@ sub request_password_reset { my $password2 = $self->param('newpw2'); if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'set_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } if ( diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm index 0410fc6..0382ba8 100755 --- a/lib/Travelynx/Controller/Api.pm +++ b/lib/Travelynx/Controller/Api.pm @@ -567,7 +567,11 @@ sub import_v1 { sub set_token { my ($self) = @_; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'account', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } my $token = make_token(); diff --git a/lib/Travelynx/Controller/Traewelling.pm b/lib/Travelynx/Controller/Traewelling.pm index 31f4a84..71df7f1 100644 --- a/lib/Travelynx/Controller/Traewelling.pm +++ b/lib/Travelynx/Controller/Traewelling.pm @@ -15,8 +15,9 @@ sub settings { and $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'traewelling', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } diff --git a/lib/Travelynx/Controller/Traveling.pm b/lib/Travelynx/Controller/Traveling.pm index 5483e00..80214ab 100755 --- a/lib/Travelynx/Controller/Traveling.pm +++ b/lib/Travelynx/Controller/Traveling.pm @@ -1529,10 +1529,9 @@ sub visibility_form { if ( $action eq 'save' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'edit_visibility', - error => 'csrf', - user_level => $user_level, - journey => {} + 'bad_request', + csrf => 1, + status => 400 ); } elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) { -- cgit v1.2.3