Changeset 7310

Timestamp:

05/02/10 07:19:36 (2 years ago)

Author:

CrawfordCurrie

Message:

Item1945: change CSRF confirmation 302 to an absolute URL and incorporate Babar's explanation for 419. Thx to MartinVonGagern and OlivierRaginel.

Location:

trunk/core/lib/Foswiki

Files:

• UI.pm (modified) (1 diff)
• Validation.pm (modified) (1 diff)

trunk/core/lib/Foswiki/UI.pm

@@ -319 +319 @@
         print STDERR "ValidationException: redirect with $uid\n";
 
-        # We use the login script for
-        # validation because it already has the correct criteria
-        # in httpd.conf for Apache login.
+        # We use the login script for validation because it already
+        # has the correct criteria in httpd.conf for Apache login.
+        # URL is absolute as required by
+        # http://tools.ietf.org/html/rfc2616#section-14.30
         my $url = $session->getScriptUrl(
-            0, 'login',
+            1, 'login',
             $session->{webName}, $session->{topicName},
             foswikiloginaction => 'validate',

trunk/core/lib/Foswiki/Validation.pm

@@ -281 +281 @@
           ."\n" if TRACE;
 
-        # prompt for user verification - code 419 chosen by foswiki devs
+        # Prompt for user verification - code 419 chosen by foswiki devs.
+        # None of the defined HTTP codes describe what is really happening,
+        # which is why we chose a "new" code. The confirmation page
+        # isn't a conflict, not a security issue, and we cannot use 403
+        # because there is a high probability this would get caught by
+        # Apache to send back the Registation page. We didn't want any
+        # installation to catch the HTTP return code we were sending back,
+        # as we need this page to arrive intact to the user, otherwise
+        # they won't be able to do anything. 419 is a placebo, and if it
+        # is ever defined can be replaced by any other undefined 4xx code.
         $session->{response}->status(419);