Project

General

Profile

Actions

Todo #9799

closed

Create custom CSRF callback page with proper theme & more warnings

Added by Jim Pingle about 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Web Interface
Target version:
Start date:
09/27/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

When a user triggers a CSRF error, either by accident (e.g. sitting on the login page for hours without submitting, then trying to log in), or by malicious means (e.g. unintentional submission from a malicious page), the presented page has two issues:

1. It's a plain/default page from CSRF magic, not themed to match pfSense
2. There is not enough warning text about submitting the "Try Again" button, since it may cause harm

The page can be customized by defining a custom callback function, as described in the CSRF Magic docs: https://github.com/ezyang/csrf-magic/blob/master/README.txt#L102

The configuration/function can be defined in guiconfig.inc before the include of CSRF Magic happens.

Actions #1

Updated by Jim Pingle about 2 years ago

CSRF Magic prevents attacks like the one described at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16667 -- but as with ANY action prevented by CSRF, if the user willingly chooses to resubmit the form, then the attack can still proceed.

Actions #2

Updated by Jim Pingle about 2 years ago

I just pushed the first pass at this. It functions, but could use some design work.

I'm considering removing the resubmit function at all, replacing it with a button/link to return to the previous page, if anything at all. While many times this error is encountered innocuously, the danger may not be worth allowing resubmission.

Actions #3

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle almost 2 years ago

  • Target version changed from 2.5.0 to 2.4.5
Actions #5

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

This is working as intended on 2.4.5.a.20191217.0637

If a client triggers a CSRF failure, they are presented with a nicely formatted error page.This error page requires two forms of confirmation to continue (checkbox+button push and an additional JS confirmation dialog).

Actions #6

Updated by Jim Pingle over 1 year ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF