Todo #9799: Create custom CSRF callback page with proper theme & more warnings
Status: closed (100% done)
Description
When a user triggers a CSRF error, either by accident (e.g. sitting on the login page for hours without submitting, then trying to log in), or by malicious means (e.g. unintentional submission from a malicious page), the presented page has two issues:
1. It's a plain/default page from CSRF magic, not themed to match pfSense
2. There is not enough warning text about submitting the "Try Again" button, since it may cause harm
The page can be customized by defining a custom callback function, as described in the CSRF Magic docs: https://github.com/ezyang/csrf-magic/blob/master/README.txt#L102
The configuration/function can be defined in guiconfig.inc before the include of CSRF Magic happens.
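As an added example of the callback approach the description points to (not pfSense's or csrf-magic's own code), here is a guiconfig.inc fragment that registers a themed failure page with a safe "return to the form" link first and a confirmation-gated resubmit second. It assumes csrf-magic's `$GLOBALS['csrf']['callback']` setting and that the callback receives the submitted token string, the `/css/pfSense.css` stylesheet path, and the `csrf/csrf-magic.php` include path.

```php
<?php
// Added example, not pfSense's own code: a custom csrf-magic failure callback,
// registered in guiconfig.inc before csrf-magic.php is included. Assumes
// csrf-magic's $GLOBALS['csrf']['callback'] hook and that the callback is
// called with the submitted token string when the token check fails.

// Carry the original submission into the confirmation form as hidden fields.
// Every name and value is HTML-escaped: a forged POST is attacker-controlled
// and must not be able to inject markup into the warning page itself.
function csrf_hidden_fields(array $post, string $prefix = ''): string {
    $html = '';
    foreach ($post as $key => $value) {
        $name = ($prefix === '') ? (string)$key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $html .= csrf_hidden_fields($value, $name);
            continue;
        }
        $html .= sprintf("<input type='hidden' name='%s' value='%s' />\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Themed 403 page. The safe action (reload the form via GET, which issues a
// fresh token) comes first; replaying the blocked POST needs an explicit
// checkbox and a JS confirm(), so an accidental click cannot resubmit it.
// $tokens (the submitted token string) is deliberately not echoed.
function pfsense_csrf_callback($tokens): void {
    header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
    header('Cache-Control: no-store');
    $self   = htmlspecialchars($_SERVER['REQUEST_URI'] ?? '/', ENT_QUOTES, 'UTF-8');
    $fields = csrf_hidden_fields($_POST); // csrf-magic's output handler adds a new token on flush
    echo "<!DOCTYPE html><html><head><title>CSRF check failed</title>
<link rel='stylesheet' href='/css/pfSense.css'></head><body>
<div class='container'><h1>CSRF check failed</h1>
<div class='alert alert-danger'><strong>Warning:</strong> this request did not
carry a valid CSRF token. If you did not expect this, another site may have
tried to submit this form on your behalf. Do not resubmit unless you are
certain you initiated this action.</div>
<p><a class='btn btn-primary' href='{$self}'>Return to the form (safe)</a></p>
<form method='post' action='{$self}'
 onsubmit=\"return confirm('Resubmit the blocked request? It may change your configuration.');\">
{$fields}<label><input type='checkbox' required> I initiated this request</label>
<button type='submit' class='btn btn-danger'>Resubmit anyway</button></form>
</div></body></html>\n";
}

$GLOBALS['csrf']['callback'] = 'pfsense_csrf_callback';
require_once('csrf/csrf-magic.php'); // assumed include path, as in pfSense's guiconfig.inc
```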
Updated by Jim Pingle about 5 years ago
CSRF Magic prevents attacks like the one described at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16667 -- but as with ANY action prevented by CSRF, if the user willingly chooses to resubmit the form, then the attack can still proceed.
Updated by Jim Pingle about 5 years ago
I just pushed the first pass at this. It functions, but could use some design work.
I'm considering removing the resubmit function at all, replacing it with a button/link to return to the previous page, if anything at all. While many times this error is encountered innocuously, the danger may not be worth allowing resubmission.
Updated by Jim Pingle about 5 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset da7384c4a42adbcb7c20beba05ff460d0f6da7b3.
Updated by Jim Pingle about 5 years ago
- Target version changed from 2.5.0 to 2.4.5
Updated by Jim Pingle almost 5 years ago
- Status changed from Feedback to Resolved
This is working as intended on 2.4.5.a.20191217.0637
If a client triggers a CSRF failure, they are presented with a nicely formatted error page. This error page requires two forms of confirmation to continue (checkbox+button push and an additional JS confirmation dialog).