opencontent/ezuserformtoken-ls

Opencontent eZ Publish Legacy User Form Token extension

Maintainers

Details

github.com/OpencontentCoop/ezuserformtoken

Source

Issues

Installs: 2 536

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 8

Forks: 1

Open Issues: 0

Type:ezpublish-legacy-extension

dev-master 2019-07-19 13:04 UTC

Requires

GPL-2.0 0177580edf2b3f6168e51703795f72e2c9cfe835

This package is auto-updated.

Last update: 2024-04-20 00:38:20 UTC

README

This extension aims to stop CSRF attacks against eZ Publish implementing the easiest remediation described in detectify.

It works like the official extension eZ Form Token adding input & output filter events, which verify that POST requests have an input matching with a generated custom cookie. The difference with eZ Form Token is that the verification is done on requests made by the anonymous user.

This is all done transparently for html/xhtml forms, but requires changes to all ajax POST code. If the form token does not verify, an exception is currently thrown and an error 500 is send to the HTTP client.

It is possible to configure modules to be protected and the cookie parameter in the new configuration block [UserFormToken] in site.ini (see defaults in settings/site.ini.append.php file of this extension)

See also: How to protect against login CSRF? in stackexchange