use a separate bad_request page for CSRF errors

This commit is contained in:
Derf Null 2023-06-04 19:25:24 +02:00
parent 8cef56a940
commit c1635e24fb
No known key found for this signature in database
GPG key ID: 19E6E524EBB177BA
6 changed files with 77 additions and 36 deletions

View file

@ -247,8 +247,9 @@ sub do_login {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'login', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
} }
else { else {
@ -288,8 +289,9 @@ sub register {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'register', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
return; return;
} }
@ -345,8 +347,9 @@ sub register {
# a human user should take at least five seconds to fill out the form. # a human user should take at least five seconds to fill out the form.
# Throw a CSRF error at presumed spammers. # Throw a CSRF error at presumed spammers.
$self->render( $self->render(
'register', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
return; return;
} }
@ -408,8 +411,11 @@ sub delete {
my ($self) = @_; my ($self) = @_;
my $uid = $self->current_user->{id}; my $uid = $self->current_user->{id};
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->flash( invalid => 'csrf' ); $self->render(
$self->redirect_to('account'); 'bad_request',
csrf => 1,
status => 400
);
return; return;
} }
@ -436,7 +442,11 @@ sub delete {
sub do_logout { sub do_logout {
my ($self) = @_; my ($self) = @_;
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'login', invalid => 'csrf' ); $self->render(
'bad_request',
csrf => 1,
status => 400
);
return; return;
} }
$self->logout; $self->logout;
@ -503,8 +513,9 @@ sub social {
if ( $self->param('action') and $self->param('action') eq 'save' ) { if ( $self->param('action') and $self->param('action') eq 'save' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'social', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
return; return;
} }
@ -724,8 +735,9 @@ sub profile {
if ( $self->param('action') and $self->param('action') eq 'save' ) { if ( $self->param('action') and $self->param('action') eq 'save' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'edit_profile', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
return; return;
} }
@ -908,8 +920,9 @@ sub change_mail {
if ( $action and $action eq 'update_mail' ) { if ( $action and $action eq 'update_mail' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'change_mail', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
return; return;
} }
@ -967,9 +980,9 @@ sub change_name {
if ( $action and $action eq 'update_name' ) { if ( $action and $action eq 'update_name' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'change_name', 'bad_request',
name => $old_name, csrf => 1,
invalid => 'csrf', status => 400
); );
return; return;
} }
@ -1033,7 +1046,11 @@ sub change_password {
my $password2 = $self->req->param('newpw2'); my $password2 = $self->req->param('newpw2');
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'change_password', invalid => 'csrf' ); $self->render(
'bad_request',
csrf => 1,
status => 400
);
return; return;
} }
@ -1074,7 +1091,11 @@ sub request_password_reset {
if ( $self->param('action') and $self->param('action') eq 'initiate' ) { if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'recover_password', invalid => 'csrf' ); $self->render(
'bad_request',
csrf => 1,
status => 400
);
return; return;
} }
@ -1131,7 +1152,11 @@ sub request_password_reset {
my $password2 = $self->param('newpw2'); my $password2 = $self->param('newpw2');
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'set_password', invalid => 'csrf' ); $self->render(
'bad_request',
csrf => 1,
status => 400
);
return; return;
} }
if ( if (

View file

@ -567,7 +567,11 @@ sub import_v1 {
sub set_token { sub set_token {
my ($self) = @_; my ($self) = @_;
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( 'account', invalid => 'csrf' ); $self->render(
'bad_request',
csrf => 1,
status => 400
);
return; return;
} }
my $token = make_token(); my $token = make_token();

View file

@ -15,8 +15,9 @@ sub settings {
and $self->validation->csrf_protect->has_error('csrf_token') ) and $self->validation->csrf_protect->has_error('csrf_token') )
{ {
$self->render( $self->render(
'traewelling', 'bad_request',
invalid => 'csrf', csrf => 1,
status => 400
); );
return; return;
} }

View file

@ -1529,10 +1529,9 @@ sub visibility_form {
if ( $action eq 'save' ) { if ( $action eq 'save' ) {
if ( $self->validation->csrf_protect->has_error('csrf_token') ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
$self->render( $self->render(
'edit_visibility', 'bad_request',
error => 'csrf', csrf => 1,
user_level => $user_level, status => 400
journey => {}
); );
} }
elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) { elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) {

View file

@ -2,14 +2,7 @@
<div class="col s12"> <div class="col s12">
<div class="card caution-color"> <div class="card caution-color">
<div class="card-content white-text"> <div class="card-content white-text">
% if ($invalid eq 'csrf') { % if ($invalid eq 'credentials') {
<span class="card-title">Ungültiger CSRF-Token</span>
<p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
Fall von <a
href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
handeln.</p>
% }
% elsif ($invalid eq 'credentials') {
<span class="card-title">Ungültige Logindaten</span> <span class="card-title">Ungültige Logindaten</span>
<p>Falscher Account oder falsches Passwort.</p> <p>Falscher Account oder falsches Passwort.</p>
% } % }

View file

@ -0,0 +1,19 @@
<div class="row">
<div class="col s12">
<div class="card caution-color">
<div class="card-content white-text">
<span class="card-title">400 Bad Request</span>
% if (stash('csrf')) {
<p>Ungültiger CSRF-Token. Dieser dient zum Schutz vor Cross-Site Request Forgery.</p>
<p>Falls du von einer externen Seite hierhin geleitet wurdest, wurde möglicherweise (erfolglos) versucht, deinen Account anzugreifen. Falls du von travelynx selbst aus hier angekommen bist, kann es sich um eine fehlerhafte Cookie-Konfiguration im Browser, eine abgelaufene Session (→ bitte nochmal versuchen) oder du einen Bug in travelynx handeln (→ bitte melden).</p>
% }
% elsif (my $m = stash('message')) {
<p><%= $m %></p>
% }
% else {
<p>Diese Anfrage ist ungültig. Ursache kann z.B. eine abgelaufene Session oder ein Bug in travelynx sein.</p>
% }
</div>
</div>
</div>
</div>