use a separate bad_request page for CSRF errors
This commit is contained in:
parent
8cef56a940
commit
c1635e24fb
6 changed files with 77 additions and 36 deletions
|
@ -247,8 +247,9 @@ sub do_login {
|
||||||
|
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'login',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
@ -288,8 +289,9 @@ sub register {
|
||||||
|
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'register',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -345,8 +347,9 @@ sub register {
|
||||||
# a human user should take at least five seconds to fill out the form.
|
# a human user should take at least five seconds to fill out the form.
|
||||||
# Throw a CSRF error at presumed spammers.
|
# Throw a CSRF error at presumed spammers.
|
||||||
$self->render(
|
$self->render(
|
||||||
'register',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -408,8 +411,11 @@ sub delete {
|
||||||
my ($self) = @_;
|
my ($self) = @_;
|
||||||
my $uid = $self->current_user->{id};
|
my $uid = $self->current_user->{id};
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->flash( invalid => 'csrf' );
|
$self->render(
|
||||||
$self->redirect_to('account');
|
'bad_request',
|
||||||
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -436,7 +442,11 @@ sub delete {
|
||||||
sub do_logout {
|
sub do_logout {
|
||||||
my ($self) = @_;
|
my ($self) = @_;
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render( 'login', invalid => 'csrf' );
|
$self->render(
|
||||||
|
'bad_request',
|
||||||
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
$self->logout;
|
$self->logout;
|
||||||
|
@ -503,8 +513,9 @@ sub social {
|
||||||
if ( $self->param('action') and $self->param('action') eq 'save' ) {
|
if ( $self->param('action') and $self->param('action') eq 'save' ) {
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'social',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -724,8 +735,9 @@ sub profile {
|
||||||
if ( $self->param('action') and $self->param('action') eq 'save' ) {
|
if ( $self->param('action') and $self->param('action') eq 'save' ) {
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'edit_profile',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -908,8 +920,9 @@ sub change_mail {
|
||||||
if ( $action and $action eq 'update_mail' ) {
|
if ( $action and $action eq 'update_mail' ) {
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'change_mail',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -967,9 +980,9 @@ sub change_name {
|
||||||
if ( $action and $action eq 'update_name' ) {
|
if ( $action and $action eq 'update_name' ) {
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'change_name',
|
'bad_request',
|
||||||
name => $old_name,
|
csrf => 1,
|
||||||
invalid => 'csrf',
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -1033,7 +1046,11 @@ sub change_password {
|
||||||
my $password2 = $self->req->param('newpw2');
|
my $password2 = $self->req->param('newpw2');
|
||||||
|
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render( 'change_password', invalid => 'csrf' );
|
$self->render(
|
||||||
|
'bad_request',
|
||||||
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1074,7 +1091,11 @@ sub request_password_reset {
|
||||||
|
|
||||||
if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
|
if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render( 'recover_password', invalid => 'csrf' );
|
$self->render(
|
||||||
|
'bad_request',
|
||||||
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1131,7 +1152,11 @@ sub request_password_reset {
|
||||||
my $password2 = $self->param('newpw2');
|
my $password2 = $self->param('newpw2');
|
||||||
|
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render( 'set_password', invalid => 'csrf' );
|
$self->render(
|
||||||
|
'bad_request',
|
||||||
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (
|
if (
|
||||||
|
|
|
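Review bot: The same five-line `$self->render( 'bad_request', csrf => 1, status => 400 ); return;` block is now repeated at every CSRF check in this file (do_login, register twice, delete, do_logout, social, profile, change_mail, change_name, change_password, request_password_reset twice) and again in the set_token, settings and visibility_form hunks below; a single helper registered once on the application, e.g. `$app->helper(render_csrf_error => sub { shift->render('bad_request', csrf => 1, status => 400) })`, would keep the csrf flag and the 400 status from drifting apart as further call sites are added. Each call site then reduces to `$self->render_csrf_error; return;`. Returning an explicit 400 instead of re-rendering the form also makes rejected CSRF checks visible in access logs, which deserves a one-line comment on that helper. All of the enclosing subs start and end outside their hunks.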
@ -567,7 +567,11 @@ sub import_v1 {
|
||||||
sub set_token {
|
sub set_token {
|
||||||
my ($self) = @_;
|
my ($self) = @_;
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render( 'account', invalid => 'csrf' );
|
$self->render(
|
||||||
|
'bad_request',
|
||||||
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
my $token = make_token();
|
my $token = make_token();
|
||||||
|
|
|
@ -15,8 +15,9 @@ sub settings {
|
||||||
and $self->validation->csrf_protect->has_error('csrf_token') )
|
and $self->validation->csrf_protect->has_error('csrf_token') )
|
||||||
{
|
{
|
||||||
$self->render(
|
$self->render(
|
||||||
'traewelling',
|
'bad_request',
|
||||||
invalid => 'csrf',
|
csrf => 1,
|
||||||
|
status => 400
|
||||||
);
|
);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1529,10 +1529,9 @@ sub visibility_form {
|
||||||
if ( $action eq 'save' ) {
|
if ( $action eq 'save' ) {
|
||||||
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
|
||||||
$self->render(
|
$self->render(
|
||||||
'edit_visibility',
|
'bad_request',
|
||||||
error => 'csrf',
|
csrf => 1,
|
||||||
user_level => $user_level,
|
status => 400
|
||||||
journey => {}
|
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) {
|
elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) {
|
||||||
|
|
|
@ -2,14 +2,7 @@
|
||||||
<div class="col s12">
|
<div class="col s12">
|
||||||
<div class="card caution-color">
|
<div class="card caution-color">
|
||||||
<div class="card-content white-text">
|
<div class="card-content white-text">
|
||||||
% if ($invalid eq 'csrf') {
|
% if ($invalid eq 'credentials') {
|
||||||
<span class="card-title">Ungültiger CSRF-Token</span>
|
|
||||||
<p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
|
|
||||||
Fall von <a
|
|
||||||
href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
|
|
||||||
handeln.</p>
|
|
||||||
% }
|
|
||||||
% elsif ($invalid eq 'credentials') {
|
|
||||||
<span class="card-title">Ungültige Logindaten</span>
|
<span class="card-title">Ungültige Logindaten</span>
|
||||||
<p>Falscher Account oder falsches Passwort.</p>
|
<p>Falscher Account oder falsches Passwort.</p>
|
||||||
% }
|
% }
|
||||||
|
|
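Review bot: With the `csrf` branch removed, the login template only handles `$invalid eq 'credentials'`; any caller left outside this commit that still renders `login` with `invalid => 'csrf'` would now show the caution card with no text at all. The do_login and do_logout hunks in this commit no longer do so, but it is worth confirming no other render of `login` passes that value.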
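--- /dev/null
+++ b/templates/bad_request.html.ep
@@ -0,0 +1,19 @@
+<div class="row">
+<div class="col s12">
+<div class="card caution-color">
+<div class="card-content white-text">
+<span class="card-title">400 Bad Request</span>
+% if (stash('csrf')) {
+<p>Ungültiger CSRF-Token. Dieser dient zum Schutz vor Cross-Site Request Forgery.</p>
+<p>Falls du von einer externen Seite hierhin geleitet wurdest, wurde möglicherweise (erfolglos) versucht, deinen Account anzugreifen. Falls du von travelynx selbst aus hier angekommen bist, kann es sich um eine fehlerhafte Cookie-Konfiguration im Browser, eine abgelaufene Session (→ bitte nochmal versuchen) oder du einen Bug in travelynx handeln (→ bitte melden).</p>
+% }
+% elsif (my $m = stash('message')) {
+<p><%= $m %></p>
+% }
+% else {
+<p>Diese Anfrage ist ungültig. Ursache kann z.B. eine abgelaufene Session oder ein Bug in travelynx sein.</p>
+% }
+</div>
+</div>
+</div>
+</div>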
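Review bot: The second paragraph of the csrf branch has a broken clause: `oder du einen Bug in travelynx handeln (→ bitte melden)` should read `oder um einen Bug in travelynx handeln (→ bitte melden)` to match the preceding `um eine ... handeln` construction. The `message` branch prints with `<%= $m %>`, which HTML-escapes the value, so that is safe as long as callers pass plain strings and never a Mojo::ByteStream (which would bypass escaping); a template comment such as `%# message is rendered escaped via <%= %>; pass plain text, not a ByteStream` above the elsif would make that contract explicit for future callers. The 400 status itself is set by each controller call site rather than here, so the "400 Bad Request" title is only accurate when callers remember to pass `status => 400`.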