How does CSRF Protection work


nerbert
09-22-2014, 03:11 AM
I've been working on an adminCP project recently and I have an AJAX request that, until recently, didn't send SECURITYTOKEN or ADMINHASH in the query string, but the request went through without any error or redirect.

I see other admin files don't define CSRF at the top of the file but if they don't use it why do they bother with the security token and admin hash? I would like to use that for security. How do I make CSRF protection work? And what does

define('CVS_REVISION', '$RCSfile$ - $Revision: 53302 $');

mean?

ForceHSS
09-22-2014, 03:16 AM
http://flask-wtf.readthedocs.org/en/latest/csrf.html

kh99
09-28-2014, 07:28 PM
Did you figure this out? I don't know the answer to the CSRF questions, but I believe CVS_REVISION is for version control, so it's not related.

nerbert
09-29-2014, 01:04 AM
Did you figure this out? I don't know the answer to the CSRF questions, but I believe CVS_REVISION is for version control, so it's not related.

It checks in includes/init.php line 670 (vB422) and uses function verify_security_token() from includes/functions.php line 2763. My testing (never the last word!) shows it doesn't work in AdminCP even with CSRF_PROTECTION defined. So I just use the function directly in my code.
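Added example (not from any poster in this thread and not vBulletin's own code): a minimal, stand-alone PHP token scheme of the same shape the thread describes, a token bound to the logged-in user that every state-changing request, AJAX calls included, must carry and that the server verifies before doing anything. It shows why a request that omits the token, as nerbert's AJAX call originally did, has to be refused rather than let through. The site secret, the user id, the one-hour lifetime and all function names here are assumptions for illustration; vBulletin's real verify_security_token() in includes/functions.php is not reproduced or described by this code.

```php
<?php
// Added example, not vBulletin's code. A token of the form "<timestamp>-<hmac>":
// the HMAC ties the token to one user and to a secret only the server knows,
// so a token observed for one account cannot be replayed for another, and the
// timestamp lets the server expire old tokens.
//
// Assumptions (not from the thread): $siteSecret is a per-site secret kept on
// the server, $userId is the logged-in user's numeric id, tokens live one hour.

const TOKEN_LIFETIME = 3600;   // seconds a token stays valid (assumed value)

/** Issue a token for this user. $now is overridable only so tests can age tokens. */
function make_security_token(int $userId, string $siteSecret, ?int $now = null): string
{
    $now = $now ?? time();
    $mac = hash_hmac('sha256', $userId . '|' . $now, $siteSecret);
    return $now . '-' . $mac;
}

/**
 * Check a submitted token. True only if it is well formed, not expired, and
 * its HMAC equals what this server would have issued for this user.
 */
function check_security_token(string $token, int $userId, string $siteSecret, ?int $now = null): bool
{
    $now = $now ?? time();
    // Unix timestamp (up to 10 digits) followed by a 64-hex-char SHA-256 HMAC.
    if (!preg_match('/^(\d{1,10})-([0-9a-f]{64})$/', $token, $m)) {
        return false;                       // empty or malformed token
    }
    $issued = (int) $m[1];
    if ($issued > $now || $now - $issued > TOKEN_LIFETIME) {
        return false;                       // dated in the future, or expired
    }
    $expected = hash_hmac('sha256', $userId . '|' . $issued, $siteSecret);
    return hash_equals($expected, $m[2]);   // constant-time comparison, no early exit
}

/**
 * Gate for a state-changing request. $request stands in for the merged
 * POST/GET parameters; a missing token fails closed.
 */
function request_passes_csrf_check(array $request, int $userId, string $siteSecret): bool
{
    $token = $request['securitytoken'] ?? '';
    return is_string($token) && check_security_token($token, $userId, $siteSecret);
}

// Constructed demonstration data; the secret is a placeholder, not a real key.
$siteSecret = 'PLACEHOLDER-site-secret-replace-me';
$userId     = 42;

$cases = [
    'valid token'              => ['securitytoken' => make_security_token($userId, $siteSecret)],
    'token for another user'   => ['securitytoken' => make_security_token(7, $siteSecret)],
    'token made without secret'=> ['securitytoken' => make_security_token($userId, 'guess')],
    'expired token'            => ['securitytoken' => make_security_token($userId, $siteSecret, time() - 2 * TOKEN_LIFETIME)],
    'no token at all'          => [],
];

foreach ($cases as $label => $request) {
    $ok = request_passes_csrf_check($request, $userId, $siteSecret);
    echo str_pad($label, 28) . ($ok ? 'allowed' : 'refused (HTTP 403)') . PHP_EOL;
}
```

Only the first case is allowed; every other request, including the one with no token, is refused, which is the behaviour nerbert wanted from the AdminCP request. Two practical notes: wire the check in once, before any admin action runs, rather than remembering it per file, and prefer carrying the token in the POST body or a request header instead of the query string, since query strings end up in server logs and Referer headers.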