Ticket Details

CSRF vulnerabilities in lithium?

ENHANCEMENT Ticket (closed)

I created a basic blog app to learn it, and it occurred to me that the following:

{{{
<?=$this->form->create($post, array('method' => 'post')); ?>
	<?=$this->form->hidden('id'); ?>
	<?=$this->form->field('title');?>
	<?=$this->form->field('body', array('type' => 'textarea'));?>
	<?=$this->form->submit('Edit Post'); ?>
<?=$this->form->end(); ?>
}}}

... leads to a form without any kind of token or nonce. Shouldn't CSRF protection for non-idempotent URLs (such as POST requests) be built into core in such a way that end-users don't need to even worry about it?
on 08.24.10 reported by: ddebernardy owned by: daschl

Updates

on 08.24.10 by nate
  • type was changed to enhancement
  • status was changed to approved
  • priority was changed to high
There are plans for this, it just hasn't been addressed in the core as yet.
on 02.08.11 by greut
  • version was changed to lithium-0.9.9
Please consider these while implementing it:

- [http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails](http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails)
- [http://www.djangoproject.com/weblog/2011/feb/08/security/](http://www.djangoproject.com/weblog/2011/feb/08/security/)

Should it be part of the core or can it be a library?
(fixed) on 07.03.11 by daschl
  • owner was changed to daschl
  • status was changed to closed
  • resolution was changed to fixed
CSRF protection is now included in lithium, thanks for the ticket!
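The ticket asks for a per-form token on state-changing requests, and greut's two links point at the 2011 Rails and Django advisories, both of which concerned requests that were exempted from the token check (notably XMLHttpRequest/JSON requests). The following is an added example of the synchronizer-token pattern in plain PHP, written for this page; it is not Lithium's own CSRF implementation (Lithium's actual class and helper names are not shown on this page and are not assumed here). The class name `CsrfToken`, the field name `_csrf_token`, the header name `X-CSRF-Token` and the sample requests at the bottom are all constructed for illustration.

```php
<?php
// Added example: minimal synchronizer-token CSRF protection for a plain
// PHP form handler. Not Lithium's implementation; names are illustrative.
declare(strict_types=1);

final class CsrfToken
{
    private const SESSION_KEY = '_csrf_token';   // assumed session slot
    private const PARAM       = '_csrf_token';   // assumed form field name
    private const HEADER      = 'X-CSRF-Token';  // assumed header for XHR/JSON

    /** Return the session's token, generating a random one on first use. */
    public static function get(): string
    {
        if (empty($_SESSION[self::SESSION_KEY])) {
            // 32 random bytes from the CSPRNG; the token is bound to the session.
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    /** Hidden input to embed in every form that issues a non-safe request. */
    public static function field(): string
    {
        $token = htmlspecialchars(self::get(), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="' . self::PARAM . '" value="' . $token . '">';
    }

    /**
     * Verify one request. Only safe methods (GET/HEAD/OPTIONS) are exempt,
     * because they must not change state. Every other method is checked,
     * and there is deliberately no exemption for XHR or JSON requests: the
     * token may arrive as a form field or as a request header, but it must
     * arrive. $headers is an array keyed by header name (e.g. built from
     * $_SERVER['HTTP_X_CSRF_TOKEN'] by the caller).
     */
    public static function check(string $method, array $params, array $headers = []): bool
    {
        if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
            return true;
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            return false; // no token was ever issued to this session
        }
        $submitted = $params[self::PARAM] ?? $headers[self::HEADER] ?? null;
        if (!is_string($submitted) || $submitted === '') {
            return false;
        }
        // Constant-time comparison so the token cannot be guessed byte by byte.
        return hash_equals($_SESSION[self::SESSION_KEY], $submitted);
    }
}

// Typical handler wiring (runs under a web SAPI with sessions enabled):
//
//   session_start();
//   if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
//       $headers = ['X-CSRF-Token' => $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null];
//       if (!CsrfToken::check($_SERVER['REQUEST_METHOD'], $_POST, $headers)) {
//           http_response_code(403);
//           exit('invalid CSRF token');
//       }
//   }
//   ... and in the edit form template:  <?= CsrfToken::field() ?>

// Stand-alone demonstration with constructed requests (CLI, no real session).
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token = CsrfToken::get();

    // GET is safe and needs no token.
    assert(CsrfToken::check('GET', []) === true);
    // A POST with no token (the form in the ticket) is rejected.
    assert(CsrfToken::check('POST', ['title' => 'x']) === false);
    // A POST carrying the session's token is accepted.
    assert(CsrfToken::check('POST', ['_csrf_token' => $token]) === true);
    // An XHR request carrying the token in a header is accepted ...
    assert(CsrfToken::check('POST', [], ['X-CSRF-Token' => $token]) === true);
    // ... but an XHR request without it is still rejected (no XHR exemption).
    assert(CsrfToken::check('POST', ['format' => 'json']) === false);
    // A token from some other session does not match.
    assert(CsrfToken::check('DELETE', ['_csrf_token' => bin2hex(random_bytes(32))]) === false);

    echo "all CSRF checks behaved as expected\n";
}
```

The token is stored per session and compared with `hash_equals`, so a cross-site form post or fetch from another origin cannot supply it (the attacker's page cannot read the victim's session or the page containing the hidden field). Keeping the check on every non-safe method, with no carve-out for XHR, JSON or custom headers, is the point the two linked advisories make; a framework-level implementation would normally apply the check in a filter in front of every controller action rather than in each handler.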