Joomla! Issue Tracker | Joomla! CMS #18779 - [4.0] Fix sendmail token error

Closed
23 Nov 2017
Medium
Build: 4.0-dev
# 18779
Diff
C-Lodder:patch-3

Pending

Pending continuous-integration/drone/pr this build is pending Details
Success hound No violations found. Woof! Details

User tests: Successful: Unsuccessful:

C-Lodder
21 Nov 2017

Pull Request for Issue #18596

Summary of Changes

Fix the error due to the token check always returning false

Testing Instructions

Attempt to submit a test mail via com_config

d2e94e6 21 Nov 2017

Fix sendmail token error

C-Lodder - open - 21 Nov 2017

C-Lodder - change - 21 Nov 2017

Status

New

⇒

Pending

joomla-cms-bot - change - 21 Nov 2017

Category

⇒

Administration com_config

C-Lodder - comment - 22 Nov 2017

@mbabker @zero-24 is this right?

dgt41 - comment - 22 Nov 2017

@C-Lodder that shouldn't be required in J4 as we have the csrf token generated automatically

C-Lodder - comment - 22 Nov 2017

@dgt41 - yup, I know the token gets generated automatically, but \JSession::checkToken('get') doesn't get that token for some reason.

mbabker - comment - 22 Nov 2017

If it's not part of the query string that would cause the check (which is being told to check GET variables) to fail. So where's the automatic CSRF token being added to? And is the request it's making even a GET request?

C-Lodder - comment - 22 Nov 2017

@mbabker - well not automatically, but it's added here: https://github.com/joomla/joomla-cms/blob/4.0-dev/administrator/components/com_config/tmpl/application/default.php#L115

andrepereiradasilva - comment - 22 Nov 2017

hi, i have not followed this new token "thing", but since this uses a Joomla.Request ajax js, don't you need to add in https://github.com/joomla/joomla-cms/blob/4.0-dev/administrator/components/com_config/tmpl/application/default_mail.php the

Joomla\CMS\Factory::getDocument()->addScriptOptions('csrf.token', Joomla\CMS\Session\Session::getFormToken());

or something like that?
see https://github.com/dneukirchen/joomla-cms/blob/4.0-dev/media/system/js/core.js#L822

C-Lodder - change - 23 Nov 2017

Title

…

Fix sendmail token error

[4.0] Fix sendmail token error

C-Lodder - edited - 23 Nov 2017

asika32764 - comment - 23 Nov 2017

You need a JHtml::_('jquery.token') to make sure CSRF auto injected when using jQuery ajax

See 3.x branch: https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_config/view/application/tmpl/default_mail.php#L12

And https://github.com/dneukirchen/joomla-cms/blob/4.0-dev/libraries/cms/html/jquery.php#L133-L158

Reference to CSRF relative PR: #14952

asika32764 - comment - 23 Nov 2017

sendtestmail.js uses jQuery Ajax now not Joomla.Request

andrepereiradasilva - comment - 23 Nov 2017

No. afaik in 4.0 the usage of jquery on the Core is being removed to improve js render time and bytes transfered
https://github.com/joomla/joomla-cms/blob/4.0-dev/media/system/js/fields/sendtestmail.js#L30

The cache thing is a good point there are cache workaround for the form session input but i don't think they exist for this new method. See https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Cache/Cache.php#L529

asika32764 - comment - 23 Nov 2017

Seems not only one reasons. I fixed it in #18821

C-Lodder - change - 23 Nov 2017

Status	Pending	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2017-11-23 12:10:33
Closed_By		⇒	C-Lodder
Labels	Added: ?

C-Lodder - close - 23 Nov 2017

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#18779] - [4.0] Fix sendmail token error

Summary of Changes

Testing Instructions

Add a Comment