Joomla! Issue Tracker | Joomla! CMS #36518 - [4.1] Protect Manual/Test Runs of Tasks against CSRF

? NPM Resource Changed ?

Fixed in Code Base
14 Jan 2022
Medium
Build: 4.1-dev
# 36518
Diff
ditsuke:secure-run-csrf

Pending

User tests: Successful: Unsuccessful:

ditsuke
1 Jan 2022

Pull Request for Issue #36454.

Summary of Changes

Adds CSRF protection for task "test" trigger endpoint. Token is injected in the list template.

Testing Instructions

Create Scheduled Task, note ID.
Goto http://example.com/administrator/index.php?option=com_ajax&format=json&plugin=RunSchedulerTest&group=system&id={TaskID} in another tab.

Actual result BEFORE applying this Pull Request

Task is executed.

Expected result AFTER applying this Pull Request

Task is not executed since request lacks token.

Documentation Changes Required

4dfe5af 1 Jan 2022

Add CSRF protection to test task runner

ditsuke - open - 1 Jan 2022

ditsuke - change - 1 Jan 2022

Status

New

⇒

Pending

joomla-cms-bot - change - 1 Jan 2022

Category

⇒

Administration JavaScript Repository NPM Change Front End Plugins

ditsuke - comment - 1 Jan 2022

@PhilETaylor please test and review.

PhilETaylor - comment - 1 Jan 2022

/********/src/build/media_source/com_scheduler/js/admin-view-run-test-task.es6.js
15s
8	  21:176  error  Strings must use singlequote  quotes

31ac285 1 Jan 2022

Fix ESLint errors on test-task JS

ditsuke - change - 1 Jan 2022

Labels

Added: NPM Resource Changed ?

ditsuke - comment - 1 Jan 2022

/********/src/build/media_source/com_scheduler/js/admin-view-run-test-task.es6.js
15s
8	  21:176  error  Strings must use singlequote  quotes

@PhilETaylor fixed

78d5316 1 Jan 2022

Merge branch '4.1-dev' of github.com:joomla/joomla-cms into 'secure-run-csrf'

73414c5 1 Jan 2022

Merge branch '4.1-dev' into secure-run-csrf

fancyFranci - comment - 8 Jan 2022

I have tested this item ✅ successfully on 73414c5

With the patch the task does not run on GET request. The "Last Run Date" confirms that.

{
  "success": true,
  "message": null,
  "messages": null,
  "data": []
}
```<hr /><sub>This comment was created with the <a href="https://github.com/joomla/jissues">J!Tracker Application</a> at <a href="https://issues.joomla.org/tracker/joomla-cms/36518">issues.joomla.org/tracker/joomla-cms/36518</a>.</sub>

fancyFranci - comment - 8 Jan 2022

I have tested this item ✅ successfully on 73414c5

With the patch the task does not run on GET request. The "Last Run Date" confirms that.

{
  "success": true,
  "message": null,
  "messages": null,
  "data": []
}
```<hr /><sub>This comment was created with the <a href="https://github.com/joomla/jissues">J!Tracker Application</a> at <a href="https://issues.joomla.org/tracker/joomla-cms/36518">issues.joomla.org/tracker/joomla-cms/36518</a>.</sub>

fancyFranci - test_item - 8 Jan 2022 - Tested successfully

jwaisner - comment - 11 Jan 2022

I have tested this item ✅ successfully on 73414c5

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/36518.}

jwaisner - test_item - 11 Jan 2022 - Tested successfully

jwaisner - change - 11 Jan 2022

The description was changed

Status

Pending

⇒

Ready to Commit

joomla-cms-bot - edited - 11 Jan 2022

jwaisner - comment - 11 Jan 2022

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/36518.}

bembelimen - close - 14 Jan 2022

bembelimen - merge - 14 Jan 2022

bembelimen - change - 14 Jan 2022

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2022-01-14 20:42:27
Closed_By		⇒	bembelimen
Labels	Added: ?

bembelimen - comment - 14 Jan 2022

Thx

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#36518] - [4.1] Protect Manual/Test Runs of Tasks against CSRF

Summary of Changes

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Documentation Changes Required

Add a Comment