
mbabker - 16 Dec 2015

Unless there's a reason CSRF tokens cannot contain [A-Z][a-z][0-9] then proxying to JUserHelper::genRandomPassword() (which is using random_bytes() in its generation of random strings) is good enough here.

Testing instructions

CSRF validation should still pass on forms
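Added example, not Joomla's code and not the PR's diff: what a CSPRNG-backed alphanumeric CSRF token generator and its validation look like in plain PHP, using the same [A-Z][a-z][0-9] alphabet the description mentions. The function names, the default token length and the session array are this example's own assumptions.

```php
<?php
// Added example, not Joomla's code: a CSRF token generator in the spirit of this PR.
// Bytes come from random_bytes() (PHP 7+, as noted in the thread; PHP 5 installs need
// a polyfill such as paragonie/random_compat) and are mapped onto [A-Za-z0-9]
// without modulo bias.

const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/**
 * Build a token of $length characters from the 62-character alphabet.
 * A byte is only used when it is below the largest multiple of 62 that fits
 * in a byte (248); larger values are discarded so every character is equally likely.
 */
function generateCsrfToken(int $length = 32): string
{
    $alphabet     = TOKEN_ALPHABET;
    $alphabetSize = strlen($alphabet);           // 62
    $limit        = 256 - (256 % $alphabetSize); // 248
    $token        = '';

    while (strlen($token) < $length) {
        // Over-fetch a few bytes so rejected values rarely force another read.
        foreach (str_split(random_bytes($length - strlen($token) + 8)) as $byte) {
            $value = ord($byte);
            if ($value >= $limit) {
                continue; // would bias the distribution; discard and move on
            }
            $token .= $alphabet[$value % $alphabetSize];
            if (strlen($token) === $length) {
                break;
            }
        }
    }

    return $token;
}

/**
 * Compare the token a form submitted with the one stored in the session.
 * hash_equals() is constant-time, so the check does not leak how many
 * leading characters matched.
 */
function validateCsrfToken(string $submitted, string $stored): bool
{
    return $stored !== '' && hash_equals($stored, $submitted);
}

// Constructed session array standing in for JSession in this example.
$session = ['csrf_token' => generateCsrfToken()];
var_dump(validateCsrfToken($session['csrf_token'], $session['csrf_token']));
var_dump(validateCsrfToken('wrong-value', $session['csrf_token']));
```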

mbabker - open - 16 Dec 2015
mbabker - change - 16 Dec 2015
Status: New → Pending
joomla-cms-bot - change - 16 Dec 2015
Labels Added: ?
PhilETaylor - comment - 16 Dec 2015

random_bytes is PHP7 only though... :)

wilsonge - comment - 16 Dec 2015

PhilETaylor - comment - 16 Dec 2015

ah I see that now - was waiting for PHPStorm to index the whole project....sloooooowly

paragonie-scott - comment - 16 Dec 2015

:+1:

Kubik-Rubik - change - 17 Dec 2015
Milestone Added:
Kubik-Rubik - alter_testresult - 17 Dec 2015 - paragonie-scott: Tested successfully
Kubik-Rubik - test_item - 17 Dec 2015 - Tested successfully
Kubik-Rubik - comment - 17 Dec 2015

I have tested this item :white_check_mark: successfully on 6fc1875

Thank you @mbabker!


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8714.

Kubik-Rubik - change - 17 Dec 2015
Status: Pending → Ready to Commit
joomla-cms-bot - change - 17 Dec 2015
Milestone Removed:
Kubik-Rubik - change - 17 Dec 2015
Labels Added: ?
Kubik-Rubik - change - 17 Dec 2015
Milestone Added:
wilsonge - comment - 20 Dec 2015

Can you deprecate createToken please in favour of JUserHelper::genRandomPassword()?

mbabker - comment - 1 Jan 2016

No. It enables the session API to continue to internally use its own token method (even if it's just a proxy now) without hardcoding the reference to generate them in case it ever needed to change to a different implementation.

photodude - comment - 2 Jan 2016

:+1:

rdeutz - change - 8 Jan 2016
Status: Ready to Commit → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-01-08 09:46:22
Closed_By: rdeutz
rdeutz - close - 8 Jan 2016
joomla-cms-bot - close - 8 Jan 2016
rdeutz - reference | 4d216cc - 8 Jan 16
rdeutz - merge - 8 Jan 2016
rdeutz - close - 8 Jan 2016
joomla-cms-bot - change - 8 Jan 2016
Labels Removed: ?
mbabker - head_ref_deleted - 8 Jan 2016
