Ticket #630 (closed defect: fixed)

Opened 3 years ago

Last modified 1 year ago

Don't use GET for side effects, use POST

Reported by: anonymous
Assigned to: fguillaume
Priority: P2
Milestone: CPS 3.4.4
Component: CPS (global)
Version: TRUNK
Severity: major
Keywords: security XSS
Cc:

Description (Last modified by madarche)

The problem is that of CSRF (Cross-site request forgery).

http://www.squarefree.com/securitytips/web-developers.html#CSRF

This ticket is related to #1831.

Change History

05/09/05 15:33:10 changed by fguillaume

  • summary changed from Don't use GET for side effects, and check that a POST comes from the same to Don't use GET for side effects, and check that a POST comes from the same server.

07/18/05 18:27:07 changed by fguillaume

  • version changed from 3.3.3 to TRUNK.
  • component changed from CPSSchemas to CPS (global).

07/18/05 18:28:14 changed by fguillaume

See also #835.

09/14/05 17:57:58 changed by fguillaume

  • milestone changed from unspecified to CPS 3.5.0.

04/17/07 11:05:05 changed by madarche

  • keywords changed from security to security XSS.
  • description changed.
  • milestone changed from CPS 3.5.0 to CPS 3.4.4.

04/17/07 11:05:24 changed by madarche

  • summary changed from Don't use GET for side effects, and check that a POST comes from the same server to Don't use GET for side effects, use POST.

04/17/07 14:50:41 changed by madarche

Regarding directories this is fixed with changeset [51556].

04/17/07 14:58:07 changed by madarche

  • status changed from new to closed.
  • resolution set to fixed.

This bug is now fixed. Now we "just" need to secure the POST requests, as stated in #1831.