Csrf On Post Failure Rate Topic

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12075 posts

Posted 03 May 2021 - 03:23 AM #1

I'm sure I'm doing/not_doing something but for the life of me, can't find it.

I have an addon where vendor_multivendor.post.php permissions are true for the controller.

When I try to post the form, it's generating the csrf error message and redirecting to the vendor.php page.

 

In inspecting with the browser, it is not passing a security_hash in the request data.  I'm not sure what JS triggers adding the security_hash to the POSTed data.  I've double checked and I'm doing things the same way I have in countless other addons.

 

The form has a total of about 20 variables.  The max_post_data is set to 150M and the max_input_vars is set to 10000.

 

I think I need a new set of eyes or suggestions on what to check.  Getting brain-fuzzy at this point.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • harmsmitsdev
  • Senior Member
  • Members
  • Join Date: 22-Feb 20
  • 183 posts

Posted 03 May 2021 - 07:16 AM #2

There are only a few things I can think of:

 

1. Make sure the form close is *exactly* as follows. Any spacing will cause it to behave incorrectly.

</form>

2. Check if the schema is actually included and if it returns itself.

 

It's hard to help blindly as it is working perfectly fine for me, so sharing a few more details as to what you are doing would be of great help.
 


harmsmitsdev@gmail.com


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12075 posts

Posted 03 May 2021 - 06:41 PM #3

Form tag is as above.

Schema is being read.  I get access to the controller as Vendor.  If it wasn't, I'd be denied (vendor_multivendor.post.php).

Here's the code and it's the same model I use on many other addons. That's why I'm kind of stumped.

 

Sorry but the 'paste' removes tabs....

<!-- EZms ez_pos_settings/manage.tpl -->
{capture name="mainbox"}
    {capture name="tabsbox"}
        <form action="{""|fn_url}" method="post" class="form-horizontal" name="ez_pos_settings_form">
        <div id="content_general">
            {include file="common/subheader.tpl" title="{__("ez_pos_settings")}: General"}
            <div class="control-group">
                <label for="test_general_setting" class="control-label">Test General Setting Name</label>
                <div class="controls">
                    <input id="test_general_setting" type="text" class="input-short" name="test_general_setting" value="" />
                </div>
            </div>
        </div>
        {foreach from=$warehouses key="warehouse_id" item="name"}
            <div id="content_warehouse_{$warehouse_id}" class="hidden">
                {include file="common/subheader.tpl" title=__("ez_pos_settings")|cat:": ":$name}
                {foreach from=$pos_settings.$warehouse_id item="setting_data"}
                    {*<pre>setting_data:{$setting_data|print_r:true}</pre> *}
                    <input type="hidden" name="pos_settings[{$warehouse_id}][{$setting_data.setting_name}][setting_id]" value="{$setting_data.setting_id}" />
                    {* __() returns the key prefixed with "_" when no language variable exists; fall back to the raw tooltip text *}
                    {$tooltip = __($setting_data.tooltip)}
                    {if $tooltip|strpos:'_' === 0 }
                        {$tooltip = $setting_data.tooltip}
                    {/if}
                    <div class="control-group" id="warehouse_{$warehouse_id}">
                        <label for="pos_setting_{$setting_data.setting_name}_{$warehouse_id}" class="control-label">{__($setting_data.setting_name)}:&nbsp;</label>
                        <div class="controls">
                            {if $tooltip}
                                {include file="common/tooltip.tpl" tooltip=$tooltip}
                            {/if}
                            <input id="pos_setting_{$setting_data.setting_name}_{$warehouse_id}"
                                type="text"
                                name="pos_settings[{$warehouse_id}][{$setting_data.setting_name}][setting_value]"
                                value="{$setting_data.setting_value}" />
                        </div>
                    </div>
                {/foreach}
            </div>
        {/foreach}
    {/capture} {** tabsbox **}

    {capture name="buttons"}
        {include file="buttons/save.tpl"
            but_name="dispatch[ez_pos_settings.manage]"
            but_role="submit-link"
            but_target_form="ez_pos_settings_form"
        }
    {/capture} {** buttons **}
    {include file="common/tabsbox.tpl" content=$smarty.capture.tabsbox group_name=$runtime.controller active_tab=$selected_section track=true}
{/capture} {** mainbox **}

</form>

{include file="common/mainbox.tpl"
    title=__('ez_pos_settings')
    content=$smarty.capture.mainbox
    buttons=$smarty.capture.buttons
    adv_buttons=$smarty.capture.adv_buttons
}
 



 
  • harmsmitsdev
  • Senior Member
  • Members
  • Join Date: 22-Feb 20
  • 183 posts

Posted 04 May 2021 - 07:35 AM #4

The form closing tag is not in the correct place. It should be in the tabsbox capture.




 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12075 posts

Posted 04 May 2021 - 06:31 PM #5

Hmm, I see what you mean.  Seems like the proper place to put the opening form tag would be above the first capture.  I'll give it a try both ways and see what happens.

 

Always good to have new eyes!  Thanks.




 
  • harmsmitsdev
  • Senior Member
  • Members
  • Join Date: 22-Feb 20
  • 183 posts

Posted 04 May 2021 - 06:56 PM #6

The reason this causes an issue is that the input for the security_hash will get shifted. Because the browser assumes the element is corrupted, it will force close the 'form' before the location of this input, meaning that the input will not be contained in the form. Therefore, it's not sent in the request and you get this error ;)

 

You can verify this by checking if the form contains the 'security_hash' input using 'inspect element'.


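The "inspect element" check from the reply above, automated as an added example (not CS-Cart code and not the posters' own): it parses rendered page HTML with a deliberately simplified browser model (an unmatched </form> is dropped, and a form is closed early when an element opened before it is closed) and reports whether the hidden security_hash input sits inside the named form. The sample HTML, the vendor.php action and the TOKEN value are constructed placeholders standing in for the rendered mainbox/tabsbox output.

```python
from html.parser import HTMLParser


class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.form = [], None      # open non-void tags; current form name
        self.inputs, self.problems = {}, []   # form name -> input names; issues found

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a.get("name", "<unnamed>")
            self.inputs.setdefault(self.form, [])
        elif tag == "input":
            if self.form and a.get("name"):
                self.inputs[self.form].append(a["name"])
            return                            # void element, never on the stack
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:             # unmatched end tag: browsers drop it
            if tag == "form":
                self.problems.append("stray </form> with no open form")
            return
        while self.stack:                     # pop through the matching open tag
            popped = self.stack.pop()
            if popped == "form":
                if tag != "form":
                    self.problems.append(f"form '{self.form}' closed early by </{tag}>")
                self.form = None
            if popped == tag:
                break


def audit(html, form_name, token_field="security_hash"):
    p = FormAudit()                           # returns (token_inside_form, problems)
    p.feed(html)
    return token_field in p.inputs.get(form_name, []), p.problems


# Constructed sample of the thread's layout: </form> is emitted before the mainbox
# renders, and the form opened inside the tabs box is never closed there.
BROKEN = """</form><div class="mainbox"><div class="tabs">
<form action="vendor.php" method="post" name="ez_pos_settings_form">
<div id="content_general"><input type="text" name="pos_settings[1][x][setting_value]"></div>
</div><div class="buttons"><input type="hidden" name="security_hash" value="TOKEN"></div></div>"""

# Constructed sample with </form> inside the tabs box, after the hidden token input.
FIXED = """<div class="mainbox"><div class="tabs">
<form action="vendor.php" method="post" name="ez_pos_settings_form">
<div id="content_general"><input type="text" name="pos_settings[1][x][setting_value]"></div>
<input type="hidden" name="security_hash" value="TOKEN"></form></div><div class="buttons"></div></div>"""
```

Run audit() on the HTML the server actually returns (saved from the browser) rather than on the template: the problems list pinpoints which closing tag ended the form before the token, which is what the CSRF redirect is reacting to.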


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12075 posts

Posted 04 May 2021 - 07:06 PM #7

Appreciate your help.  Will try to test it later today.

