CSRF-Protector-PHP icon indicating copy to clipboard operation
CSRF-Protector-PHP copied to clipboard

Published 20 hours ago verified publisher icon mebjas

Usage with Plupload library

Open nilsteampassnet opened this issue 9 years ago • 11 comments

Hello,

I'm using CSRF Protector on my web application. It works as it should and I've implemented and performed test successfully. I just have an issue with the file upload that is managed with plupload.com library. Indeed when csrf is enabled then no upload is performed.

After some checks, it seems that all "POST" parameters that should be send with plupload are not sent when CSRF protector is enabled. And the of course the upload fails. I've tried to add in POST parameters the CSRF_TOKEN but this doesn't change any thing.

Do you have any tip that could help me to manage this case? Is there a way to disable csrf protector in such case for example? (at least as a temporary solution).

Thanks

nilsteampassnet avatar Mar 09 '16 20:03 nilsteampassnet

@nilsteampassnet Currently it's not configurable to disable CSRF Protection for a specific POST request. Also this seems like a bug.

I'll try to reproduce this bug and fix it, ASAP.

mebjas avatar Mar 10 '16 08:03 mebjas

@mebjas Thanks for this ... waiting patiently for your inputs (if I can help in testing please don't hesitate)

nilsteampassnet avatar Mar 10 '16 21:03 nilsteampassnet

Hi, I tested this with my setup, everything seemed to work. Can you tell me more on how to reproduce it or point me to some demo link where this is failing?

@nilsteampassnet

mebjas avatar Mar 12 '16 17:03 mebjas

Sorry for long delay.

I've done extra test based on your comment. What sounds strange to me is that it works nicely with Google Chrome but always fails on Firefox (even updated to last version).

I don't know how to deal with this issue. Under Chrome, with and without CSRF library it works. Under Firefox, with it fails and without it works.

I really don't unserstand

nilsteampassnet avatar Mar 17 '16 20:03 nilsteampassnet

I'll test it on firefox.

mebjas avatar Mar 18 '16 02:03 mebjas

I tested it in firefox as well, it didn't fail for me. Couldn't reproduce the bug, I'm on OS X 10.11.1 firefox 41.0.1

mebjas avatar Mar 18 '16 17:03 mebjas

Sorry for long time ... didn't have time to work on it.

I found a temporary solution to it. Perhaps what I've discovered will helps you. I've seen that in Firefox, the uploaded file information are stored in a "object formdata". And csrfprotector.js file is adding to this object the csrf token in function new_send. This brings to something that is wrongly interpreted by Firefox.

So my temporary solution was to remove from CSRFProtector object of this format.

    function new_send(data) {
        var type = Function.prototype.call.bind( Object.prototype.toString ); 
        if (this.method.toLowerCase() === 'post' && type( data ) === '[object String]') {

            if (data !== "") {
                data += "&";
            } else {
                data = "";
            }

            data += CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey();
        }
        return this.old_send(data);
    }

This work-around permits me to continue using CSRFProtector and Plupload, but I'm not totally satisfied as I'm reducing CSRFP scope :(

I'm not enough aware of Browsers to understand why I've got this issue. Several of the users of my tool also have this issue.

I will continue to investigate now I've found a way to publish a temporary fix ;)

nilsteampassnet avatar Mar 29 '16 19:03 nilsteampassnet

@nilsteampassnet - I tested CSRF Protector with plupload, and it worked well (both in Chrome & Firefox), the token was sent along with image object and later verified at server. So, so far I haven't been able to reproduce the bug.

This kind of disabling CSRF protection at file upload forms, makes you application vulnerable to CSRF at those places.

Can you point me to some script in teamPass application where you are using plupload and facing this issue? If it's a bug with CSRFP I'll push a patch here, else would send a PR to teampass

mebjas avatar Mar 30 '16 20:03 mebjas

Thanks for your proposal!

Plupload is used in several pages in Teampass, but the most easy for test purpose is to use the call from the Items page. So you'll found them in file items.load.php. Make a search on var edit_uploader_attachments = new plupload.Uploader({ This is the initialization of the plupload object when a user is trying to upload a file when editing an item.

It calls the file sources/upload/upload.attachments.php for all post operation once file is uploaded and where it fails without the change I've done in csrfptotector.js.

I don't beleive the error is related to csrfP but more or less something to do with the browsers. Because how to explain that it works with Chrome and not FF? And why excluding the "csrf token append" to a formdata object, it fails. Really strange.

nilsteampassnet avatar Mar 31 '16 06:03 nilsteampassnet

@nilsteampassnet Is there any chance that your issue is related to mine?

https://github.com/mebjas/CSRF-Protector-PHP/issues/94

elieobeid7 avatar Feb 03 '18 23:02 elieobeid7

I have the same problem with file upload

qubit999 avatar Jun 03 '20 19:06 qubit999