Return a 403 status code if the CSRF tokens are matched.

This currently affects two endpoints: the registration form and the password reset form.

This curl request demonstrates how this can be exploited to register a new email:

    curl -i --header "Accept: application/json" --request POST -F "email=sibi@psibi.in" http://localhost:3005/auth/page/email/register

With the patch applied, it will respond with this:

    {"message":"Permission Denied. A valid CSRF token wasn't present in HTTP headers or POST parameters. Because the request could have been forged, it's been rejected altogether. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection."}
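The check the commit relies on is `checkCsrfHeaderOrParam` from `Yesod.Core.Handler`, which is what produces the "Permission Denied" JSON above. The following is an added example, not yesod-auth's own code: a minimal standalone Yesod app with a single hypothetical `/register` route that applies the same check to its POST handler. The route name, the app type and the hidden-field form are assumptions made for the illustration; the functions `checkCsrfHeaderOrParam`, `defaultCsrfHeaderName`, `defaultCsrfParamName` and `defaultCsrfSetCookieMiddleware` are real yesod-core exports.

```haskell
{-# LANGUAGE OverloadedStrings, QuasiQuotes, TemplateHaskell, TypeFamilies, ViewPatterns #-}
-- Added example (not yesod-auth code): a POST endpoint that rejects
-- requests without a valid CSRF token, using the yesod-core check that
-- the commit applies to the registration and password reset handlers.
import Yesod.Core

data App = App

-- Hypothetical route for the illustration.
mkYesod "App" [parseRoutes|
/register RegisterR GET POST
|]

instance Yesod App where
    -- defaultCsrfSetCookieMiddleware sets the XSRF-TOKEN cookie so a
    -- browser client can echo the token back in the X-XSRF-TOKEN header
    -- or the _token POST parameter on subsequent requests.
    yesodMiddleware = defaultYesodMiddleware . defaultCsrfSetCookieMiddleware

-- GET: render a form that embeds the session's CSRF token as a hidden
-- _token field (the parameter path of the check below).
getRegisterR :: Handler Html
getRegisterR = do
    req <- getRequest
    let tok = reqToken req
    defaultLayout [whamlet|
<form method=post action=@{RegisterR}>
  $maybe t <- tok
    <input type=hidden name=_token value=#{t}>
  <input type=email name=email>
  <button>Register
|]

-- POST: refuse with 403 unless the X-XSRF-TOKEN header or the _token
-- parameter matches the token stored in the session. A forged cross-site
-- POST (like the curl command above) carries neither and is rejected
-- before any registration logic runs.
postRegisterR :: Handler Value
postRegisterR = do
    checkCsrfHeaderOrParam defaultCsrfHeaderName defaultCsrfParamName
    email <- lookupPostParam "email"
    returnJson $ object ["registered" .= email]

main :: IO ()
main = warp 3005 App
```

To exercise it without a browser, first fetch `GET /register` with a cookie jar (`curl -c jar -b jar http://localhost:3005/register`), read the `XSRF-TOKEN` cookie value out of the jar, and repeat the POST with `-b jar --header "X-XSRF-TOKEN: <value>"`; the same POST without that header returns the 403 body quoted in the commit message.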