fix(core): add CSRF token to HordePopup.popup at click time#171
Conversation
HordePopup.popup() did not merge session ID and CSRF token into popup URLs, unlike HordeCore.popupWindow(). Append them at open time via HordeCore.addRequestParams() when available. Seed per-session token_secret_key before closing read-only sessions so view/download endpoints can validate HMAC tokens. ViewModeConfigurator: emit modern HMAC TOKEN for HordeCore.conf instead of the legacy empty horde.token session slot.
ralflang
left a comment
ralflang
left a comment
There was a problem hiding this comment.
I don't like adding session ID to ajax URLs like its 1998. These belong into a header (cookie or other).
|
Feel free to adapt 🙂 Session and tokens is your Expertise |
Use HordeCore.addCsrfToken for popup navigation instead of addRequestParams so only the CSRF token is appended; session identity relies on cookies per review feedback. Register TokenServiceFactory explicitly in DefaultInjectorBindings and use TokenServiceFactory import in Registry to avoid doubled namespace resolution inside Horde\Core.
|
@ralflang Addressed in fc1e3d5: popups now use new Also fixed the |
|
The TOKEN field is now generated on every page render rather than read from a session slot. That means each dynamic-view page render mints a new token. We used to reuse from session. Anyway we are going to migrate off Horde_Registry in the longer run. |
2 participants
Summary
tokento everyHordePopup.popup()URL at click time via newHordeCore.addCsrfToken()(no legacySIDquery parameter).token_secret_keyexists before read-only sessions are closed, so download/view scripts can validate HMAC tokens.ViewModeConfiguratorto expose a modern HMACHordeCore.conf.TOKENinstead of the legacy empty session slot.TokenServiceFactoryexplicitly inDefaultInjectorBindingsand useuseimports inRegistryto avoid doubled namespace resolution.Motivation
After Horde 6 switched to HMAC CSRF tokens, IMP links that open MIME parts in a popup (e.g. “View HTML data in new window”) failed with “Invalid token!” and showed the portal instead of the message.
Horde::popupJs()usesHordePopup.popup(), which never appended atokenparameter, unlikeHordeCore.popupWindow().Session identity must stay in cookies/headers, not URL query parameters (review feedback).
Changes
js/hordecore.js: addHordeCore.addCsrfToken()(token only).js/popup.js: callHordeCore.addCsrfToken()beforewindow.open().lib/Horde/Registry.php: seed per-session CSRF secret beforeSESSION_READONLYclose.src/DefaultInjectorBindings.php: explicitToken::class => TokenServiceFactory::classbinding.src/PageOutput/ViewModeConfigurator.php(+ factory, tests): useHorde\Token\TokenforTOKEN.Test plan
Horde::popupJs()popups (help, prefs import, etc.) still open and authenticate correctly.vendor/bin/phpunit --bootstrap vendor/autoload.php -c vendor/horde/core/phpunit.xml.dist vendor/horde/core/test/Unit/PageOutput/ViewModeConfiguratorTest.php vendor/horde/core/test/Unit/PageOutput/ViewModeConfiguratorDiscovererTest.php vendor/horde/core/test/Unit/Factory/TokenServiceFactoryTest.php