
Handle the CSRF vulnerability #230

Merged
merged 6 commits into from
Sep 1, 2015
Conversation

ianchanning
Contributor

The WordPress vulnerability seems valid. I have added in a nonce to prevent CSRF attacks. I've currently only tested on my local Windows machine in Firefox.

  1. I've tested using the attack suggested by WordPress of POSTing a form with buried JavaScript - this would work on the v3.4.4 plugin as it would run the JavaScript
  2. Now the plugin will give the standard 'Are you sure you want to do this?' if the form is POSTed without the nonce
  3. I've tested that changing the default language and re-submitting still works correctly
  4. I've tested that the Edit Language form still works (this doesn't have a nonce on it as POSTed values aren't inserted)
  5. I've tested that the Add Language form will generate errors correctly
  6. I've tested that a Language can be successfully added
  7. I made a tweak to the submit button classes for the Add / Edit language forms to put the current WordPress submit button styles on them
  8. I've updated the version numbers to 3.4.5 and created a tag

Ian Channing added 5 commits August 26, 2015 04:48
1. In admin/qtx_admin_utils.php, new function qtranxf_verify_nonce to check if the form has been submitted from within the admin area
2. In admin/qtx_configuration.php, call the qtranxf_verify_nonce function and set the nonce hidden fields for the configuration form
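The commit messages above name a qtranxf_verify_nonce helper and the nonce hidden fields on the configuration form. The block below is an added illustration of that shape using WordPress's own nonce API; it is not the plugin's code from this pull request, and the action name, field name, option name and function names (qtx_example_*) are assumptions. wp_nonce_field() emits the hidden fields, and check_admin_referer() calls wp_verify_nonce() on them and, on a missing or stale nonce, stops the request with WordPress's standard "Are you sure you want to do this?" page, which is the behaviour item 2 of the PR description reports.

```php
<?php
// Added illustration of a CSRF nonce on a WordPress settings form.
// Not the qTranslate-X plugin's own code; the names below are assumptions.

define( 'QTX_EXAMPLE_NONCE_ACTION', 'qtranslate_save_config' ); // assumed action name
define( 'QTX_EXAMPLE_NONCE_FIELD', 'qtranslate_nonce' );        // assumed field name

/**
 * Reject any POST that did not originate from this admin form.
 * A missing or expired nonce makes check_admin_referer() die with
 * "Are you sure you want to do this?" (HTTP 403), so no POSTed value
 * is ever read in that case.
 */
function qtx_example_verify_nonce() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return; // a plain GET of the settings page has nothing to verify
    }
    // The capability check is separate from CSRF protection: the nonce
    // proves the request came from our form, not that the user may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have permission to change these settings.' ) );
    }
    check_admin_referer( QTX_EXAMPLE_NONCE_ACTION, QTX_EXAMPLE_NONCE_FIELD );
}

/**
 * Render the configuration form with the nonce hidden fields embedded.
 * wp_nonce_field() outputs the nonce input plus a _wp_http_referer field.
 */
function qtx_example_render_config_form( $current_default_language ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=qtranslate-x' ) ); ?>">
        <?php wp_nonce_field( QTX_EXAMPLE_NONCE_ACTION, QTX_EXAMPLE_NONCE_FIELD ); ?>
        <label for="default_language"><?php esc_html_e( 'Default language' ); ?></label>
        <input type="text" id="default_language" name="default_language"
               value="<?php echo esc_attr( $current_default_language ); ?>">
        <?php submit_button( __( 'Save Changes' ) ); ?>
    </form>
    <?php
}

/**
 * Handle the submitted form: verify first, only then read POST values.
 */
function qtx_example_handle_config_post() {
    qtx_example_verify_nonce();
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    $default_language = isset( $_POST['default_language'] )
        ? sanitize_text_field( wp_unslash( $_POST['default_language'] ) )
        : '';
    update_option( 'qtranslate_default_language', $default_language ); // assumed option name
}
```

The ordering is the point: the verification runs before any $_POST value is touched, so a cross-site form submission that carries no valid nonce cannot change a setting. A form that only displays data and inserts nothing from POST, like the Edit Language form mentioned in item 4, has no state change to protect, which is why it can go without a nonce; any form that writes should carry one.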
@ianchanning
Contributor Author

I've now also included the bug fix to remove the deprecated warning in #226

@ianchanning
Contributor Author

This is to fix #222

johnclause added a commit that referenced this pull request Sep 1, 2015
Handle the CSRF vulnerability
@johnclause johnclause merged commit 758f825 into qTranslate-Team:master Sep 1, 2015
@johnclause
Member

Thank you, @ianchanning, I have already checked in the fix for the security problem; it is being reviewed right now, hopefully, but all your changes are very helpful as well.
