autenticity_token is not checked properly
|Category:||Accounts / authentication|
I'm afraid that auhtenticity_token is not checked properly. E.g. While submitting a user change I stop the submitting using Tamper Data Firefox plugin and change authenticity_token or remove the value of authenticity_token completely. To check the Redmine behaviour I change form value admin = 1 in Tamper Data. Althought authenticity_token is not equal to the original value sent from the server, the request is successfully processed. The user got Administrator role and only after that is the user logged out because of wrong authenticity_token.I'd expect this procedure:
- Check authenticity_token
- If it's OK then process the request
- If not then deny to process the request
I've tried to document the test on attached screen shots:
Step 1: Edit a user
Step 2: Stop execution and alter sent data(admin flag and authenticity_token)
Step 3About your application's environment
Ruby version 1.8.7 (x86_64-linux)
RubyGems version 1.3.7
Rack version 1.1.2
Rails version 2.3.11
Active Record version 2.3.11
Active Resource version 2.3.11
Action Mailer version 2.3.11
Active Support version 2.3.11
Edge Rails revision unknown
Application root /home/picman/tmp/redmine-1.2.1
Database adapter mysql
Database schema version 20110511000000: Submit the request
Step 4: We can see, that the user was promoted to administrator.
Clear installation without any changes or additional plugins. The same problem in version 1.2.0.
#3 Updated by Karel Pičman over 10 years ago
Yes. The user profile is updated first and only after that is the authenticity token checked. The authenticity token must be checked always first otherwise authenticity principle is useless in my opinion.
In case of wrong authenticity token no data can be changed.
#4 Updated by Felix Schäfer over 10 years ago
I think it's been corrected in trunk http://www.redmine.org/projects/redmine/repository/diff?rev=6316&rev_to=6314 , can't find any issue for it though. Could you try it on trunk?