<p>Redmine feed: <a href="https://www.redmine.org/">https://www.redmine.org/</a> (2011-10-05T14:13:52Z)</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32689">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-05T14:13:52Z, Karel Pičman</p>
<p>Is there any chance that somebody will look at this issue? I'm afraid that it has an impact on the security of each Redmine instance installed on the Internet.</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32691">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-05T15:02:15Z, Felix Schäfer</p>
<p>So you're logged in as an admin and can change things with a wrong authenticity token, or what seems to be the problem?</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32692">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-05T15:09:39Z, Karel Pičman</p>
<p>Yes. The user profile is updated first and only after that is the authenticity token checked. The authenticity token must always be checked first, otherwise the authenticity principle is useless in my opinion.<br />In case of a wrong authenticity token, no data can be changed.</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32694">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-05T15:27:41Z, Felix Schäfer</p>
<p>I think it's been corrected in trunk (<a class="external" href="http://www.redmine.org/projects/redmine/repository/diff?rev=6316&amp;rev_to=6314">http://www.redmine.org/projects/redmine/repository/diff?rev=6316&amp;rev_to=6314</a>), can't find any issue for it though. Could you try it on trunk?</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32698">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-05T16:42:17Z, Felix Schäfer</p>
<p>(For the record, it's been fixed and released in Chiliproject about 2 months ago in <a href="http://blog.chiliproject.org/releases/chiliproject-2-1-0-released/" class="external">2.1.0</a> and <a href="http://blog.chiliproject.org/releases/chiliproject-1-5-1-released/" class="external">1.5.1</a> &lt;/shameless plug&gt;)</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32710">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-06T09:20:05Z, Karel Pičman</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul>
<p>Works fine in the current trunk. Thank you.</p>

<p><a href="https://www.redmine.org/issues/9239?journal_id=32712">Redmine - Defect #9239: autenticity_token is not checked properly</a>, 2011-10-06T09:28:37Z, Etienne Massip</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul>
<p>Thanks for your feedback.</p>