Defect #9239: authenticity_token is not checked properly
Status: Closed
Done: 100%
Description
I'm afraid that authenticity_token is not checked properly. E.g. while submitting a user change, I stop the submission using the Tamper Data Firefox plugin and change authenticity_token or remove the value of authenticity_token completely. To check the Redmine behaviour I change the form value admin = 1 in Tamper Data. Although authenticity_token is not equal to the original value sent from the server, the request is successfully processed. The user gets the Administrator role and only after that is the user logged out because of the wrong authenticity_token.
I'd expect this procedure:
- Check authenticity_token
- If it's OK then process the request
- If not then deny to process the request
I've tried to document the test on attached screen shots:
Step 1: Edit a user
Step 2: Stop execution and alter the sent data (admin flag and authenticity_token)
Step 3: Submit the request
Step 4: We can see that the user was promoted to administrator.

About your application's environment
Ruby version 1.8.7 (x86_64-linux)
RubyGems version 1.3.7
Rack version 1.1.2
Rails version 2.3.11
Active Record version 2.3.11
Active Resource version 2.3.11
Action Mailer version 2.3.11
Active Support version 2.3.11
Edge Rails revision unknown
Application root /home/picman/tmp/redmine-1.2.1
Environment production
Database adapter mysql
Database schema version 20110511000000
Clear installation without any changes or additional plugins. The same problem in version 1.2.0.
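As an added illustration of the check order the reporter expects (example code, not Redmine's or Rails' own): a minimal Ruby handler that compares the submitted authenticity_token with the session token in constant time and refuses to touch the admin flag unless it matches. The session key, the handler class and the token values are constructed for this example.

```ruby
# Constant-time string comparison so the token check does not leak timing
# information about how many leading bytes matched.
def secure_compare(expected, submitted)
  return false unless expected.is_a?(String) && submitted.is_a?(String)
  return false unless expected.bytesize == submitted.bytesize
  diff = 0
  expected.bytes.zip(submitted.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical handler modelling the expected order of operations:
# the session holds the token issued with the form, the request carries the
# submitted params, and the record is touched only after the token matches.
class UserUpdateHandler
  Result = Struct.new(:status, :user)

  def initialize(session)
    @session = session
  end

  # params: form fields as strings, e.g. {'authenticity_token' => ..., 'admin' => '1'}
  # user:   the record being edited, as a Hash with an :admin flag
  def call(params, user)
    unless secure_compare(@session[:_csrf_token], params['authenticity_token'])
      return Result.new(:forbidden, user) # deny before any change is applied
    end
    user[:admin] = (params['admin'] == '1') if params.key?('admin')
    Result.new(:ok, user)
  end
end

# Runs the three cases from the report (valid, altered, missing token) against
# a constructed session token and returns status and resulting admin flag.
def demo
  session = { _csrf_token: 'constructed-session-token' }
  handler = UserUpdateHandler.new(session)
  cases = {
    valid:    { 'authenticity_token' => 'constructed-session-token', 'admin' => '1' },
    tampered: { 'authenticity_token' => 'tampered-token', 'admin' => '1' },
    missing:  { 'admin' => '1' },
  }
  cases.map do |name, params|
    result = handler.call(params, { admin: false })
    [name, result.status, result.user[:admin]]
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Only the valid case promotes the user; the tampered and missing cases are refused before the admin flag is written, which is the behaviour the report asks for.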