[cgiapp] CAP::Security::CSRF -- useful?
Mark Rajcok
mrajcok at gmail.com
Sat Dec 5 01:01:24 EST 2009
To complete this one-man dialogue, the code below seems to work well, but I
had to change the if statement to
if(defined $self->{'__DFV_RESULT'}) {
to guard against a scenario where CAP::ValidateRM is loaded, but neither
check_rm() nor validate_rm() was called (i.e., ValidateRM was not used to
validate the form). In this scenario, dfv_results() calls 'die' -- not
good.
I assume this is a bit chummy -- a module shouldn't be looking at another
module's "private" data -- but there is no method in CAP::ValidateRM that
indicates if check_rm() or validate_rm() was called.
I ended up writing my own CSRF Plugin. It borrows some good ideas from
ProtectCSRF in that it uses attribute handlers and adds the hidden form
field to the HTML. If I ever decide to put it up on CPAN, maybe then I'd
ask Mark S. to add a new method to CAP::ValidateRM.
-- Mark
On Thu, Dec 3, 2009 at 9:29 PM, Mark Rajcok <mrajcok at gmail.com> wrote:
> A possible solution: the postrun callback for ProtectCSRF runmodes could
> be enhanced to detect that ValidateRM was used, and that there were errors
> on the form. Something like this:
>
> if($self->can('dfv_results')) { # hmm, using CAP::ValidateRM
> my $r = $self->dfv_results;
> if($r->has_missing or $r->has_invalid) {
> # the form has errors, assume we need to generate an new CSRF
> token:
> # ... code here to generate a new token and add it to the HTML
> ...
>
More information about the cgiapp
mailing list