[cgiapp] CAP::Security::CSRF -- useful?

Mark Rajcok mrajcok at gmail.com
Sat Dec 5 01:01:24 EST 2009


To complete this one-man dialogue, the code below seems to work well, but I
had to change the if statement to
   if(defined $self->{'__DFV_RESULT'}) {
to guard against a scenario where CAP::ValidateRM is loaded, but neither
check_rm() nor validate_rm() was called (i.e., ValidateRM was not used to
validate the form).  In this scenario, dfv_results() calls 'die' -- not
good.

I assume this is a bit chummy -- a module shouldn't be looking at another
module's "private" data -- but there is no method in CAP::ValidateRM that
indicates if check_rm() or validate_rm() was called.

I ended up writing my own CSRF Plugin.  It borrows some good ideas from
ProtectCSRF in that it uses attribute handlers and adds the hidden form
field to the HTML.  If I ever decide to put it up on CPAN, maybe then I'd
ask Mark S. to add a new method to CAP::ValidateRM.

-- Mark

On Thu, Dec 3, 2009 at 9:29 PM, Mark Rajcok <mrajcok at gmail.com> wrote:

> A possible solution:  the postrun callback for ProtectCSRF runmodes could
> be enhanced to detect that ValidateRM was used, and that there were errors
> on the form. Something like this:
>
>     if($self->can('dfv_results')) {  # hmm, using CAP::ValidateRM
>         my $r = $self->dfv_results;
>         if($r->has_missing or $r->has_invalid) {
>             #  the form has errors, assume we need to generate an new CSRF
> token:
>             # ... code here to generate a new token and add it to the HTML
> ...
>


More information about the cgiapp mailing list