details about CSRF

Pierrick Le Gall
2023-05-12 09:48:53 +02:00
parent 093556d057
commit 70784e3993
+32 -3
@@ -39,7 +39,17 @@ If the user input variable doesn't exist or matches the expected pattern, nothin
When to use `check_input_parameter`? On absolutely **every user input when the expected pattern is known**.
What if we don't have a pattern to check? For example, if you update the title of a photo, you don't have any pattern de match. This time the solution is to "escape" the variable before using it, with the `pwg_db_real_escape_string` function.
What if we don't have a pattern to check? For example, see this example:
```php
$query = '
DELETE FROM '.OLD_PERMALINKS_TABLE.'
WHERE permalink=\''.$_GET['delete_permanent'].'\'
LIMIT 1
;';
```
Here you have no pattern to match, you don't know what's coming in `$_GET['delete_permanent']`. The problem is that it could countain something like `whatever'; DELETE FROM users WHERE username != '`; This time the solution is to "escape" the variable before using it, with the `pwg_db_real_escape_string` function.
```php
$query = '
@@ -55,5 +65,24 @@ TODO explain what it is, when it's a problem and when it's not a problem but a f
## CSRF
TODO explain what a CSRF is
TODO explain how `pwg_token` protects from CSRF attacks
Read a full explanation on [CSRF on Wikipedia](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Also an explanation, but in pictures on [CSRF on PortSwigger](https://portswigger.net/web-security/csrf)
So in Piwigo we have implemented the `pwg_token` solution. Here is how it works. First in the form:
```
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
```
In the PHP, you send the template variable like this:
```
$template->assign('PWG_TOKEN', get_pwg_token());
```
And this is how you check the token is valid when submitting the form:
```
check_pwg_token();
```
You will find many use case in Piwigo code. Now you know how to use the `pwg_token`, you need to know "when" to use it: everywhere you delete data or edit data. If you want to make things even more secure you can use `pwg_token` on data creation too.