More relevant comments for CSRF behaviour

This commit is contained in:
lol768
2016-09-29 19:49:49 +01:00
parent a9a7f17910
commit f387dc56c0


@@ -647,14 +647,15 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,
return PAGE_DONE;
}
// Check that they really POSTed from one our forms by checking if they
// For pages *not provided* by modules, a CSRF check is performed which involves:
// Ensure that they really POSTed from one our forms by checking if they
// know the "secret" CSRF check value. Don't do this for login since
// CSRF against the login form makes no sense and the login form does a
// cookies-enabled check which would break otherwise.
// Don't do this, if user authenticated using http-basic auth, because:
// 1. they obviously know the password,
// 2. it's easier to automate some tasks e.g. user creation, without need to
// care about cookies and csrf
// care about cookies and CSRF
if (IsPost() && !m_bBasicAuth && !sURI.StartsWith("/mods/") &&
!ValidateCSRFCheck(sURI)) {
DEBUG("Expected _CSRF_Check: " << GetCSRFCheck());
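Review bot: The rewritten line `// Ensure that they really POSTed from one our forms by checking if they` carries over the typo from the line it replaces; it should read `// Ensure that they really POSTed from one of our forms by checking if they`. The new lead-in "For pages *not provided* by modules" is also looser than the condition below, which exempts requests by URI prefix (`!sURI.StartsWith("/mods/")`) rather than by who serves the page, so `// For URIs outside /mods/ (pages not provided by modules), a CSRF check is performed:` would match the code. The rationale kept for the `m_bBasicAuth` exemption ("they obviously know the password") reads as if basic auth implied a non-browser client; if a browser session can also be flagged as basic auth, a cross-site POST would carry the cached credentials and reach this branch with no CSRF check, so the comment should say the exemption is a deliberate trade-off in favour of scripted clients rather than a safety argument. OnPageRequestInternal continues outside the hunk.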
@@ -804,6 +805,7 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,
if (!pModule) return PAGE_NOTFOUND;
// Pass CSRF check to module.
// Note that the normal CSRF checks are not applied to /mods/ URLs.
if (IsPost() && !m_bBasicAuth &&
!pModule->ValidateWebRequestCSRFCheck(*this, m_sPage)) {
DEBUG("Expected _CSRF_Check: " << GetCSRFCheck());
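Review bot: The added line `// Note that the normal CSRF checks are not applied to /mods/ URLs.` states the exemption but not what replaces it, which is the point a module author needs: `// /mods/ URLs skip the generic CSRF check above, so the module's ValidateWebRequestCSRFCheck is the only CSRF guard for its pages (and basic-auth requests skip it too).` Stating that makes it explicit that a module overriding ValidateWebRequestCSRFCheck takes full responsibility for CSRF protection of its own forms. The same wording point applies to the comment rewritten in the earlier hunk at line 647. OnPageRequestInternal continues outside the hunk.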