View Issue Details

ID: 12254
Project: Bug reports
Category: [All Projects] Survey design
View Status: public
Last Update: 2017-04-04 11:04
Reporter: DenisChenu
Assigned To: c_schmitz
Priority: none
Severity: minor
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 2.64.x
Summary: 12254: CSRF issue on admin after testing a survey
Description: We have a CSRF issue on the admin part after testing a survey.
Steps To Reproduce: One example:

1. Open a window on 'Browse response'
2. Open a window on "Survey view"
3. Launch a new test
4. This opens a new window, where you can do the survey
5. Come back to 'Browse response'
6. Try filter or order
7. => Throws a CSRF issue
Additional Information: Child of https://github.com/LimeSurvey/LimeSurvey/commit/e30261b309fb361116dc880ce65cf8eaeaa72758

Maybe regenerateCSRFToken on resetAllSessionVariables [*] only if
- the user is not an admin (because then the CSRF token is already regenerated when logging in)

I think some public users open multiple windows too; with this fix, public users see CSRF issues a lot more. I think we MUST improve the error page.... see https://github.com/LimeSurvey/LimeSurvey/pull/605

[*] https://github.com/LimeSurvey/LimeSurvey/commit/e30261b309fb361116dc880ce65cf8eaeaa72758#diff-4f4265af29f654380fbda47407b84a09L1658
Tags: No tags attached.
Complete LimeSurvey version number (& build): 2.64.3
I will donate to the project if issue is resolved: No
Browser: not relevant
Database & DB-Version: not relevant
Operating System (Server): not relevant
Webserver software & version: not relevant
PHP Version: not relevant
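To show the interaction the report describes in code: one PHP session shared by two browser windows, where the survey start regenerates the CSRF token and so invalidates an admin form that was rendered earlier, and where the proposed "only for non-admins" rule avoids that. This is an added stand-alone PHP 8 simulation, not LimeSurvey code; SessionState, startSurvey, the isAdmin flag and the $regenerateOnlyForPublic switch are names assumed for the example.

```php
<?php
// Added example (not LimeSurvey code): a minimal model of one PHP session shared by two
// browser windows, showing why regenerating the CSRF token on survey start invalidates an
// admin form rendered earlier, and why skipping regeneration for logged-in admins avoids it.
final class SessionState
{
    public string $csrfToken;
    public function __construct(public bool $isAdmin)
    {
        $this->regenerateCsrfToken();
    }
    // Stands in for regenerateCSRFToken(): a fresh random token replaces the session's token.
    public function regenerateCsrfToken(): void
    {
        $this->csrfToken = bin2hex(random_bytes(16));
    }
    // Constant-time comparison of the token embedded in a submitted form with the session token.
    public function isValidCsrfToken(string $submitted): bool
    {
        return hash_equals($this->csrfToken, $submitted);
    }
}

// Models the survey start path that calls resetAllSessionVariables().
// $regenerateOnlyForPublic = false is the 2.64.3 behaviour; true is the rule proposed above.
function startSurvey(SessionState $session, bool $regenerateOnlyForPublic): void
{
    if ($regenerateOnlyForPublic && $session->isAdmin) {
        return; // token was already regenerated at admin login; open admin forms stay valid
    }
    $session->regenerateCsrfToken();
}
// Window A renders "Browse responses" (token stored in a hidden field), window B tests the
// survey with the same session cookie, then window A submits its filter/order form.
function adminFilterSurvivesSurveyTest(bool $regenerateOnlyForPublic): bool
{
    $session = new SessionState(isAdmin: true);
    $tokenInOpenForm = $session->csrfToken;              // window A renders the form
    startSurvey($session, $regenerateOnlyForPublic);     // window B starts the survey test
    return $session->isValidCsrfToken($tokenInOpenForm); // window A submits the form
}

foreach ([false, true] as $onlyPublic) {
    printf("regenerate only for public=%s: admin filter accepted=%s\n",
        var_export($onlyPublic, true), var_export(adminFilterSurvivesSurveyTest($onlyPublic), true));
}
$public = new SessionState(isAdmin: false);
$before = $public->csrfToken;
startSurvey($public, true);
printf("public respondent got a fresh token=%s\n", var_export($before !== $public->csrfToken, true));
```

Run with `php example.php`: the unconditional variant rejects the admin's earlier form (the error from the report), while the conditional variant accepts it and still gives a public respondent a fresh token on survey start.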

Activities

DenisChenu (developer), 2017-04-04 09:44, note ~43377 (last edited 2017-04-04 09:45)

There are a lot of other situations where an admin can open a form + a new survey.

Example "Welcome page construction improvement"
- Open survey edit text
- Click on test survey to see welcome page
- Update welcome text and try to submit

c_schmitz (administrator), 2017-04-04 10:54, note ~43380

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=22566

DenisChenu (developer), 2017-04-04 11:04, note ~43381

Thanks :), but still a good idea to regenerate CSRF for public, no?

Related Changesets

LimeSurvey: master 21cec15d, c_schmitz, 2017-04-04 10:54:38

Fixed issue 12254: CSRF issue in admin after testing a survey

mod - application/helpers/frontend_helper.php

Issue History

Date Modified    | Username   | Field              | Change
2017-04-04 09:43 | DenisChenu | New Issue          |
2017-04-04 09:43 | DenisChenu | Status             | new => assigned
2017-04-04 09:43 | DenisChenu | Assigned To        | => c_schmitz
2017-04-04 09:43 | DenisChenu | File Added         | Capture du 2017-04-04 09-40-45.png
2017-04-04 09:44 | DenisChenu | Note Added         | 43377
2017-04-04 09:45 | DenisChenu | Note Edited        | 43377
2017-04-04 10:54 | c_schmitz  | Changeset attached | => LimeSurvey master 21cec15d
2017-04-04 10:54 | c_schmitz  | Note Added         | 43380
2017-04-04 10:54 | c_schmitz  | Resolution         | open => fixed
2017-04-04 10:58 | c_schmitz  | Status             | assigned => resolved
2017-04-04 10:58 | c_schmitz  | Fixed in Version   | => 2.64.x
2017-04-04 11:04 | DenisChenu | Note Added         | 43381