View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 6
IDProjectCategoryView StatusDate SubmittedLast Update
19220Bug reportsRemoteControlpublic2023-11-04 03:252023-11-08 16:55
Reporterchimp358 Assigned Togabrieljenik  
PriorityhighSeverityblock 
Status closedResolutionduplicate 
Product Version6.3.x 
Summary19220: CSRF validation changes in master introduce breaking change
Description

The changes made the RemoteControl route admin/remotecontrol no longer skip CSRF validation.

Steps To Reproduce

Steps to reproduce

Try using any RemoteControl method, like get_session_key

Expected result

An RPC response.

Actual result

HTTP 400 Error.

TagsNo tags attached.
Bug heat6
Complete LimeSurvey version number (& build)6.3.2
I will donate to the project if issue is resolvedNo
Browser
Database type & versionPostgreSQL 14
Server OS (if known)
Webserver software & version (if known)
PHP Version8.0

Users monitoring this issue

mfavetti

Activities

mfavetti

mfavetti

2023-11-04 07:16

developer   ~78268

someone made PR: https://github.com/LimeSurvey/LimeSurvey/pull/3599
mfavetti

mfavetti

2023-11-04 07:25

developer   ~78269

regression caused by commit 70b09896e023d919791b0b5bb8bc345eee1b98ac (@gabrieljenik)

the suggestion in the PR to change the route in the skip csrf validation route list from "remotecontrol" to "admin/remotecontrol" only fixes routing by get, routing by path would need "/admin/remotecontrol" to be added also. Alternatively, the preg_match could be adjusted to handle both types of routing (leading slash is present on path, but not get) or somehow normalize the leading slash between the two routing methods before the check.

the added unit tests didn't catch this because they don't use the actual path for remotecontrol, they reused the rule from the skip csrf validation route list (also noted in the PR) the previous behavior just matched the skip rule anywhere in the route (which I think was the security issue the offending commit was trying to mitigate)
mfavetti

mfavetti

2023-11-04 07:30

developer   ~78270

i change to block and put high priority

I hope this is can be reverted/fixed before the next release in a couple days as it prevents remotecontrol rpc from working at all (rest/plugin might also be affected but I'm not sure)
mfavetti

mfavetti

2023-11-04 21:46

developer   ~78271

ok rest does work with new preg_match using path routing (rest doesn't seem to work with get routing at all anyways... 500 errors, and it's experimental so shrug)

for some reason /admin/remotecontrol comes through as /admin/remotecontrol but /rest/v1/session comes back as rest/v1/session (leading slash is not consistent)

I don't know about the plugin/unsecure route, not sure how to test that
gabrieljenik

gabrieljenik

2023-11-06 12:52

manager   ~78280

I would just reopen #19139.
Revert the PRs.
Review the whole situation with out having to worry about tomorrows release.
gabrieljenik

gabrieljenik

2023-11-08 16:55

manager   ~78341

Closed in favor of #19139.

Issue History

Date Modified Username Field Change
2023-11-04 03:25 chimp358 New Issue
2023-11-04 07:16 mfavetti Note Added: 78268
2023-11-04 07:16 mfavetti Bug heat 0 => 2
2023-11-04 07:25 mfavetti Note Added: 78269
2023-11-04 07:29 mfavetti Priority none => high
2023-11-04 07:29 mfavetti Severity partial_block => block
2023-11-04 07:30 mfavetti Note Added: 78270
2023-11-04 21:46 mfavetti Note Added: 78271
2023-11-06 12:52 gabrieljenik Note Added: 78280
2023-11-06 12:52 gabrieljenik Bug heat 2 => 4
2023-11-06 14:48 tibor.pacalat Assigned To => gabrieljenik
2023-11-06 14:48 tibor.pacalat Status new => assigned
2023-11-07 23:08 mfavetti Issue Monitored: mfavetti
2023-11-07 23:08 mfavetti Bug heat 4 => 6
2023-11-08 16:55 gabrieljenik Status assigned => closed
2023-11-08 16:55 gabrieljenik Resolution open => duplicate
2023-11-08 16:55 gabrieljenik Note Added: 78341