Ticket #8176 (closed Bug: fixed)

Opened 4 years ago

Last modified 4 years ago

plone.session raises "form authenticator is invalid" exception on secret management

Reported by: pjnaylor Owned by: witsch
Priority: major Milestone: 3.1
Component: Infrastructure Keywords: csrf hotfix
Cc:

Description (last modified by witsch) (diff)

With a fresh install of Plone 3.1.1, going to /SiteName/acl_users/session/manage_secret in the ZMI and clicking on the "New secret" button, results in an exception of type "Forbidden", and value "Form Authenticator is invalid". The traceback is: 

Module ZPublisher.Publish, line 119, in publish
Module ZPublisher.mapply, line 88, in mapply
Module ZPublisher.Publish, line 42, in call_object
Module <string>, line 4, in _facade
Module plone.protect.utils, line 32, in _curried
Module plone.protect.authenticator, line 60, in check

Clicking on the "Clear secrets" button results in the same problem, with an almost identical trace back (line 6 in _facade, rather than line 4).

Change History

comment:1 Changed 4 years ago by limi

  • Owner changed from somebody to witsch

Seems like we missed this form. Andi, can you take a look?

comment:2 follow-up: ↓ 6 Changed 4 years ago by hannosch

I suspect what happens on these forms is a bit more special. My guess is that they are protected, but both of them change the underlying key, which the authenticator is based upon. If the key is changed in the request before the authenticator is checked, you get an invalid authenticator, as it is not based on the new key.

Not sure about the order in which updating and validating happens here, maybe that can be changed, otherwise they need to except an authenticator based on an old key if that is possible or the authenticator be removed.

comment:3 Changed 4 years ago by hannosch

s/except/accept/

comment:4 Changed 4 years ago by witsch

  • Keywords csrf hotfix added
  • Status changed from new to assigned
  • Priority changed from minor to major
  • Description modified (diff)
  • Milestone changed from 3.x to 3.1

fix description (ReSt) and properties first...

comment:5 Changed 4 years ago by witsch

  • Status changed from assigned to closed
  • Resolution set to fixed

(In [21086]) add  csrf protection to PAS session plugin form used for managing server secrets (fixes #8176)

comment:6 in reply to: ↑ 2 Changed 4 years ago by witsch

Replying to hannosch:

I suspect what happens on these forms is a bit more special. My guess is that they are protected, but both of them change the underlying key, which the authenticator is based upon. If the key is changed in the request before the authenticator is checked, you get an invalid authenticator, as it is not based on the new key.

just fyi, it's not changed before it's checked. the decorator (well, still a monkey patch atm, but now that the decorator is actually working that can be fixed as well) checks the token before the function is invoked, of course. the other way round doesn't really make sense, since that would allow an attacker to actually do something "useful" before the protection kicks in, wouldn't it? :)

Note: See TracTickets for help on using tickets.