Check token before logging the backend user out by carakas · Pull Request #3471 · forkcms/forkcms · GitHub

Check token before logging the backend user out #3471

Merged
carakas merged 1 commit into master from check-token-on-logout on Oct 14, 2021

Conversation

@carakas (Member) commented Oct 14, 2021

Type

  • Security

Pull request description

Check the CSRF token before executing the backend logout.

Prevents things like:

<html>
  <body>
    <!-- history.pushState hides the attacker's URL; the form then auto-submits a
         GET to the logout action and the victim's browser attaches its backend
         session cookie, so no token and no user interaction are needed -->
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.fork-cms.com/private/en/authentication/logout">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
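The fix the PR describes, as an added example that is not Fork CMS's own code: a minimal PHP logout handler with the unchecked "before" beside the token-checked "after", driven by a constructed session and two constructed requests. The function names, the `$session` / `$request` arrays and the redirect target are hypothetical stand-ins for the framework's session and request objects; the auto-submitting form above stands in for the cross-site request.

```php
<?php
// Added example (not Fork CMS code). Shows why an unauthenticated logout URL
// is CSRF-able and how a session-bound token check stops it. All function
// names and the $session / $request arrays are hypothetical stand-ins for the
// framework's session and request objects.
declare(strict_types=1);

// Issue one random token per session. The backend UI renders it into its own
// logout link; a page on another origin cannot read it (same-origin policy).
function issue_csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Before: any request that reaches the action ends the session. The victim's
// browser attaches the backend cookie to the cross-site form submit, so an
// attacker can log the backend user out at will.
function logout_vulnerable(array $request, array &$session): string
{
    $session = [];
    return '302 Found -> /private/en/authentication';
}

// After: require a token that matches the one bound to this session.
// hash_equals() compares in constant time; a missing or wrong token is
// refused and the session is left untouched.
function logout_checked(array $request, array &$session): string
{
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($request['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return '403 Forbidden';
    }
    $session = [];
    return '302 Found -> /private/en/authentication';
}

// Constructed demo: a logged-in backend session and two requests.
$session = ['user_id' => 1];
$token   = issue_csrf_token($session);

// 1. The PR's cross-site form: session cookie present, no token parameter.
$crossSite = [];
echo logout_checked($crossSite, $session), PHP_EOL;
echo isset($session['user_id']) ? "still logged in" : "logged out", PHP_EOL;

// 2. A click on the backend's real logout link, which carries the token.
echo logout_checked(['token' => $token], $session), PHP_EOL;
echo isset($session['user_id']) ? "still logged in" : "logged out", PHP_EOL;

// For contrast, the old action ends the session on the cross-site request too.
$session2 = ['user_id' => 1];
echo logout_vulnerable($crossSite, $session2), PHP_EOL;
echo isset($session2['user_id']) ? "still logged in" : "logged out", PHP_EOL;
```

Two details carry the protection: the token is bound to the session rather than being a site-wide secret, and it travels in the request itself (here a `token` query parameter, since the PoC hits the action with a plain GET), never only in a cookie, because the cookie is exactly what the victim's browser adds to the attacker's request for free.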

@carakas carakas added the security Pull requests that address a security vulnerability label Oct 14, 2021
@carakas carakas added this to the 5.11.0 milestone Oct 14, 2021
@carakas carakas requested a review from a team October 14, 2021 12:07
codecov bot commented Oct 14, 2021

Codecov Report

Merging #3471 (187b2de) into master (7a30e1d) will decrease coverage by 0.00%.
The diff coverage is 100.00%.


@@             Coverage Diff              @@
##             master    #3471      +/-   ##
============================================
- Coverage     27.88%   27.88%   -0.01%     
  Complexity     8145     8145              
============================================
  Files           575      575              
  Lines         30690    30691       +1     
============================================
- Hits           8558     8557       -1     
- Misses        22132    22134       +2     
Flag         Coverage Δ
functional   23.78% <100.00%> (-0.01%) ⬇️
installer     3.84% <0.00%>   (-0.01%) ⬇️
unit          7.69% <100.00%> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown.

Impacted Files                                         Coverage Δ
.../Backend/Modules/Authentication/Actions/Logout.php  60.00% <100.00%> (-40.00%) ⬇️

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7a30e1d...187b2de.

@carakas carakas merged commit ead48a8 into master Oct 14, 2021
@carakas carakas deleted the check-token-on-logout branch October 14, 2021 12:18

Labels

hacktoberfest-accepted, security (Pull requests that address a security vulnerability)
