Unverified Commit c1635e24 authored by Birte Kristina Friesel's avatar Birte Kristina Friesel

use a separate bad_request page for CSRF errors

parent 8cef56a9
+46 −21
@@ -247,8 +247,9 @@ sub do_login {

	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
		$self->render(
			'login',
			invalid => 'csrf',
			'bad_request',
			csrf   => 1,
			status => 400
		);
	}
	else {
@@ -288,8 +289,9 @@ sub register {

	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
		$self->render(
			'register',
			invalid => 'csrf',
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}
@@ -345,8 +347,9 @@ sub register {
		# a human user should take at least five seconds to fill out the form.
		# Throw a CSRF error at presumed spammers.
		$self->render(
			'register',
			invalid => 'csrf',
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}
@@ -408,8 +411,11 @@ sub delete {
	my ($self) = @_;
	my $uid = $self->current_user->{id};
	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
		$self->flash( invalid => 'csrf' );
		$self->redirect_to('account');
		$self->render(
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}

@@ -436,7 +442,11 @@ sub delete {
sub do_logout {
	my ($self) = @_;
	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
		$self->render( 'login', invalid => 'csrf' );
		$self->render(
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}
	$self->logout;
@@ -503,8 +513,9 @@ sub social {
	if ( $self->param('action') and $self->param('action') eq 'save' ) {
		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render(
				'social',
				invalid => 'csrf',
				'bad_request',
				csrf   => 1,
				status => 400
			);
			return;
		}
@@ -724,8 +735,9 @@ sub profile {
	if ( $self->param('action') and $self->param('action') eq 'save' ) {
		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render(
				'edit_profile',
				invalid => 'csrf',
				'bad_request',
				csrf   => 1,
				status => 400
			);
			return;
		}
@@ -908,8 +920,9 @@ sub change_mail {
	if ( $action and $action eq 'update_mail' ) {
		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render(
				'change_mail',
				invalid => 'csrf',
				'bad_request',
				csrf   => 1,
				status => 400
			);
			return;
		}
@@ -967,9 +980,9 @@ sub change_name {
	if ( $action and $action eq 'update_name' ) {
		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render(
				'change_name',
				name    => $old_name,
				invalid => 'csrf',
				'bad_request',
				csrf   => 1,
				status => 400
			);
			return;
		}
@@ -1033,7 +1046,11 @@ sub change_password {
	my $password2    = $self->req->param('newpw2');

	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
		$self->render( 'change_password', invalid => 'csrf' );
		$self->render(
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}

@@ -1074,7 +1091,11 @@ sub request_password_reset {

	if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render( 'recover_password', invalid => 'csrf' );
			$self->render(
				'bad_request',
				csrf   => 1,
				status => 400
			);
			return;
		}

@@ -1131,7 +1152,11 @@ sub request_password_reset {
		my $password2 = $self->param('newpw2');

		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render( 'set_password', invalid => 'csrf' );
			$self->render(
				'bad_request',
				csrf   => 1,
				status => 400
			);
			return;
		}
		if (
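Review bot: The same `$self->render( 'bad_request', csrf => 1, status => 400 );` block is now pasted into twelve CSRF branches of this file (do_login, register twice, delete, do_logout, social, profile, change_mail, change_name, change_password, request_password_reset twice) and again in the set_token, settings and visibility_form hunks below, so any later change to the page name, the stash key or the status code has to be repeated at every site. A private controller method such as `sub _render_csrf_error { my ($self) = @_; $self->render( 'bad_request', csrf => 1, status => 400 ); return; }` would shrink each branch to `$self->_render_csrf_error; return;` and gives one place to decide whether a rejected token should answer 400 or the 403 that the Mojolicious rendering guide uses for this case. The bad_request template and the `csrf` stash key it presumably reads are not on this page, so I am assuming they are added elsewhere in the commit. Several of the enclosing subs (do_login, register, request_password_reset) start or continue outside their hunks.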
+5 −1
@@ -567,7 +567,11 @@ sub import_v1 {
sub set_token {
	my ($self) = @_;
	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
		$self->render( 'account', invalid => 'csrf' );
		$self->render(
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}
	my $token    = make_token();
+3 −2
@@ -15,8 +15,9 @@ sub settings {
		and $self->validation->csrf_protect->has_error('csrf_token') )
	{
		$self->render(
			'traewelling',
			invalid => 'csrf',
			'bad_request',
			csrf   => 1,
			status => 400
		);
		return;
	}
+3 −4
@@ -1529,10 +1529,9 @@ sub visibility_form {
	if ( $action eq 'save' ) {
		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
			$self->render(
				'edit_visibility',
				error      => 'csrf',
				user_level => $user_level,
				journey    => {}
				'bad_request',
				csrf   => 1,
				status => 400
			);
		}
		elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) {
+1 −8
@@ -2,14 +2,7 @@
	<div class="col s12">
		<div class="card caution-color">
			<div class="card-content white-text">
				% if ($invalid eq 'csrf') {
					<span class="card-title">Ungültiger CSRF-Token</span>
					<p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
					Fall von <a
					href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
					handeln.</p>
				% }
				% elsif ($invalid eq 'credentials') {
				% if ($invalid eq 'credentials') {
					<span class="card-title">Ungültige Logindaten</span>
					<p>Falscher Account oder falsches Passwort.</p>
				% }
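Review bot: With the `csrf` branch removed, any stash or flash value of `invalid => 'csrf'` that still reaches this partial renders the caution card with an empty body, because only the `credentials` branch remains; the delete hunk above drops the one `$self->flash( invalid => 'csrf' )` visible here, but other templates and controllers are not on this page, so a grep for that value before merging seems worthwhile. The removed hint that cookies may be disabled is the part of the old message that helps a legitimate user whose session cookie was lost, so the new bad_request page should keep it, e.g. `<p>Sind Cookies aktiviert?</p>` next to the CSRF explanation, assuming the new template is added elsewhere in this commit. The card's enclosing markup continues outside the hunk.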