Magento CSRF Protection

I look at custom forms in Magento. I saw these tutorials

http://fastdivision.com/2012/03/29/diy-magento-create-ajax-login-registration-forms-for-your-magento-theme/

http://inchoo.net/ecommerce/magento/magento-email/magento-custom-email-contact-form-with-notification-system/

I did not see any mention of CSRF prevention, for example checking a client token against the one saved in the user session. I also looked at the form of Magento's Contact Us page and saw this, but I don't think it applies to CSRF:

<input type="text" name="hideit" id="hideit" value="" style="display:none !important;"> 

Does Magento have default code to prevent CSRF? Does the $this->getRequest()->getParams() method of Mage_Core_Controller_Front_Action automatically do something to prevent CSRF that I might be missing?

+6
2 answers

On the front end, the programmer has to use their own CSRF / nonce protection scheme if they are not creating the page / form in the administrator console. By default, the Magento admin console application has this protection for all of its pages / URLs.

Check _validateSecretKey in app/code/core/Mage/Adminhtml/Controller/Action.php and getSecretKey in app/code/core/Mage/Adminhtml/Model/Url.php. This can easily be extended to your own forms on the front end.

+5

In fact, Magento's front end does have CSRF token validation that you can use: it lets you add a unique session-based form key to your custom form and verify it in the controller action.

To submit the CSRF form key with the request when the form is posted, insert the code <?php echo $this->getBlockHtml('formkey') ?> in the form body.

This renders the following input: <input type="hidden" value="unique16codehere" name="form_key">. To verify the key, call the _validateFormKey() method in the corresponding controller action.

+7
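As an added illustration of the answer above (example code, not from the original post or from Magento core), here is a custom frontend controller for a hypothetical Mycompany_Feedback module whose form template includes <?php echo $this->getBlockHtml('formkey') ?> as described; the module name, file path and route are assumptions.

```php
<?php
// Added example, not Magento core code. Assumed location:
// app/code/local/Mycompany/Feedback/controllers/IndexController.php
// Assumed route: frontName "feedback" declared in the module's config.xml,
// so the form posts to getUrl('feedback/index/post').
class Mycompany_Feedback_IndexController extends Mage_Core_Controller_Front_Action
{
    // Renders the page that contains the form; the template emits the
    // hidden form_key input via $this->getBlockHtml('formkey').
    public function indexAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }

    // Handles the submission. The CSRF check runs before any other work:
    // _validateFormKey() compares the posted form_key with the value held
    // in the visitor's core/session, so a cross-site POST (which cannot
    // read that session value) fails the check.
    public function postAction()
    {
        if (!$this->getRequest()->isPost() || !$this->_validateFormKey()) {
            // Missing, stale or foreign form_key: treat the request as
            // forged, do nothing with its data and send the user back.
            Mage::getSingleton('core/session')->addError(
                $this->__('Invalid form key. Please refresh the page and try again.')
            );
            $this->_redirect('*/*/');
            return;
        }

        $post = $this->getRequest()->getPost();
        // Only now is it safe to act on the submitted fields
        // (validate and sanitise them before saving or emailing).
        $message = trim((string) (isset($post['message']) ? $post['message'] : ''));
        if ($message === '') {
            Mage::getSingleton('core/session')->addError($this->__('Message is required.'));
            $this->_redirect('*/*/');
            return;
        }

        Mage::getSingleton('core/session')->addSuccess($this->__('Thanks for your feedback.'));
        $this->_redirect('*/*/');
    }
}
```

Because the hidden "hideit" field from the Contact Us form is only a spam honeypot, it provides no CSRF protection; the form_key check is what ties the request to the visitor's session.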

Source: https://habr.com/ru/post/927981/
