Skip to content

Do not clear CSRF token on logout (fix for #1303)#3832

Merged
rullzer merged 1 commit intomasterfrom
fix_1303
Mar 30, 2017
Merged

Do not clear CSRF token on logout (fix for #1303)#3832
rullzer merged 1 commit intomasterfrom
fix_1303

Conversation

@rullzer
Copy link
Member

@rullzer rullzer commented Mar 13, 2017
edited by GitHubUser4234
Loading

This is a hacky way to allow the use case of #1303.

What happens is

  1. User tries to login
  2. PreLoginHook kicks in and figures out that the user need to change
    their LDAP password or whatever => redirects user
  3. While loading the redirect some logic of ours kicks in and logouts
    the user (thus clearing the session).
  4. We render the new page but now the session and the page disagree
    about the CSRF token

This is kind of hacky but I don't think it introduces new attack
vectors.

TODO:

  • Intergration tests

@GitHubUser4234 can you verify this fixes the issue?
@LukasReschke I hope it does not make your eyes bleed to much.... 🙈

@rullzer
Do not clear CSRF token on logout (fix for #1303)
bb94b39 
This is a hacky way to allow the use case of #1303.

What happens is

1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token

This is kind of hacky but I don't think it introduces new attack
vectors.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer added this to the Nextcloud 12.0 milestone Mar 13, 2017
@mention-bot
Copy link

mention-bot commented Mar 13, 2017

@rullzer, thanks for your PR! By analyzing the history of the files in this pull request, we identified @LukasReschke, @nickvergessen and @ChristophWurst to be potential reviewers.

GitHubUser4234
GitHubUser4234 reviewed Mar 14, 2017
View reviewed changes
Copy link
Contributor

@GitHubUser4234 GitHubUser4234 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to fix it, thanks for hacking :))

@rullzer
Copy link
Member Author

rullzer commented Mar 14, 2017

@LukasReschke I've looked into it but can't really think of sane integration tests... suggestions?

@GitHubUser4234
Copy link
Contributor

GitHubUser4234 commented Mar 21, 2017

@LukasReschke Your green light is really appreciated, as when this is solved it allows the review of #1023 to start, thanks a lot :)

@rullzer rullzer added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Mar 30, 2017
@rullzer rullzer merged commit 548871a into master Mar 30, 2017
@rullzer rullzer deleted the fix_1303 branch March 30, 2017 16:25
@rullzer rullzer mentioned this pull request Mar 30, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GitHubUser4234 GitHubUser4234 GitHubUser4234 left review comments

@LukasReschke LukasReschke LukasReschke approved these changes

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug enhancement security

Projects

None yet

Milestone

Nextcloud 12.0

Development

Successfully merging this pull request may close these issues.

5 participants

@rullzer @mention-bot @GitHubUser4234 @LukasReschke @nickvergessen