solved jrCore_validate_location_url

SteveX
SteveX
@ultrajam
10 years ago
2,583 posts
I have a delete button which is not on a profile, it is in a module view.

The delete fails on jrCore_validate_location_url(); so I’ve temporarily copied that function to ujModule_validate_location_url(); whilst figuring out why. If I comment out the validate_location_url check everything works fine, but it looks like I need a check for CSRF purposes?

It fails because $_COOKIE['jr_location_url'] {1} doesn’t exist. $_COOKIE looks like this:
Quote: (2014-02-13T13:09:09+00:00 0.07493000)-(mem: 9699328)-(pid: 31410)-(uri: /mymodule/section_delete/id=14)
Array
(
[sessb00dfd089f00] => d1i2n3fop8tuvg675r821qv5g7
[autob00dfd089f00] => 1-d2128387086991cc3398b8310c732a9d
)
Is jr_location_url missing because I am not on a profile?

How do I get jr_location_url into the cookie? Or should I be looking at another way around?

Thanks!


The delete function and jrCore_validate_location_url functions pasted below, but they are standard.

//------------------------------
// section_delete
//------------------------------
function view_ujModule_section_delete($_post, $_user, $_conf)
{ // Must be logged in jrUser_session_require_login(); ujModule_validate_location_url(); jrUser_check_quota_access('ujModule'); // Make sure we get a good id if (!isset($_post['id']) || !jrCore_checktype($_post['id'], 'number_nz')) { jrCore_notice_page('error', 'Invalid ID'); jrCore_form_result('referrer'); } $_rt = jrCore_db_get_item('ujModule', $_post['id']); // Make sure the calling user has permission to delete this item if (!jrUser_can_edit_item($_rt)) { jrUser_not_authorized(); } jrCore_db_delete_item('ujModule', $_post['id']); jrProfile_reset_cache(); jrCore_form_result('delete_referrer'); }

/**
 * Validate a window.location redirect URL has been set for CSRF purposes
 * @return bool
 */
function ujModule_validate_location_url(){
fdebug($_COOKIE,$_SERVER);
    if (isset($_COOKIE['jr_location_url']{1})) {
        // Make sure we've come from the correct URL
        if (!strpos($_COOKIE['jr_location_url'], $_SERVER['REQUEST_URI'])) {
            // Check QUERY_STRING - normally this is not needed, but on some
            // redirects the params can get double encoded - QUERY_STRING will have it right
            // [QUERY_STRING] => _uri=networklicense/host_remove/aHR0cDovL3d3dy5wcm94aW1hY29yZS5jb20%253D
            if (isset($_SERVER['QUERY_STRING']) && strpos($_SERVER['QUERY_STRING'], '_uri=') === 0) {
                list(, $uri) = explode('=', $_SERVER['QUERY_STRING']);
                if (strpos($_COOKIE['jr_location_url'], $uri)) {
                    return true;
                }
            }
            jrCore_notice_page('error', 'invalid location redirect token received - please try again');
            return false;
        }
        return true;
    }
    jrCore_notice_page('error', 'invalid location redirect token received - please try again (2)');
    return false;
}



--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)

updated by @ultrajam: 03/19/14 02:33:05AM
brian
@brian
10 years ago
10,136 posts
Yeah - it's failing since the CSRF cookie is not present - to get it working all you need to do is make sure your button (or link or whatever) you are linking to this action goes through jrCore_window_location - i.e.

<a onclick="jrCore_window_location('your delete url');">Click here to delete it</a>

The jrCore_window_location ensures the destination URL was reached from the correct action and not as part of a CSRF attack.

Hope this helps!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
SteveX
SteveX
@ultrajam
10 years ago
2,583 posts
That works perfectly. Thanks Brian!


--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)

Tags