> If you submit a form which fails on a constraint other than
> RequestToken, correct the input value, then submit again, the second
> submission will fail for the RequestToken constraint.
>
> The Plugin seems to remove the token regardless of whether there are
> other errors in the form or not mea
Hi Rod,
Thanks for the bug reports. I'll have a look at it and try
to smooth things out!
I'll keep you posted.
cheers,
moritz
On Mon, 22 Feb 2010 11:55:43 -0500, Rod Taylor wrote:
> Took a look and it seems to have a couple of fundamental issues...
__
Took a look and it seems to have a couple of fundamental issues.
If you submit a form which fails on a constraint other than
RequestToken, correct the input value, then submit again, the second
submission will fail for the RequestToken constraint.
The Plugin seems to remove the token regardless of
Not FormFu itself but I thought the Catalyst FormFu controller might
have something like this implemented; particularly since it is a full
blown controller extension and not just a MooseRole.
The token mentioned in another message looks like a much better mechanism.
On Sat, Feb 20, 2010 at 19:22,
The only way to prevent CSRF attacks is to use one-time tokens.
Catalyst::Controller::HTML::FormFu supports that already. Have a look at
http://search.cpan.org/~cfranks/Catalyst-Controller-HTML-FormFu-0.06001/lib/Catalyst/Controller/HTML/FormFu.pm#request_token_enable.
Don't rely on the referrer
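The failure Rod describes above (a token that is consumed as soon as the form is posted, so a resubmission after fixing some other field fails on the token check) and the one-time token mechanism this reply recommends can both be shown in a few lines. The following is an added example written for this thread, not code from HTML::FormFu or Catalyst::Controller::HTML::FormFu; the token store, the field constraint and the two handlers are constructed stand-ins for whatever the real controller keeps in the session.

```python
import secrets


class TokenStore:
    """Server-side set of unused one-time tokens for a single user session.

    Constructed stand-in for a real session store; not FormFu's implementation.
    """

    def __init__(self):
        self._unused = set()

    def issue(self):
        # Fresh unguessable token, remembered until it is used once.
        token = secrets.token_hex(16)
        self._unused.add(token)
        return token

    def consume(self, token):
        """Return True exactly once per issued token, False for anything else."""
        if token in self._unused:
            self._unused.discard(token)
            return True
        return False


def field_errors(fields):
    """Toy constraint on a non-token field: the email must contain '@'."""
    if "@" not in fields.get("email", ""):
        return ["email: not a valid address"]
    return []


TOKEN_ERROR = "token: missing, invalid or already used"


def handle_buggy(store, fields):
    """Reproduces the reported behaviour: the token is spent on the first
    POST and the re-rendered form echoes the same, now-dead token."""
    if not store.consume(fields.get("token")):
        return {"ok": False, "errors": [TOKEN_ERROR], "form": {"token": fields.get("token")}}
    errors = field_errors(fields)
    if errors:
        # Bug: form goes back to the user carrying a token that can never validate again.
        return {"ok": False, "errors": errors, "form": {"token": fields.get("token")}}
    return {"ok": True, "errors": [], "form": None}


def handle_fixed(store, fields):
    """Same single-use rule, but every re-rendered form carries a fresh token."""
    if not store.consume(fields.get("token")):
        return {"ok": False, "errors": [TOKEN_ERROR], "form": {"token": store.issue()}}
    errors = field_errors(fields)
    if errors:
        return {"ok": False, "errors": errors, "form": {"token": store.issue()}}
    return {"ok": True, "errors": [], "form": None}


def user_session(handler):
    """Replay the scenario from the bug report with one handler and return a
    list of (step, ok, errors) tuples: typo, corrected resubmit, then a replay
    of the corrected request (double click or replayed request)."""
    store = TokenStore()
    log = []
    form = {"token": store.issue()}                    # GET renders the form with a token
    first = handler(store, {"token": form["token"], "email": "rod"})  # constructed typo
    log.append(("first", first["ok"], first["errors"]))
    retry = first["form"]                              # form re-rendered with errors
    second = handler(store, {"token": retry["token"], "email": "rod@example.com"})
    log.append(("second", second["ok"], second["errors"]))
    replay = handler(store, {"token": retry["token"], "email": "rod@example.com"})
    log.append(("replay", replay["ok"], replay["errors"]))
    return log


def forged_request(handler):
    """A cross-site POST cannot read the victim's page, so it carries no token."""
    return handler(TokenStore(), {"email": "attacker@example.com"})["ok"]


if __name__ == "__main__":
    for name, handler in (("buggy", handle_buggy), ("fixed", handle_fixed)):
        print(name, user_session(handler), "forged ok:", forged_request(handler))
```

With `handle_buggy` the second step fails on the token even though the user fixed the only real error; with `handle_fixed` it succeeds while the replay of the same request and the token-less forged request are still rejected, which is the property the one-time token is there for.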
Hello Rod,
As for me, the HTTP method used is part of the HTTP request, and not part of
the form's data. And so, I don't see why FormFu should have something like
you want. If you use Catalyst, you could look at
Catalyst::Action::REST.
Good luck!
--
Sincerely yours,
Oleg Kostyuk (CUB-UANIC)
___
> A single flag I can set in
Didn't Finish.
A single flag I could set in either the configuration or a mechanism
to create a custom constraint with access to the Catalyst object ($c)
would be very useful for generic security additions.
Another one I've been considering is referrer enforcement.
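Rod's two wishes, an HTTP-method check and referrer enforcement, are easy to write as request-level checks, and writing them out also shows the caveat behind the earlier "don't rely on the referrer" advice: the Referer header is frequently absent (user privacy settings, proxies, some HTTPS-to-HTTP transitions), so the check has to choose between rejecting legitimate users and letting header-less requests through. This is an added example for the thread, not code from FormFu, Catalyst or Catalyst::Action::REST; the header dictionary and host names are constructed inputs.

```python
from urllib.parse import urlsplit


def method_check(method, allowed=("POST",)):
    """True if the request method is one the form handler should accept.

    Checks the request, not the form data, which is why it lives outside the
    form constraints (constructed helper; not a FormFu API).
    """
    return method.upper() in {m.upper() for m in allowed}


def referer_check(headers, own_host, strict=False):
    """Return (allowed, reason) for a same-host Referer/Origin check.

    strict=False lets a request with neither header through, which is the
    weakness of referer enforcement; strict=True rejects it and will turn
    away some real users. Either way, pair it with a form token.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return (not strict, "no Origin or Referer header present")
    host = urlsplit(source).hostname
    if host is None:
        return (False, "unparseable Origin/Referer value")
    if host.lower() != own_host.lower():
        return (False, "request came from %r, expected %r" % (host, own_host))
    return (True, "same host")


def accept_submission(method, headers, own_host, strict=False):
    """Combined gate a controller could run before touching the form."""
    if not method_check(method):
        return (False, "method %s not allowed" % method)
    return referer_check(headers, own_host, strict=strict)


if __name__ == "__main__":
    # Constructed requests: legitimate, cross-site, and header-less.
    print(accept_submission("POST", {"Referer": "https://app.example/form"}, "app.example"))
    print(accept_submission("POST", {"Referer": "https://evil.example/"}, "app.example"))
    print(accept_submission("POST", {}, "app.example"))
    print(accept_submission("POST", {}, "app.example", strict=True))
    print(accept_submission("GET", {"Referer": "https://app.example/form"}, "app.example"))
```

The third and fourth calls are the point: the same header-less request is accepted in the default mode and rejected in strict mode, and nothing in the request tells you which of those two outcomes was the right one. That ambiguity is why the check is at best a second layer next to the one-time token.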