L3Y, posted May 25, 2015

Hi,

I know I can globally disable the CSRF, and I also know I can disable the CSRF only for the client login, like this:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

...but what is the correct array to only disable the CSRF for the domain search form? I tried a couple, for example the one suggested here:

    Configure::set("Blesta.csrf_bypass", array('domain_form::index'));

...but nothing is working. Can someone help and provide this info?

Thank you,
Carl
L3Y (author), posted May 26, 2015

Ok. I finally understood I needed the whole thing:

    Configure::set("Blesta.csrf_bypass", array('client_login::index', 'domain_form::index'));

Can someone explain why I need to disable the CSRF on the client login in order to let the domain form work? Why is

    Configure::set("Blesta.csrf_bypass", array('domain_form::index'));

not working for me?

Thank you,
Carl
L3Y (author), posted May 27, 2015

The reason why it worked was because I copied/pasted by mistake the CSRF token from the real form. No comments, lol, I was probably tired.

It still doesn't work. I even tried to add

    Configure::set("Blesta.verify_csrf_token", false);

to the file plugins/order/config/order.php, but it still doesn't work. What is the correct controller to add?
Tyson, posted May 28, 2015

I'm not sure exactly what you're trying to accomplish. Only the Blesta config file should contain the CSRF token setting. It sounds like you want to remove it for the order plugin, which might be "config::preconfig".
Michael, posted May 28, 2015

Quoting Tyson:

    I'm not sure exactly what you're trying to accomplish. Only the Blesta config file should contain the CSRF token setting. It sounds like you want to remove it for the order plugin, which might be "config::preconfig".

He's trying to disable it for the domain order form checker.
L3Y (author), posted May 28, 2015

Hi,

I finally decided to forget about disabling the CSRF for the domain form. I want to sleep at night; I didn't like this idea, and I preferred not to build a plugin only for the purpose of retrieving the CSRF. Instead, I just have to parse the HTML of the form remotely using curl into a variable, work a little on the DOM, and output the form. It works, and I did not have to disable any security. The CSRF token is always valid, unless the user waits until it expires before searching. In such a case, I can redirect the request somewhere else.

...to answer Tyson:

    I'm not sure exactly what you're trying to accomplish. Only the Blesta config file should contain the CSRF token setting. It sounds like you want to remove it for the order plugin, which might be "config::preconfig".

I saw a couple of conditionals like this one, so I thought I could override this setting? In plugins/order/controllers/checkout.php I saw:

    public function preAction() {
        if ($this->action == "complete") {
            // Disable CSRF for this request
            Configure::set("Blesta.verify_csrf_token", false);
        }
        parent::preAction();
        $this->components(array("Input"));
    }

Cheers
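To make the two settings discussed in this thread concrete, here is an added illustration (not Blesta's code, and not posted by anyone in the thread) of how a CSRF guard driven by a "controller::action" bypass list and a per-request verify flag behaves. The class names Config (standing in for Blesta's Configure) and CsrfGuard, the request-array shape and the session array are all assumptions made for the example; the config key names are the ones quoted in the posts above.

```php
<?php
// Hypothetical minimal CSRF guard. NOT Blesta's implementation: Config,
// CsrfGuard, the request array shape and the session array are assumed
// for this illustration. Only the two key names come from the thread.

final class Config
{
    private static array $values = [];

    public static function set(string $key, $value): void
    {
        self::$values[$key] = $value;
    }

    public static function get(string $key, $default = null)
    {
        return self::$values[$key] ?? $default;
    }
}

final class CsrfGuard
{
    // Issue a random token bound to the session so a later POST can be checked.
    public static function issueToken(array &$session): string
    {
        $token = bin2hex(random_bytes(32));
        $session['csrf_token'] = $token;
        return $token;
    }

    // Decide whether a request may proceed. Assumed request shape:
    // ['controller' => ..., 'action' => ..., 'method' => 'GET'|'POST', 'post' => [...]]
    public static function verify(array $request, array $session): bool
    {
        // Only state-changing methods carry a token.
        if ($request['method'] !== 'POST') {
            return true;
        }

        // Per-request switch, as flipped by the preAction() quoted above.
        if (Config::get('Blesta.verify_csrf_token', true) === false) {
            return true;
        }

        // Exact "controller::action" match against the bypass list. A looser
        // match (prefix, wildcard) would exempt far more than the one form.
        $route  = $request['controller'] . '::' . $request['action'];
        $bypass = Config::get('Blesta.csrf_bypass', []);
        if (in_array($route, $bypass, true)) {
            return true;
        }

        $expected = $session['csrf_token'] ?? '';
        $supplied = $request['post']['_csrf_token'] ?? '';
        if ($expected === '' || $supplied === '') {
            return false;
        }
        // Constant-time comparison so the check does not leak token bytes.
        return hash_equals($expected, $supplied);
    }
}

// Constructed demonstration: no real requests or real Blesta routes involved.
$session = [];
$token   = CsrfGuard::issueToken($session);

Config::set('Blesta.csrf_bypass', ['domain_form::index']);

$cases = [
    'checkout::index with token'     => ['controller' => 'checkout',    'action' => 'index',
                                         'method' => 'POST', 'post' => ['_csrf_token' => $token]],
    'checkout::index without token'  => ['controller' => 'checkout',    'action' => 'index',
                                         'method' => 'POST', 'post' => []],
    'domain_form::index (bypassed)'  => ['controller' => 'domain_form', 'action' => 'index',
                                         'method' => 'POST', 'post' => []],
    'domain_form::lookup (not exempt)' => ['controller' => 'domain_form', 'action' => 'lookup',
                                           'method' => 'POST', 'post' => []],
];

foreach ($cases as $label => $request) {
    printf("%-34s -> %s\n", $label, CsrfGuard::verify($request, $session) ? 'accepted' : 'rejected');
}
```

The point the demonstration makes is the one the thread circles around: every entry added to the bypass list is one more POST endpoint that any third-party page can submit on a logged-in user's behalf, and the global verify flag disables the check for the whole request, so the narrowest exemption (an exact route, set only inside the action that needs it) is the only one worth considering, and keeping the token in place, as the author eventually did, is better still.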
quicklyweb, posted May 31, 2015

Will you be able to post details of what you have done?
L3Y (author), posted June 11, 2015

Quoting quicklyweb:

    Will you be able to post details of what you have done?

Hi,

I ended up doing this on our production website:

    <a href="https://blestadomain.com/order/config/preconfig/n-domaines">
      <div class="well">
        <form action="#" id="form">
          <div class="form-group">
            <input type="text" name="domain" value="" placeholder="yourdomain.com" class="form-control input-md">
          </div>
          <div class="search">
            <div class="btn-group">
              <button class="btn btn-default" type="submit" name="lookup" value="1"><i class="fa fa-search"></i> Register</button>
              <button class="btn btn-default" type="submit" name="transfer" value="1"><i class="fa fa-sign-in"></i> Transfer</button>
            </div>
          </div>
        </form>
      </div>
    </a>

Using the <a> tag, with no action in the form, if a user clicks on the form, then he gets redirected to the order form.

...no need to disable CSRF, no need for a CSRF bypass method, and no risk of losing sales.

Trying to use curl was too much of an exploit attempt against our own services, so I re-enabled the CSRF. Much better like this.