Fatal error due to CRSF security

Description

CRSF stuff didn't take care of all the case (especialy if Fd is used trough 2 reverse proxy)

Distribution Name and Version

fusiondirectory: Installé : 1.3-2jenkinsbuild64 Candidat : 1.3-2jenkinsbuild64 from deb package

FusionDirectory Version

1.3.2

PHP version used

php: Installé : 1:7.0+49 Candidat : 1:7.0+49

Origin of php packages

deb https://integration.fusiondirectory.org/repos/development/debian/fusiondirectory-dev-stretch stretch main

Steps to Reproduce

1. Fd is instaleld beahind 2 proxies ( each off them keep the virtualhost name when request is proxied)
2. When try to edit a record an error occur : Fatal error: Uncaught FusionDirectoryException: CSRF detected: origin and target are not matching (my.server.com!= my.server.com, my.server.com) )

Expected behavior: values could be edited without fatal error

Actual behavior:

Fatal error

Reproduces how often: 100%

Additional Information

some links :

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
• https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
• https://stackoverflow.com/questions/17411391/whats-the-variable-http-x-forwarded-host-in-the-env-hash-in-middleware

maybe get the first value ?

assigned to @MCMic

By Côme Chilliet on 2018-12-05T16:13:19 (imported from GitLab)

changed title from Fatal error due to RSF to Fatal error due to CRSF security

By agallavardin on 2018-12-05T16:16:05 (imported from GitLab)

changed the description

By agallavardin on 2018-12-05T16:16:05 (imported from GitLab)

following dirty patch is working

58      if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
59        $targetArray = explode(",",$_SERVER['HTTP_X_FORWARDED_HOST']);
60        $target = $targetArray[0];
61        //$target = $_SERVER['HTTP_X_FORWARDED_HOST'];
62      } else

By agallavardin on 2018-12-05T16:21:00 (imported from GitLab)

changed milestone to %FusionDirectory 1.4

By Côme Chilliet on 2018-12-05T16:24:57 (imported from GitLab)

created branch 5935-fatal-error-due-to-crsf-security

By Côme Chilliet on 2018-12-05T16:25:01 (imported from GitLab)

mentioned in merge request !475

By Côme Chilliet on 2018-12-05T16:25:03 (imported from GitLab)

mentioned in commit 597d64c9

By Côme Chilliet on 2018-12-05T16:28:31 (imported from GitLab)

If the fix works it should be merged in %FusionDirectory 1.3 as well.

By Côme Chilliet on 2018-12-05T16:29:36 (imported from GitLab)

added 30m of time spent at 2018-12-05

By Côme Chilliet on 2018-12-05T16:29:37 (imported from GitLab)

added To Be Tested label

By Côme Chilliet on 2018-12-05T16:29:37 (imported from GitLab)

OK it's working now ( I applied manually this patch)

By agallavardin on 2018-12-11T11:36:27 (imported from GitLab)

closed

By agallavardin on 2018-12-11T11:36:28 (imported from GitLab)

mentioned in merge request !478

By Côme Chilliet on 2018-12-18T13:55:42 (imported from GitLab)

changed milestone to %FusionDirectory 1.3

By Côme Chilliet on 2018-12-18T13:56:19 (imported from GitLab)

removed To Be Tested label

By bmortier on 2019-01-22T15:15:30 (imported from GitLab)

added Changed PJ1802-0188 labels

By bmortier on 2019-01-22T15:15:58 (imported from GitLab)

added PJ1804-0204 and removed PJ1802-0188 labels

By bmortier on 2019-01-22T15:16:09 (imported from GitLab)