[dev] CSRF tokens in Horde/IMP
Chuck Hagenbuch
chuck at horde.org
Mon Feb 18 23:16:19 UTC 2008
I've added CSRF tokens to some of the highest profile actions in
Horde/IMP (logouts from Horde, and mailbox view, message view, and
folder view actions in IMP). Especially given where we are in the
release cycle of Horde 3.2 I would very, very much appreciate some
feedback on these now, to avoid trouble that could mean pulling them
or pulling the releases:
http://lists.horde.org/archives/cvs/Week-of-Mon-20080218/075044.html
http://lists.horde.org/archives/cvs/Week-of-Mon-20080218/075045.html
I am reluctant to go adding tokens to every line of every application;
I'd rather spend our development time on new features, either user
facing or developer facing (like being able to use Horde_Routes to
add/check CSRF tokens automatically). But concerns were raised about
these bits of functionality (and I can see auto-logout as sort of a
denial of service attack), so I felt it was worth addressing if it
didn't mean ripping things completely apart. The above patches are my
compromise in that direction.
Thanks,
-chuck
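The mechanism the patches above introduce, shown as an added, self-contained example rather than Horde's or IMP's own code: a per-session random token, appended to links for state-changing actions such as logout, and checked with a constant-time comparison before the action runs. The function names (`csrf_token`, `csrf_link`, `csrf_check`, `handle_logout`), the array standing in for `$_SESSION`, and the logout URL are assumptions made for the illustration; `random_bytes` and `hash_equals` are PHP 7 functions, so the Horde 3.x-era code would have used other primitives.

```php
<?php
// Added example (not Horde/IMP code): per-session CSRF token generation and
// verification for a state-changing action such as logout. The session is a
// plain array standing in for $_SESSION so the script runs from the CLI.

function csrf_token(array &$session): string
{
    // One unguessable token per session, created on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_link(string $url, array &$session): string
{
    // Append the token to a link the application itself renders.
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'token=' . rawurlencode(csrf_token($session));
}

function csrf_check(array $session, array $request): bool
{
    if (empty($session['csrf_token'])
        || !isset($request['token']) || !is_string($request['token'])) {
        return false;
    }
    // Constant-time comparison: a forged token cannot be confirmed byte by byte.
    return hash_equals($session['csrf_token'], $request['token']);
}

function handle_logout(array &$session, array $request): string
{
    if (!csrf_check($session, $request)) {
        return 'logout refused: missing or invalid token';
    }
    $session = [];   // destroy the session
    return 'logged out';
}

// Constructed demo session and request variants.
$session = ['user' => 'alice'];
$link = csrf_link('/horde/login.php?reason=logout', $session);
echo "Logout link served to the user: $link\n";

// 1. A cross-site <img src="/horde/login.php?reason=logout"> carries no token.
echo handle_logout($session, ['reason' => 'logout']), "\n";

// 2. An attacker who guesses a token is also refused.
echo handle_logout($session, ['reason' => 'logout', 'token' => str_repeat('0', 64)]), "\n";

// 3. The user's own click: the token comes back from the link the app rendered.
parse_str(parse_url($link, PHP_URL_QUERY), $params);
echo handle_logout($session, $params), "\n";
echo empty($session) ? "session cleared\n" : "session still present\n";
```

The same `csrf_check` gate applies to the mailbox, message and folder actions the post mentions; only the handler differs. One caveat for token-in-URL links like the one above: the token travels in the query string and can leak through the `Referer` header to any off-site link the page contains, so actions that are not idempotent are better served by POST forms with the token in a hidden field.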