CSRF Protection
See the CSRF definition on Wikipedia.
The security token must be present on all forms, regardless of their location (front/, inc/, etc.). Use the next snippet instead of the HTML form closing tag "</form>":
Html::closeForm();
CSRF protection applies only to POST methods, so:
- No action form (update, deletion, add, etc.) with method="get". Display or navigation forms are not affected.
- No modification event may be triggered by a plain link (a GET request carries no token, so the change would run unprotected).
You can quickly replace such links with this minimal form function:
showSimpleForm(URL, button name, button label, array( key => value ), button option (Ex: Confirmation))
Ex:
echo "<a href='front/foo.php?delete=1&id=15'>Delete</a>";
Becomes
Html::showSimpleForm("front/foo.php", "delete", "Delete", array('id'=>15));
Usage of the new methods (closeForm, showSimpleForm, ...) requires GLPI >= 0.83.3.
When all the forms of your plugin are fixed, declare the "csrf_compliant" hook.
$PLUGIN_HOOKS['csrf_compliant']['appliances'] = true;
IMPORTANT: It is essential to add this hook in your plugin setup even if the plugin has no form. Otherwise, the plugin is considered incompatible.
In 0.83.3: when even one plugin is not compliant, the full protection of all of GLPI (core and plugins) is disabled.
In 0.84: under discussion.
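The three changes above (token on every form, POST-only actions, the csrf_compliant hook) put together for a plugin, as an added example that is not code from the GLPI wiki or the GLPI project. It assumes a plugin named "appliances" (the name used on this page), a hypothetical item class PluginAppliancesFoo extending GLPI's CommonDBTM, and hypothetical file paths; only Html::closeForm(), Html::showSimpleForm() and the $PLUGIN_HOOKS['csrf_compliant'] declaration come from the page. The parts marked with file names would live in separate files of the plugin.

```php
<?php
// Added example, not from the GLPI wiki or the GLPI code base.
// Plugin name "appliances" is from the page; the class, file names and
// field names are assumptions for illustration.

// --- setup.php: declare the hook, even if the plugin has no form --------
function plugin_init_appliances() {
   global $PLUGIN_HOOKS;
   // Without this line GLPI treats the plugin as non-compliant, and on
   // 0.83.3 a single non-compliant plugin disables protection globally.
   $PLUGIN_HOOKS['csrf_compliant']['appliances'] = true;
}

// --- inc/foo.class.php: every action form ends with Html::closeForm() ---
class PluginAppliancesFoo extends CommonDBTM {

   // Edit form: method is POST, and Html::closeForm() appends the hidden
   // token input together with </form>, so no literal </form> is written.
   function showForm($ID) {
      echo "<form method='post' action='../plugins/appliances/front/foo.form.php'>";
      echo "<input type='hidden' name='id' value='" . (int)$ID . "'>";
      echo "<input type='text' name='name'>";
      echo "<input type='submit' name='update' value='Save' class='submit'>";
      Html::closeForm();
   }

   // The former GET link <a href='foo.form.php?delete=1&id=15'>Delete</a>
   // becomes a one-button POST form that carries the token and the id.
   function showDeleteButton($ID) {
      Html::showSimpleForm('../plugins/appliances/front/foo.form.php',
                           'delete', 'Delete', array('id' => (int)$ID));
   }

   // Navigation stays a plain link: it changes nothing, so no token needed.
   function showViewLink($ID) {
      echo "<a href='../plugins/appliances/front/foo.form.php?id=" . (int)$ID
           . "'>View</a>";
   }
}

// --- front/foo.form.php: modifications only from POST ---------------------
// include('../../../inc/includes.php');  // core validates the token on POST
$foo = new PluginAppliancesFoo();

if (isset($_POST['delete'])) {
   // Only reached for a POST request whose token passed the core check.
   $foo->check($_POST['id'], 'w');   // right check is still required
   $foo->delete($_POST);
   Html::back();

} else if (isset($_POST['update'])) {
   $foo->check($_POST['id'], 'w');
   $foo->update($_POST);
   Html::back();

} else if (isset($_GET['id'])) {
   // Display path: a GET request never modifies data. A leftover
   // ?delete=1 in the URL is simply ignored here, not executed.
   $foo->showForm((int)$_GET['id']);
   $foo->showDeleteButton((int)$_GET['id']);
}
```

The pattern worth checking in a plugin review is the last branch: every write (delete, update, add) sits under an `isset($_POST[...])` test and never under a `$_GET` test, and every form that reaches one of those branches is closed with Html::closeForm() or generated by Html::showSimpleForm(), so the token is always present.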