projects / GitHub / WoltLab / WCF.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 82ee331) | patch
Check the XSRF-TOKEN cookie against the active request during 5.4 upgrade
authorTim Düsterhus <duesterhus@woltlab.com>
Mon, 8 Mar 2021 10:02:22 +0000 (11:02 +0100)
committerTim Düsterhus <duesterhus@woltlab.com>
Mon, 8 Mar 2021 10:02:56 +0000 (11:02 +0100)
commitfc5454d876a8461d32d16f65897539e06d5ee567
tree6cf2706346e4412f73a425e45bbc11acdf9bad85tree | snapshot (tar.gz zip)
parent82ee331b951e22580ac460638bf5ee981e839bd1commit | diff
Check the XSRF-TOKEN cookie against the active request during 5.4 upgrade

It should not be possible to hit the issue in the real world, but we better
play safe here.

In my tests I could only reproduce the issue by:

1. Taking a snapshot while logged into the ACP.
2. Starting the upgrade until the new cookies have been set.
3. Aborting the upgrade.
4. Rolling back the snapshot.
5. Trying again.

In this case the XSRF-TOKEN cookie is correctly signed and the session cookie
matches the actual session ID. However the sessionVariables are outdated due to
the rollback. The process will continue with the old SECURITY_TOKEN, failing
after the new files from 5.4 are deployed.

This issue is fixed by also checking the cookie against the current request and
the active session to ensure all the values are correctly in place.

Resolves #4052
wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php diff | blob | blame | history
WoltLab Suite Core (previously WoltLab Community Framework)