Describe the problem you’re having:
I would like to know if it’s reasonable and safe to change how the plugin handler gets the csrf_token to pull it out of REQUEST instead of POST.
classes/pluginhandler.php:10

I’m trying to clean up an outdated plugin that can do referrer spoofing for images.
It works by replacing each image with a link to the plugin handler, and it makes the request with the referrer that makes it work and sends the data back.
No way to make it post a CSRF token from an image source.

I could just use a csrf_ignore function to bypass the CSRF check for the plugin, but I really don’t like the idea of allowing unauthenticated people to make unauthenticated GET requests to a plugin that will turn around and make its own requests.

Include steps to reproduce the problem:
Write a plugin that can spoof referrer for images?

tt-rss version (including git commit id): v21.09-b88a80592, based off commit ed927dbd2b54aaabe6be75f9fcf4145e2c3249a
The only difference is that I have a commit for my symlink from plugins/af_comics/filters.local to something in my plugins.local git repo.

Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:
Debian buster(oops), php 7.3.29-1~deb10u1

passing csrf token via URL is a rather bad idea. also, don’t forget about api clients, which may not use csrf (i.e. android client webview is isolated from the app anyway).

you might want to check how api_resize plugin does this.

That worked, thank you.
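
Added example, not part of the thread and not tt-rss code: a token carried in the query string is written to web server access logs and is forwarded in the Referer header of requests made from that page, which is one way to check whether the warning above applies to a deployment. The sketch below scans combined-format access log lines for a `csrf_token` parameter in either place; the log lines, host names and the `/app/handler.php` path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache/nginx "combined" format (not from a real server).
# Line 1: token sent in a POST body, so nothing sensitive is logged.
# Line 2: token sent in the query string, so it lands in the access log.
# Line 3: what another host would log when the browser forwards that URL as Referer.
SAMPLE_LOG = '''\
203.0.113.5 - - [01/Oct/2021:10:00:00 +0000] "POST /app/handler.php HTTP/1.1" 200 512 "https://reader.example/" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2021:10:00:01 +0000] "GET /app/handler.php?op=img&csrf_token=EXAMPLETOKEN1 HTTP/1.1" 200 2048 "https://reader.example/" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2021:10:00:02 +0000] "GET /img/a.png HTTP/1.1" 200 900 "https://reader.example/app/handler.php?op=img&csrf_token=EXAMPLETOKEN1" "Mozilla/5.0"
'''

# client, method, request target, referer
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)


def tokens_in_url(url, param):
    """Return every value of `param` found in the query string of `url`."""
    return parse_qs(urlsplit(url).query).get(param, [])


def find_token_leaks(log_text, param="csrf_token"):
    """List (line number, location, client, redacted token) for each exposure."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _method, target, referer = m.groups()
        for where, url in (("request", target), ("referer", referer)):
            for tok in tokens_in_url(url, param):
                # Keep only a short prefix so the report does not re-leak the token.
                leaks.append((lineno, where, client, tok[:4] + "..."))
    return leaks


if __name__ == "__main__":
    for leak in find_token_leaks(SAMPLE_LOG):
        print(leak)
```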