Invalid CSRF token provided : Import source modifiers form #2935

Closed
yoogie27 opened this issue Nov 20, 2024 · 5 comments · Fixed by #2937

@yoogie27

Current Behavior

Within Director, I am editing an import source. I want to add a modifier. After adding some text to "Property" and "Target property" fields, I am receiving an error.
Invalid CSRF token provided (CsrfCounterMeasure.php:30)

Possible Solution

We are on the latest version, 1.11.2. Maybe #2893 has something to do with this.

Steps to Reproduce (for bugs)

Install Director 1.11.2. Add an import source. Click on "modifiers" tab. Click "+Add", enter a property, click on target property and see the error.

Your Environment

  • Director version (System - About): 1.11.2
  • Icinga 2 version 2.12.2
  • Operating System and version: Ubuntu noble
  • Webserver, PHP versions: Apache2, PHP8.3
  • Icinga Web 2 version and modules (System - About):
Loaded Libraries
icinga/icinga-php-thirdparty	0.12.1
icinga/icinga-php-library	0.14.1

Loaded Modules
setup			2.12.2
audit			1.0.2	
businessprocess		2.5.1
icingadb		1.1.3
cube			1.3.3
director		1.11.2
doc			2.12.2
incubator		0.22.0
migrate			2.12.2
monitoring		2.12.2
pdfexport		0.11.0
reporting		1.0.2
vspheredb		master
x509			1.3.2

Stacktrace

#0 [internal function]: Icinga\Module\Director\Web\Form\PropertyTableSortForm->ipl\Web\Common\{closure}()
#1 /usr/share/icinga-php/ipl/vendor/ipl/validator/src/CallbackValidator.php(43): call_user_func()
#2 /usr/share/icinga-php/ipl/vendor/ipl/validator/src/ValidatorChain.php(269): ipl\Validator\CallbackValidator->isValid()
#3 /usr/share/icinga-php/ipl/vendor/ipl/html/src/FormElement/BaseFormElement.php(273): ipl\Validator\ValidatorChain->isValid()
#4 /usr/share/icinga-php/ipl/vendor/ipl/html/src/Form.php(322): ipl\Html\FormElement\BaseFormElement->validate()
#5 /usr/share/icinga-php/ipl/vendor/ipl/html/src/Form.php(303): ipl\Html\Form->validate()
#6 /usr/share/icinga-php/ipl/vendor/ipl/html/src/Form.php(235): ipl\Html\Form->isValid()
#7 /usr/share/icingaweb2/modules/director/library/Director/Web/Table/PropertymodifierTable.php(67): ipl\Html\Form->handleRequest()
#8 /usr/share/icinga-php/ipl/vendor/ipl/html/src/HtmlDocument.php(390): Icinga\Module\Director\Web\Table\PropertymodifierTable->render()
#9 /usr/share/icinga-php/ipl/vendor/ipl/html/src/BaseHtmlElement.php(297): ipl\Html\HtmlDocument->renderUnwrapped()
#10 /usr/share/icinga-php/ipl/vendor/ipl/html/src/BaseHtmlElement.php(365): ipl\Html\BaseHtmlElement->renderContent()
#11 /usr/share/icinga-php/ipl/vendor/ipl/html/src/HtmlDocument.php(568): ipl\Html\BaseHtmlElement->renderUnwrapped()
#12 /usr/share/icinga-php/ipl/vendor/ipl/html/src/HtmlDocument.php(420): ipl\Html\HtmlDocument->render()
#13 /usr/share/icingaweb2/modules/incubator/vendor/gipfl/icingaweb2/src/Zf1/SimpleViewRenderer.php(65): ipl\Html\HtmlDocument->__toString()
#14 /usr/share/icingaweb2/modules/incubator/vendor/gipfl/icingaweb2/src/Zf1/SimpleViewRenderer.php(104): gipfl\IcingaWeb2\Zf1\SimpleViewRenderer->render()
#15 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Action/HelperBroker.php(277): gipfl\IcingaWeb2\Zf1\SimpleViewRenderer->postDispatch()
#16 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Action.php(527): Zend_Controller_Action_HelperBroker->notifyPostDispatch()
#17 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch()
#18 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Front.php(954): Icinga\Web\Controller\Dispatcher->dispatch()
#19 /usr/share/php/Icinga/Application/Web.php(294): Zend_Controller_Front->dispatch()
#20 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#21 /usr/share/icingaweb2/public/index.php(4): require_once('...')
#22 {main}

@zmijunkie

Same here - I just have put an "return true;" into CsrfCounterMeasure.php and restarted apache ... of course I cannot recommend this workaround

@Wintermute2k6

ref/NC/838215

@nilmerg
Member

nilmerg commented Dec 2, 2024

Same here - I just have put an "return true;" into CsrfCounterMeasure.php and restarted apache ... of course I cannot recommend this workaround

Yeah, unless you want to deliberately open GHSA-3mwp-5p5v-j6q3 again

nilmerg added a commit that referenced this issue Dec 2, 2024
nilmerg self-assigned this Dec 2, 2024
nilmerg added the bug label Dec 2, 2024
nilmerg added this to the v1.11.3 milestone Dec 2, 2024
@nilmerg
Member

nilmerg commented Dec 2, 2024

Same here - I just have put an "return true;" into CsrfCounterMeasure.php and restarted apache ... of course I cannot recommend this workaround

Yeah, unless you want to deliberately open GHSA-3mwp-5p5v-j6q3 again

Oh and, since this is a widely used library part, disable CSRF token verification for all recent Icinga Web products. This is really one of the worst workarounds I've encountered.

Instead, please use my solution I just referenced.

nilmerg added a commit that referenced this issue Dec 3, 2024
@carraroj

carraroj commented Dec 6, 2024

ref/NC/838868

lippserd added a commit that referenced this issue Dec 12, 2024