V1-5-beta-developers-notes

From Zen Cart(tm) Wiki
Jump to: navigation, search

Security in v1.5

Security has been an overriding focus in v1.5, however the changes we have made to address security concerns will have an effect on 3rd party contributions.

While this may cause some problems for people using some contributions, the changes needed to comply with our infrastructure updates are not onerous and we hope that contribution authors will quickly update their code to make them v1.5 compatible.


CSRF Protection

CSRF protection for forms was introduced some time ago, however that protection did not cover all POST forms in admin or catalog, and allowed for contribution authors to bypass the protection.

In v1.5 all forms that use the POST method MUST have CSRF protection, otherwise the form submit will fail and redirect the user to the home page (whether catalog or admin)

The simplest way of ensuring that forms have CSRF protection is to use the zen_draw_form function to create the opening form tag.

If for some reason you cannot use that function, and need to use a <form … > tag then you will need to add a hidden field manually for the security token i.e

<input type="hidden" name = "securityToken" value = "<?php echo $_SESSION['securityToken']; ?>" />

Note. CSRF = Cross Site Request Forgery and involves embedding a unique token in the form.


Destructive GET Actions

In earlier versions of Zen Cart, some actions in the Admin which changed entries in the Database could be done by clicking a button or link that used GET parameters only. This has been changed in 1.5 so that those actions happen via a form POST, and are therefore protected by a security token.

Contributions which rely on those original GET actions will need to be updated.


.

Personal tools