FAQ
I want to ensure the form is submitted with the HTTP Method of POST
(or potentially PUT or DELETE) but never GET.

I do not see an easy way of adding a Constraint for this type of
thing. method() sets the method when creating the form but does not
appear to enforce it to be correct for submitted_and_valid() to be
set.

A single flag I can set in

Thanks,

Rod


  • Rod Taylor at Feb 20, 2010 at 9:42 pm
    A single flag I can set in
    Didn't Finish.

    A single flag I could set in either the configuration or a mechanism
    to create a custom constraint with access to the catalyst object ( $c
    ) would be very useful for generic security additions.

    Another one I've been considering is referrer enforcement.


    Someone smart can of course script around it, but it would be more than
    enough to prevent someone from putting a malicious <img> tag someplace
    like a forum; not that I have such a place at the moment, but I
    probably will in the future.
  • Oleg Kostyuk at Feb 21, 2010 at 12:22 am
    Hello Rod,

    As far as I'm concerned, the HTTP method used is part of the HTTP
    request, not part of the form's data, so I don't see why FormFu should
    have something like what you want. If you use Catalyst, you could look
    at Catalyst::Action::REST.

    Good luck!

    --
    Sincerely yours,
    Oleg Kostyuk (CUB-UANIC)
  • Moritz Onken at Feb 21, 2010 at 1:56 am
    The only way to prevent CSRF attacks is to use one-time tokens. Catalyst::Controller::HTML::FormFu supports that already. Have a look at http://search.cpan.org/~cfranks/Catalyst-Controller-HTML-FormFu-0.06001/lib/Catalyst/Controller/HTML/FormFu.pm#request_token_enable.

    Don't rely on the referrer! Some browsers and especially some browser plugins do not send the referrer for privacy reasons.

    cheers,

    moritz

  • Rod Taylor at Feb 22, 2010 at 4:55 pm
    Took a look and it seems to have a couple of fundamental issues.

    If you submit a form which fails on a constraint other than
    RequestToken, correct the input value, then submit again the second
    submission will fail for the RequestToken constraint.

    The Plugin seems to remove the token regardless of whether there are
    other errors in the form or not meaning users only get one chance to
    click submit. It should only remove the token from the session on a
    successful submission.
    Second issue is setting an error message. By default it sets the error
    message to 'form_constraint_requesttoken' which shows up at the bottom
    of the form under the submit button and I do not see an easy way to
    change it. I suppressed it with
    span.error_constraint_requesttoken {display: none;} and added a
    template toolkit wrapper to form.render which digs into
    form.get_error(name => '_token') to set a good error message at the
    top of the form.


    This does seem like the right path to be on but the plugin itself
    requires a bit of work to be usable.

    regards,

    Rod
  • Moritz Onken at Feb 23, 2010 at 6:32 am
    Hi Rod,

    Thanks for the bug reports. I'll have a look at it and try
    to smooth things out!

    I'll keep you posted.

    cheers,

    moritz

    On Mon, 22 Feb 2010 11:55:43 -0500, Rod Taylor wrote:
    Took a look and it seems to have a couple of fundamental issues...
  • Moritz Onken at Feb 23, 2010 at 10:34 am

    If you submit a form which fails on a constraint other than
    RequestToken, correct the input value, then submit again the second
    submission will fail for the RequestToken constraint.

    The Plugin seems to remove the token regardless of whether there are
    other errors in the form or not meaning users only get one chance to
    click submit. It should only remove the token from the session on a
    successful submission.
    Hi,

    I fixed this in the SVN repo. Could you please check it out and try it?

    http://html-formfu.googlecode.com/svn/trunk/Catalyst-Controller-HTML-FormFu/
    Second issue is setting an error message. By default it sets the error
    message to 'form_constraint_requesttoken' which shows up at the bottom
    of the form under the submit button and I do not see an easy way to
    change it. I suppressed it with
    span.error_constraint_requesttoken {display: none;} and added a
    template toolkit wrapper to form.render which digs into
    form.get_error(name => '_token') to set a good error message at the
    top of the form.
    This is kind of fixed. I changed the error message to something reasonable.
    If you want to change the error message, please add the RequestToken
    Element and the Constraint by yourself. See the RequestToken plugin
    for more details.

    If you have a better idea, please speak up!

    I hope this helps and you are still willing to use this feature :-)

    cheers,

    moritz
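The two points argued over in this thread, refusing anything but POST and spending a one-time token only after the whole form has validated (so a failed Required on another field does not burn it, the bug Rod reported above), can be shown with plain HTML::FormFu. The script below is an added example written for this page; it is not code from HTML::FormFu, from Catalyst::Controller::HTML::FormFu, or from anyone in the thread. It assumes an in-memory `%session` hash standing in for a real session store, a token read from `/dev/urandom`, and that the request method is copied into the form stash by the caller (under Catalyst that would be `$c->req->method`; the Catalyst controller also places the context in the form stash through its `context_stash` setting, which is what Rod asked for). The token check is a stock Callback constraint; the names `issue_token`, `build_form` and `handle_request` are mine.

```perl
#!/usr/bin/env perl
# Added example (not code from HTML::FormFu, its Catalyst controller, or the
# thread). A form that refuses anything but POST and checks a one-time token
# that is spent only after the whole form validated.
use strict;
use warnings;
use HTML::FormFu;

# Mint a fresh token from the kernel CSPRNG and register it in the session.
# %$session stands in for a real session store (assumption of this example).
sub issue_token {
    my ($session) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read( $fh, my $bytes, 32 ) == 32 or die "short read from urandom";
    my $token = unpack 'H*', $bytes;
    $session->{form_tokens}{$token} = 1;
    return $token;
}

# Build the form. The request method and the session are handed in via the
# form stash so a plain Callback constraint can see them (in Catalyst you
# would copy them from $c->req->method and $c->session).
sub build_form {
    my ($session, $request_method) = @_;
    my $form = HTML::FormFu->new;
    $form->method('POST');
    $form->stash->{session}        = $session;
    $form->stash->{request_method} = $request_method;

    $form->element({ type => 'Text', name => 'title' })->constraint('Required');

    $form->element({ type => 'Hidden', name => '_token' })->constraint({
        type     => 'Callback',
        message  => 'This form has expired, please reload the page and try again.',
        callback => sub {
            my ($value) = @_;
            my $stash = $form->stash;
            # Never accept a submission that did not arrive by POST.
            return 0 unless $stash->{request_method} eq 'POST';
            # The token must be present and still unspent. It is NOT deleted
            # here; that happens only once the whole form is valid.
            return 0 unless defined $value && length $value;
            return exists $stash->{session}{form_tokens}{$value} ? 1 : 0;
        },
    });
    $form->element({ type => 'Submit', name => 'submit' });
    return $form;
}

# One request/response cycle. $params is the query as a hashref, which
# HTML::FormFu accepts in place of a request object. Returns 'rendered'
# (fresh form shown), 'invalid' (re-shown with errors) or 'ok' (accepted,
# token spent).
sub handle_request {
    my ($session, $request_method, $params) = @_;
    my $form = build_form($session, $request_method);
    $form->process($params);

    if ( $form->submitted_and_valid ) {
        delete $session->{form_tokens}{ $form->param_value('_token') };
        return 'ok';
    }
    return 'invalid' if $form->submitted;   # token stays valid for the retry

    # Initial display: mint a token and seed the hidden field with it.
    $form->default_values({ _token => issue_token($session) });
    return 'rendered';
}

# Constructed walk-through of the cases discussed in the thread.
my %session;
print handle_request(\%session, 'GET', {}), "\n";             # first display
my ($token) = keys %{ $session{form_tokens} };
my %good = ( title => 'hello', _token => $token, submit => 'Submit' );

print handle_request(\%session, 'GET',  { %good }), "\n";              # same data, but via GET
print handle_request(\%session, 'POST', { %good, title => '' }), "\n"; # Required fails on title
print handle_request(\%session, 'POST', { %good }), "\n";              # corrected resubmit, same token
print handle_request(\%session, 'POST', { %good }), "\n";              # replay of the spent token
```

Two things the ordering buys you: the Callback runs during `process`, so on a GET `submitted_and_valid` is simply false, which is the single-flag behaviour asked for at the top of the thread, and because the token is only deleted in the `submitted_and_valid` branch, a user whose first attempt fails on `title` can fix it and resubmit with the token still in the hidden field. The `message` option on the constraint is the supported way to replace the default constraint error text, which avoids the CSS and template workaround described earlier; where the message is rendered is still governed by the field's position in the form.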
  • Rod Taylor at Feb 21, 2010 at 4:25 am
    Not FormFu itself, but I thought the Catalyst FormFu controller might
    have something like this implemented, particularly since it is a
    full-blown controller extension and not just a Moose role.

    The token mentioned in another message looks like a much better mechanism.

Discussion Overview
group: html-formfu
categories: perl, catalyst
posted: Feb 20, '10 at 9:39p
active: Feb 23, '10 at 10:34a
posts: 8
users: 3
website: metacpan.org...
