Fix Authenticated Unrestricted File Write in letter.php #1571
Conversation
On first glance this looks good -- gonna test this. |
Should do at a bare minimum, can you use csrf token stuffs to further validate the forms. Consider writing your own class or something of the sort. I think this will be used for every form henceforth. That way requests are ensured. |
@realJema -- we really need to do this. This is still vulnerable. You're trading one vulnerability for another here. |
See comments.
This is the attack that you traded for: https://owasp.org/www-community/attacks/csrf |
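The per-form CSRF token check the reviewers ask for above, as an added example that is not the project's own code: a small session-backed helper class (hypothetical name `CsrfToken`, hypothetical form name `letter`) that mints a random token per form, embeds it as a hidden input, and validates it in constant time before the handler does any file write. It assumes `session_start()` has already run.

```php
<?php
// Added example (not the project's code): session-backed CSRF tokens, one per form.
// Class name and the 'letter' form name are hypothetical; session_start() is assumed.
final class CsrfToken
{
    private const SESSION_KEY = '_csrf_tokens';
    private const TTL = 3600; // seconds a token stays valid
    /** Hidden input to embed in the form; issues a token if none is current. */
    public static function field(string $form): string
    {
        $token = self::issue($form);
        return '<input type="hidden" name="csrf_token" value="'
            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    }
    /** Return the current token for $form, minting a fresh random one when missing or expired. */
    public static function issue(string $form): string
    {
        $store = &self::store();
        if (!isset($store[$form]) || $store[$form]['exp'] < time()) {
            $store[$form] = ['tok' => bin2hex(random_bytes(32)), 'exp' => time() + self::TTL];
        }
        return $store[$form]['tok'];
    }
    /** Constant-time check of the submitted token; missing or expired tokens fail closed. */
    public static function validate(string $form, ?string $submitted): bool
    {
        $store = &self::store();
        if ($submitted === null || !isset($store[$form])) {
            return false;
        }
        if ($store[$form]['exp'] < time()) {
            unset($store[$form]);
            return false;
        }
        return hash_equals($store[$form]['tok'], $submitted);
    }
    private static function &store(): array
    {
        if (!isset($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = [];
        }
        return $_SESSION[self::SESSION_KEY];
    }
}
// In the POST handler (e.g. letter.php): reject the request before touching any file.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !CsrfToken::validate('letter', $_POST['csrf_token'] ?? null)) {
    http_response_code(403); exit('Invalid or missing CSRF token');
}
```

The form template echoes `CsrfToken::field('letter')` inside the `<form>`; state-changing actions must be POST-only, since a token in a GET link leaks through the Referer header and browser history.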
ok, let me update the fix. |
Or, you could evaluate the feature, discuss if it actually has a place
in the workflow, then dump the legacy code.
HINT: It doesn't.
|
Thanks Art for the input :) glad to see you around
On Tue, 31 Mar 2020 at 18:57 Art Eaton wrote:
--
*MUA N. LAURENT*: Lead Software Engineer
Akivas Inc. <https://akivas.com/>
|
You need to address this |
Fixes #1213