Handle the CSRF vulnerability #230

Closed
herrvigg opened this issue Jun 22, 2018 · 3 comments
@herrvigg
Collaborator

Issue by ianchanning
Wednesday Aug 26, 2015 at 03:34 GMT
Originally opened as qTranslate-Team/qtranslate-x#230


The WordPress vulnerability seems valid. I have added in a nonce to prevent CSRF attacks. I've currently only tested on my local Windows machine in Firefox.

  1. I've tested using the attack suggested by WordPress of POSTing a form with buried JavaScript - this would work on the v3.4.4 plugin as it would run the JavaScript
  2. Now the plugin will give the standard 'Are you sure you want to do this?' if the form is POSTed without the nonce
  3. I've tested that changing the default language and re-submitting still works correctly
  4. I've tested that the Edit Language form still works (this doesn't have a nonce on it as POSTed values aren't inserted)
  5. I've tested that the Add Language form will generate errors correctly
  6. I've tested that a Language can be successfully added
  7. I made a tweak to the submit button classes for the Add / Edit language forms to put the current WordPress submit button styles on them
  8. I've updated the version numbers to 3.4.5 and created a tag

ianchanning included the following code: https://github.com/qTranslate-Team/qtranslate-x/pull/230/commits
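
An added example, not code from this pull request or from qTranslate-X: a minimal WordPress settings form that embeds a nonce, with a handler that rejects a POST lacking it, which is the behaviour tested in items 1 and 2 above. All `example_` names and the option key are hypothetical, and the code assumes it is loaded as a plugin inside a WordPress admin runtime.

```php
<?php
// Added example: hypothetical settings page, not qTranslate-X code.
// Requires a WordPress runtime; every "example_" name is made up.

const EXAMPLE_NONCE_ACTION = 'example_save_language';
const EXAMPLE_NONCE_FIELD  = 'example_language_nonce';

add_action('admin_menu', function () {
    add_options_page('Example Languages', 'Example Languages',
        'manage_options', 'example-languages', 'example_render_page');
});

function example_render_page() {
    // Capability check: a nonce proves intent, not authorization.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to manage languages.'));
    }
    if ('POST' === $_SERVER['REQUEST_METHOD']) {
        example_handle_post();
    }
    $name = get_option('example_language_name', '');
    ?>
    <form method="post">
        <?php // Emits a hidden field holding a per-user, per-action token. ?>
        <?php wp_nonce_field(EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD); ?>
        <input type="text" name="language_name"
               value="<?php echo esc_attr($name); ?>">
        <?php submit_button('Save language'); ?>
    </form>
    <?php
}

function example_handle_post() {
    // On a missing or invalid nonce WordPress stops the request with its
    // nonce-failure page (the "Are you sure you want to do this?" response
    // the post describes), so a form POSTed from another site ends here.
    check_admin_referer(EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD);

    // Defence in depth: even with a valid nonce, never store raw markup.
    // The stored value is also escaped with esc_attr() when rendered above.
    $raw  = isset($_POST['language_name'])
        ? wp_unslash($_POST['language_name']) : '';
    $name = sanitize_text_field($raw);
    update_option('example_language_name', $name);
}
```

The nonce check closes the cross-site request path, while the sanitizing and escaping steps keep a value that does get saved from running as script in the admin page.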

@herrvigg herrvigg added the legacy PR Legacy PR imported from original repo label Jun 22, 2018
@herrvigg
Collaborator Author

Comment by ianchanning
Wednesday Aug 26, 2015 at 09:09 GMT


I've now also included the bug fix to remove the deprecated warning in #226

@herrvigg
Collaborator Author

Comment by ianchanning
Wednesday Aug 26, 2015 at 09:19 GMT


This is to fix #222

@herrvigg
Collaborator Author

Comment by johnclause
Tuesday Sep 01, 2015 at 23:04 GMT


Thank you, @ianchanning, I have already checked in the fix for the security problem; it is being reviewed right now, hopefully, but all your changes are very helpful as well.
