Bug #1720
closed
CSRF check fails on system error
Added by Guillaume AGNIERAY more than a year ago.
Updated 13 days ago.
Description
Message : Échec de la vérification CSRF !
Fichier : /var/www/galette/galette/includes/dependencies.php
Ligne : 459
#0 /var/www/galette/galette/vendor/slim/csrf/src/Guard.php(497): {closure}()
#1 /var/www/galette/galette/vendor/slim/csrf/src/Guard.php(458): Slim\Csrf\Guard->handleFailure()
#2 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Csrf\Guard->process()
#3 /var/www/galette/galette/lib/Galette/Middleware/Language.php(86): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#4 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(168): Galette\Middleware\Language->_invoke()
#5 /var/www/galette/galette/lib/Galette/Middleware/Telemetry.php(86): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#6 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(168): Galette\Middleware\Telemetry->_invoke()
#7 /var/www/galette/galette/includes/main.inc.php(212): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#8 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(269): Closure->{closure}()
#9 /var/www/galette/galette/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php(45): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#10 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\RoutingMiddleware->process()
#11 /var/www/galette/galette/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(76): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#12 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\ErrorMiddleware->process()
#13 /var/www/galette/galette/vendor/slim/twig-view/src/TwigMiddleware.php(115): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#14 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Views\TwigMiddleware->process()
#15 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#16 /var/www/galette/galette/vendor/slim/slim/Slim/App.php(199): Slim\MiddlewareDispatcher->handle()
#17 /var/www/galette/galette/vendor/slim/slim/Slim/App.php(183): Slim\App->handle()
#18 /var/www/galette/galette/includes/main.inc.php(244): Slim\App->run()
#19 /var/www/galette/galette/webroot/index.php(57): require_once('...')
#20 {main}
- Category changed from Files generation to Core
- Assignee set to Johan Cwiklinski
I confirm I can reproduce using drag & drop on your "crop branch" (d&d on demo does not work).
It's strange because the error on exceeded size is displayed with a 3.9Mio file, and I get the CSRF error with a 7.4Mio one... I'll take a look.
- Priority changed from Normal to Low
I absolutely do not understand what is happening here... Even if this is a PHP or a Slim framework behavior, with very large images nothing is sent back with the ajax request when it reaches the CSRF check middleware: the request body is entirely empty.
I was about to send a message to Slim support; but it's quite hard to explain, and they'll ask for a reproducible case. Also, I'm not 100% sure whether this is a Slim, a CSRF guard or a Galette issue...
The UI displays a message indicating image upload has failed; it's probably enough most of the time, and we also can adapt the message with something like "maybe your image is too heavy".
Anyway, I've changed priority, we can see that later.
- Subject changed from CSRF check fails when uploading big files to CSRF check fails on system error
In fact, a warning is displayed in PHP system logs, because the post_max_size limit has been reached. I've not been able to catch it Galette side:
PHP Warning: PHP Request Startup: POST Content-Length of 10349468 bytes exceeds the limit of 8388608 bytes in Unknown on line 0
It seems like the same issue appears when the max_input_vars limit is reached; we only see a CSRF issue, because in those cases the POST request is empty (and therefore does not contain the valid CSRF).
It also seems this appears on ajax requests, not on regular ones (I'm not sure for max_input_vars, but I am for post_max_size).
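The mechanism described in the comment above, as an added illustration that is not code from Galette or from this ticket: when the declared Content-Length exceeds post_max_size, PHP drops the whole body at request startup, so a CSRF guard sees no token and reports a CSRF failure instead of the real cause. The function names, the constructed `$server` array and the `8M` limit are assumptions for the example.

```php
<?php
// Added example (not Galette code): detect a POST whose declared Content-Length
// exceeds post_max_size. PHP then discards the whole body, so $_POST and $_FILES
// are empty and a CSRF guard reports a missing token instead of the real cause.
declare(strict_types=1);

/** Convert a php.ini shorthand size such as "8M" or "512K" to bytes. */
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    $unit = strtolower(substr($value, -1));
    $number = (int) $value; // (int) stops at the first non-digit character
    return match ($unit) {
        'g' => $number * 1024 ** 3,
        'm' => $number * 1024 ** 2,
        'k' => $number * 1024,
        default => $number,
    };
}

/**
 * Return an explanatory message when the request body was dropped because it
 * exceeded post_max_size, or null when the request looks normal.
 * $server, $post and $files are passed in so the check runs without a web server.
 */
function detectPostOverflow(array $server, array $post, array $files, string $postMaxSize): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return null;
    }
    if ($post !== [] || $files !== []) {
        return null; // the body was parsed, so the limit was not hit
    }
    $limit = iniSizeToBytes($postMaxSize);           // 0 means "no limit" in php.ini
    $declared = (int) ($server['CONTENT_LENGTH'] ?? 0); // client-declared, still set by PHP
    if ($limit > 0 && $declared > $limit) {
        return sprintf(
            'Upload rejected: request body of %d bytes exceeds post_max_size (%d bytes).',
            $declared,
            $limit
        );
    }
    return null;
}

// Constructed request mirroring the warning quoted in the ticket: 10349468 bytes against an 8M limit.
$server = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '10349468'];
echo detectPostOverflow($server, [], [], ini_get('post_max_size') ?: '8M') ?? 'No overflow detected', PHP_EOL;
```

In an application this check belongs in a middleware placed before the CSRF guard, answering with a 413 and the message rather than letting the guard fail; it only covers the post_max_size case, not the max_input_vars one the comment also mentions.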
- Status changed from New to Comment
I just took another look at this, and the problem is it's not possible to handle the drag and drop error sent that way. A PHP error is thrown in pre-script; there is no way to handle it correctly.
I've tried to disable CSRF check when the case occurs (when POST is entirely empty), it ends with a "required missing argument" from the ajax photo route. While it's maybe better than a CSRF check issue, that's still not understandable.
The real issue is only shown in PHP system logs, which are not available to every Galette user. The solution would be to check the file size from JS, but it seems once more a lot of work for almost nothing.
I do not know if there is an alternative JS solution that would rely on the "standard" PHP upload that works well - or if we should just remove the image drag and drop (this is not the feature of the year, I consider I've already lost a lot of time on this).
Johan Cwiklinski wrote (#note-4):
[...] I do not know if there is an alternative JS solution that would rely on the "standard" PHP upload that works well - or if we should just remove the image drag and drop (this is not the feature of the year, I consider I've already lost a lot of time on this).
Johan Cwiklinski wrote (#note-5):
[...] I have absolutely no experience with any of those libs, no idea if they're reliable, maintained or else. Also, this is maybe huge for just replacing existing members photo from D&D.
I agree with dropping the drag and drop :D
The simpler, the better!
PR 577
- Status changed from Comment to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Comment
There is another case where this CSRF error occurs: after a logout, when the login page remains open in a tab without closing the browser, and then logging back in a while after (at least 40 minutes).
The user is logged in correctly, but the error is displayed on screen right away.
Might it be related to token expiry?
- Status changed from Comment to Closed
Guillaume AGNIERAY wrote (#note-8):
There is another case where this CSRF error occurs: after a logout, when the login page remains open in a tab without closing the browser, and then logging back in a while after (at least 40 minutes).
The user is logged in correctly, but the error is displayed on screen right away.
Might it be related to token expiry?
CSRF tokens do expire, yes. In that case, an old token is sent, so there is indeed a CSRF check issue (this will happen on every form page you keep open for a while before submitting it).
This is not the same as the original issue, for which CSRF expiration was not the real issue, so I'm closing. You can open another ticket if you want, but I do not really see how this could be fixed :/
For the original issue, I had in mind that the following change https://github.com/galette/galette/pull/530 would help having real error messages instead of falling back to a CSRF issue.
- Target version set to 1.2.0