CSRF shouldn't throw PHP errors when it receives non-string input

[Saeven]

The CSRF is a bit naive, assuming that it is receiving a string, and not an array. Most penetration tests start with malformed input, and arrays cause this validator to throw an Array to string conversion error.

Reproducing the problem is simple. Craft a form that includes a CSRF Filter, and modify your post to send CSRF as an array. e.g.,

POST /login HTTP/1.1 Content-Length: 142 Content-Type: application/x-www-form-urlencoded Referer: http://foo.com Cookie: PHPSESSID=s3r0icn96iqstvsrpkae3n2sta; lastRoute=register; locale=en_US; lastPageVisited=http://foo.com/login; __cfduid=d815a2363ab50c616e80627e0ca5834a81516720789 Host: foo.com
Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept: */* axis=1&csrf[]=576ae4642376a2904866a504f395c75ab04205df5b1df8e0bbd999f6e6746c73&email=sample%40email.tst&password=g00dPa%24%24w0rD&remember=on

The CSRF filter should report a validation failure when an array is pushed in, and not crap out.

[Ocramius]

Test case still required Marco Pivetta http://twitter.com/Ocramius http://ocramius.github.com/

…

On Tue, Jan 23, 2018 at 5:44 PM, Alexandre Lemaire ***@***.*** > wrote: The CSRF is a bit naive, assuming that it is receiving a string, and not an array. Most penetration tests start with malformed input, and arrays cause this validator to throw an Array to string conversion error. Reproducing the problem is simple. Craft a form that includes a CSRF Filter, and modify your post to send CSRF as an array. e.g., POST /login HTTP/1.1 Content-Length: 142 Content-Type: application/x-www-form-urlencoded Referer: http://foo.com Cookie: PHPSESSID=s3r0icn96iqstvsrpkae3n2sta; lastRoute=register; locale=en_US; lastPageVisited=http://foo.com/login; __cfduid=d815a2363ab50c616e80627e0ca5834a81516720789 Host: foo.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept: */* axis=1&csrf[]=576ae4642376a2904866a504f395c75ab04205df5b1df8e0bbd999f6e6746c73&email=sample%40email.tst&password=g00dPa%24%24w0rD&remember=on The CSRF filter should report a validation failure when an array is pushed in, and not crap out. ------------------------------ You can view, comment on, or merge this pull request online at: #212 Commit Summary - Update Csrf.php File Changes - *M* src/Csrf.php <https://github.com/zendframework/zend-validator/pull/212/files#diff-0> (6) Patch Links: - https://github.com/zendframework/zend-validator/pull/212.patch - https://github.com/zendframework/zend-validator/pull/212.diff — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#212>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAJakKhcwPObFm1cITQK_2emchmpFaaxks5tNgyDgaJpZM4Rp9HR> .

[Saeven]

Yep sorry, forgot to check it in. Done.

[Saeven]

Hm, some tests in this branch (untouched) were failing already. Need fixing? Timezone tests.

[weierophinney]

Thanks, @Saeven!