Provided by: libcgi-application-plugin-protectcsrf-perl_1.01-3_all bug

NAME

       CGI::Application::Plugin::ProtectCSRF - generate and verify anti-CSRF tickets

VERSION

       1.01

SYNPSIS

         use Your::App;
         use base qw(CGI::Application);
         use CGI::Application::Plugin::Session; # mandatory !!
         use CGI::Application::Plugin::ProtectCSRF;

         sub input_form : PublishCSRFID {
           my $self = shift;
           do_something();
         }

         sub finish : ProtectCSRF {
           my $self = shift;
           $self->clear_csrf_id;
           do_something();
         }

DESCRIPTION

       CGI::Application::Plugin::ProtectCSRF provides tools to protect forms in CGI::Application
       web applications from CSRF attacks. Run mode handlers may be declared with the
       "PublishCSFRID" or "ProtectCSFR" attributes.  The former should usually be applied to a
       run mode, whose HTML includes a "form" tag. In this case a ticket is generated and stored
       in the session during a prerun callback and a "hidden" control field, publishing the
       ticket, is added to the form during a postrun callback. Conversely the "ProtectCSRF"
       attribute should normally be applied to the corresponding run modes that process data from
       a submitted form. A prerun callback checks for the hidden field and checks that it matches
       the ticket saved in the session. If the check fails the page is redirected to a
       customizable error page. On success the form processing run mode should use the
       "clear_csrf_id" method, so that subsequent calls to forms from that session will generate
       fresh tickets.

ACTION

   PublishCSRFID
       Run modes declared with the "PublishCSRFID" attribute, take the following actions:

       - generate CSRF ticket and store it in the session;
       - generate the form as per the module code;
       - add a hidden element to the form publishing the CSRF ticket.

         # publish CSRF ticket
         sub input_form : PublishCSRFID {
           my $self = shift;
           return <<HTML;
         <form action="foo" method="post">
         <input type="text" name="name">
         <input type="submit" value="submit!">
         <input type="hidden" name="rm" value="finish">
         </form>
         HTML
         }

         # display html source
         <form action="foo" method="post">
         <input type="hidden" name="_csrf_id" value="random string" /> <- insert hidden field
         <input type="text" name="name">
         <input type="submit" value="submit!">
         <input type="hidden" name="rm" value="finish">
         </form>

   ProtectCSRF
       Run modes declared with the "ProtectCSRF" attribute, take the following actions:

       - verify that the submitted CSRF ticket matches the ticket saved in the session. If there
       is any sort of issue with the ticket the page is redirected to a customizable error page;
       - the form is processed as per the module code;
       - the form should call the "clear_csfr_id" method so that subsequent forms generate fresh
       tickets. The code does not do this because if the form validation fails it might be best
       to retain the same ticket.

         sub finish : ProtectCSRF {
           my $self = shift;

           # required! Unless forms and their processing are tightly
           # coupled by clearing the ticket between invocations,
           # the meaning of the ticket is lost.
           $self->clear_csrf_id;

           # The processing that you want to perform (DB processing etc)
           do_something();
         }

METHOD

   csrf_id
       This method returns the CSRF ticket saved in the session.

       Example:

         sub input_form : PublishCSRFID {
           my $self = shift;

           my $csrf_id = $self->csrf_id;
           do_something();
         }

   protect_csrf_config
       This method initializes the ProtectCSRF state using any configuration options that were
       passed to it. The available options are:

       csrf_error_status - The HTTP status code that would be set on the CSRF error page if a
       CSRF attack is identified. It defaults to 200.
       csrf_error_mode - The CGI::Application runmode name. This defaults to "_csrf_error".
       csrf_error_tmpl - The HTML displayed in the event of a CSRF attack being detected in the
       form of a scalarref or filepath or filehandle. One may consider HTML::Template for
       inspiration on thse formats. The default is $CSRF_ERROR_TMPL which is a scalarref.
       csrf_error_tmpl_param - A hashref of parameters to be placed in the above template. See
       HTML::Template.
       csrf_id - The name of the session parameter used to store the CSRF ticket.This defaults to
       "_csrf_id".
       csrf_post_only - If set non-POST requests to a run mode which is protected by this module
       would be rejected. By default this is 0.

       Example:

         sub cgiapp_init {
           my $self = shift;
           $self->tmpl_path("/path/to/template");
           $self->protect_csrf_config(
                                  csrf_error_status     => 403, # change forbidden
                                  csrf_error_tmpl       => "csrf_error.tmpl",
                                  csrf_error_tmpl_param => { TITLE => "CSRF ERROR", MESSAGE => "your access is csrf!"},
                                  csrf_id               => "ticket_id",
                                  csrf_post_only        => 1
                                );
         }

         # csrf_error.tmpl
         <html><head><title><TMPL_VAR NAME=TITLE ESCAPE=HTML></title></head>
         <body>
         <h1>CSRF Error</h1>
         <span style="color: red"><TMPL_VAR NAME=MESSAGE ESCAPE=HTML></span>
         </body>
         </html>

   clear_csrf_id
       This method clears the CSFR ticket. This should be done during the processing of a form
       request.

       Example :

         sub cgiapp_init {
           my $self = shift;
           $self->protect_csrf_config;
         }

         sub input {
           my $self = shift;
           do_something(). # input form display..
         }

         sub confirm : PublishCSRFID {
           my $self = shift;
           do_something(). # publish csrf_id and input check and confirm display..
         }

         sub complete : ProtectCSRF {
           my $self = shift;
           $self->clear_csrf_id(1); # clear csrf_id for CSRF protect
           do_something();          # DB insert etc..
         }

CALLBACK

   _publish_csrf_id
       prerun callback

   _csrf_forbidden
       prerun callback

   _add_csrf_id
       postrun callback

CAUTION

       This module should not be seen as a panacea for all web security issues.  The user should
       fully understand and act on all security threats his application may face, including
       whether this module is an adequate and useful tool.

SEE ALSO

       Attribute::Handlers, Carp, CGI::Application, CGI::Application::Plugin::Session,
       Digest::SHA, Exporter, HTML::TokeParser, HTML::Template

AUTHOR

       Akira Horimoto <kurt0027@gmail.com>

COPYRIGHT

       Copyright (C) 2006 - 2008 Akira Horimoto

       This module is free software; you can redistribute it and/or modify it under the same
       terms as Perl itself.