CheckFormId not working
#11
Please reread Alexandre's message:

"Inside OnCheckFormId event, if Allow is False, it means that the received ID is not correct. You can still change it to True and allow it to execute if you want it to. I recommend you to log it, though, and block. That's what most users do."

IW will check for you and set the value. It is a var parameter and this event allows you to change it if you like to override one way or the other. So if you "set allow = false even when the form ID values are the same", of course it's going to throw an error. It's doing exactly what you are telling it to do.
Reply
#12
You don't need to set it. I just showed how you could FORCE it to raise an error so you could confirm that it was working.

When that event executes, Allow will be TRUE, by default, if the IDs match. Allow will be FALSE if they don't match.

Even if Allow is FALSE you can still override it setting it to TRUE instead. Otherwise, you don't need to change the value.

Please do this: Just create an empty event (add a comment to it) and try it out. It will work just as you expect.
Reply
#13
Ok, I understand how it should work now. Thank you. That being said, I think I finally figured out how we failed our penetration test for a CSRF attack. It appears that the IWAppFormCheckFormId event only fires on the 2nd "post" attempt, not the 1st. I proved it using an IntraWeb IV demo. Open the "Features" demo project for IntraWeb IV from the GitHub website. In ServerController set the CheckFormId value to True. On the Combobox form add the OnCheckFormId event and put some code in there so you can set a breakpoint inside the event. I ran the project in debug mode, selected Base features from the menu and then Miscellaneous, which displays the Combobox form. Change the value in the combo box from "No Selection" to some value. The cmboNumbersChange event fires, however the IWAppFormCheckFormId event does not! If you immediately change the combo box value again to a different value, the IWAppFormCheckFormId will finally fire. Why didn't it fire the first time I changed the combo value? This is why our testers were able to successfully submit a post with an invalid form Id. Shouldn't the IWAppFormCheckFormId fire on the first "post"? Please explain.
Reply
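As an added illustration of the handler discussed in #11, #12 and #13 (example code, not from the original posts or from the IntraWeb sources): a form unit with an OnCheckFormId handler that follows Alexandre's advice to log a mismatch and leave the post blocked. The handler signature with a `var Allow: Boolean` parameter, the unit names in the `uses` clause, the `WebApplication.AppID` property used in the log line, and the log file location are all assumptions; check them against the IntraWeb version you build with. CheckFormId itself is still switched on in the ServerController, as described in #13; this unit only consumes the result.

```delphi
unit IWCheckFormIdExample;

interface

uses
  SysUtils, Classes, IWAppForm, IWApplication;

type
  // Hypothetical form. The handler signature (a var Boolean named Allow) is
  // assumed from the thread, not copied from the IntraWeb sources.
  TIWFormCheckFormIdExample = class(TIWAppForm)
    procedure IWAppFormCheckFormId(Sender: TObject; var Allow: Boolean);
  private
    procedure LogRejectedPost(const AReason: string);
  end;

implementation

procedure TIWFormCheckFormIdExample.LogRejectedPost(const AReason: string);
var
  LogFile: TextFile;
  LogPath: string;
begin
  // Assumption: a plain text log beside the executable. Replace with the
  // application's own logger; the point is only that the event is recorded.
  LogPath := ChangeFileExt(ParamStr(0), '.csrf.log');
  AssignFile(LogFile, LogPath);
  if FileExists(LogPath) then
    Append(LogFile)
  else
    Rewrite(LogFile);
  try
    Writeln(LogFile, FormatDateTime('yyyy-mm-dd hh:nn:ss', Now), ' ', AReason);
  finally
    CloseFile(LogFile);
  end;
end;

procedure TIWFormCheckFormIdExample.IWAppFormCheckFormId(Sender: TObject;
  var Allow: Boolean);
begin
  // IntraWeb has already compared the submitted form ID with the expected one
  // and set Allow before this event fires. Leave it alone when it is True.
  // A breakpoint on the next line confirms that the event actually fires on
  // the first post, which is what #13 was checking in the Features demo.
  if not Allow then
  begin
    // Assumption: WebApplication.AppID identifies the session in this version.
    LogRejectedPost('CheckFormId failed on form ' + Name +
      ' for session ' + WebApplication.AppID);
    // Do not set Allow := True here: that would silently accept a forged post,
    // which is exactly what a CSRF test is looking for.
  end;
end;

end.
```

Setting `Allow := False` unconditionally, as #12 describes, is only a way to force the rejection path so you can see the resulting error and confirm the check is wired up; in production the handler should only ever keep a False value, never create one.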
#14
It works as expected in all versions 15.0.x.

There was a bug in that area in the 14 branch which has been fixed later. I recommend you to update to the latest IW 15 release.
However, if that is not a possibility now, it might be possible to fix it if you build it from sources and apply a patch to some parts of the source code.
If you decide to have it fixed in your own version, I'll need to prepare a patch from that specific version.
Reply
#15
Thank you. We are in the process of ordering the new license. We will test again once we upgrade to 15. Thanks again for your help and support.
Reply