Magento CSRF protection


Problem description

I am looking at custom forms in Magento. I saw these tutorials

http://fastdivision.com/2012/03/29/diy-magento-create-ajax-login-registration-forms-for-your-magento-theme/

http://inchoo.net/ecommerce/magento/magento-email/magento-custom-email-contact-form-with-notification-system/

I did not see any mention of CSRF prevention, like checking a client token with one stored in a user session. I also looked in the Magento Contact Us form, and saw this but I do not think it relates to CSRF:

<input type="text" name="hideit" id="hideit" value="" style="display:none !important;">

Does Magento have any default code for preventing CSRF? Does the $this->getRequest()->getParams() method of Mage_Core_Controller_Front_Action do anything automatically to prevent CSRF that I may be missing?

Recommended answer

It's on the end programmer user to use their own CSRF/nonce protection scheme, unless they're creating a page/form in the backend admin console. The Magento admin console application has this protection for all its pages/URLs by default.

Check out _validateSecretKey in app/code/core/Mage/Adminhtml/Controller/Action.php and the getSecretKey method in app/code/core/Mage/Adminhtml/Model/Url.php. This could easily be extended to your own forms on the frontend.
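The answer above says the admin console's secret-key check could be carried over to a frontend form. The following is an added example of what that looks like for a Magento 1.x custom module; it is not Magento's code nor the answerer's, and the module, helper, controller and field names (my_module, csrf_token, postAction) are hypothetical. It stores a random per-session token, emits it as a hidden field, and rejects any POST whose token does not match in constant time.

```php
<?php
// Added example (not Magento's own code): a per-session nonce for a
// frontend form, modelled on the admin console's secret-key check.
// Assumes a Magento 1.x custom module; the names below are hypothetical.

class My_Module_Helper_Csrf extends Mage_Core_Helper_Abstract
{
    const TOKEN_KEY = 'my_module_csrf_token';

    // Return the session token, generating one on first use.
    public function getToken()
    {
        $session = Mage::getSingleton('core/session');
        $token = $session->getData(self::TOKEN_KEY);
        if (!$token) {
            $token = bin2hex(openssl_random_pseudo_bytes(16)); // 128 bits of randomness
            $session->setData(self::TOKEN_KEY, $token);
        }
        return $token;
    }

    // Compare the submitted token with the session token in constant time.
    public function isValidToken($submitted)
    {
        $expected = Mage::getSingleton('core/session')->getData(self::TOKEN_KEY);
        if (!is_string($submitted) || !is_string($expected) || $expected === '') {
            return false; // no token issued yet, or nothing submitted
        }
        return hash_equals($expected, $submitted);
    }
}

// In the form template, emit the token as a hidden field next to the other fields:
//   <input type="hidden" name="csrf_token" value="{{token}}" />
// where {{token}} is produced by
//   echo $this->escapeHtml(Mage::helper('my_module/csrf')->getToken());

// In the controller, check the token before doing any work with the request.
class My_Module_FormController extends Mage_Core_Controller_Front_Action
{
    public function postAction()
    {
        $request = $this->getRequest();
        if (!$request->isPost()
            || !Mage::helper('my_module/csrf')->isValidToken($request->getParam('csrf_token'))) {
            $this->getResponse()->setHttpResponseCode(403);
            $this->getResponse()->setBody('Invalid form token');
            return;
        }
        // ... handle the validated submission here ...
    }
}
```

Because the token lives in the visitor's session and is compared before any processing, a cross-site request that cannot read the page cannot supply a matching value, which is the same property the admin console's secret key provides.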
