PUBLIC - Liferay Portal Community Edition
LPS-64364

Invalid CSRF token in portlet configuration returns a 200 status code

Details

Description

1. Add a portlet that has a "Setup" tab in its Configuration (e.g., Blogs).
2. Open the Setup tab in its own window (instead of in a popup). The URL in the browser should look something like http://localhost:8080/web/guest/home?p_p_id=86&p_p_lifecycle=0&p_p_state=pop_up&p_p_mode=view&_86_struts_action=%2Fportlet_configuration%2Fedit_configuration&_86_portletResource=33
3. Using the browser's developer tools, change the p_auth value in the form's action to another value.
4. Click Save to submit the form.

Result
The page returns an HTTP 200 OK status code (note: the page will be blank).

Expected Result
The page returns an HTTP 401 Unauthorized or 403 Forbidden status code.
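Added illustrative example, not Liferay's own AuthToken code: a servlet filter showing the expected behaviour, where a submitted p_auth token that does not match the session token produces an explicit 403 and stops request processing, instead of rendering a blank page with a 200 status. The filter class and the session attribute name are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical CSRF filter, not Liferay's AuthToken implementation. */
public class CsrfStatusFilter implements Filter {
    // Hypothetical session attribute holding the token rendered into the form.
    static final String SESSION_TOKEN_ATTR = "example.csrfToken";

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if ("POST".equalsIgnoreCase(request.getMethod())) {
            String submitted = request.getParameter("p_auth");
            HttpSession session = request.getSession(false);
            String expected = (session == null)
                ? null : (String) session.getAttribute(SESSION_TOKEN_ATTR);
            if (!tokensMatch(expected, submitted)) {
                // The bug in this ticket: a failed check rendered a blank 200 page.
                // Commit an explicit 403 and stop the chain so clients and
                // monitoring see the rejection instead of an apparent success.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid p_auth token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Constant-time comparison; null or empty values never match. */
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null || expected.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

A regression check for this ticket is then a POST with a modified p_auth value that must come back as 403 (or 401), never 200.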

Attachments

1. Fixed.png (168 kB)
2. ModifiedPAuth.png (31 kB)


People

Assignee: Brian Lee (brian.lee)
Reporter: Samuel Kong (samuel.kong)
Participants: Yunlin "Steven" Sun


Packages

Version Package:
- 7.0.0 DXP FP97
- 7.0.X
- 7.1.10 DXP FP13
- 7.1.X
- 7.2.10 DXP FP1
- 7.2.1 CE GA2
- 7.2.X
- 7.3.10 DXP GA1
- Master