Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-64364

Invalid CSRF token in portlet configuration returns a 200 status code

Details

    Description

      1. Add a portlet that has a "Setup" tab in the Configuration (e.g., Blogs)
      2. Open the Setup tab in its own window (instead of being in a popup). The URL in the browser should look something like http://localhost:8080/web/guest/home?p_p_id=86&p_p_lifecycle=0&p_p_state=pop_up&p_p_mode=view&_86_struts_action=%2Fportlet_configuration%2Fedit_configuration&_86_portletResource=33
      3. Using the browser's developer tools, change the p_auth value of the form's action to another value
      4. Click Save to submit the form

      Result
      The page returns an HTTP 200 OK status code (note: the page will be blank).
      Expected Result
      The page returns an HTTP 401 Unauthorized or 403 Forbidden status code.
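As an added example (not Liferay's own code), a minimal model of the p_auth check whose expected behaviour the report describes: the untouched form gets 200, while a modified or missing token gets 403. The session token value, the helper names and the p_auth-bearing form action URL are constructed assumptions, not taken from the product.

```python
"""Added example, not Liferay code: models the expected server-side p_auth
CSRF check for the portlet configuration form. Token, URL and helper names
are constructed for illustration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: the Setup tab URL from the report with a p_auth
# parameter appended, standing in for the form's action.
SESSION_TOKEN = secrets.token_urlsafe(12)
FORM_ACTION = (
    "http://localhost:8080/web/guest/home?p_p_id=86&p_p_lifecycle=0"
    "&p_p_state=pop_up&p_p_mode=view"
    "&_86_struts_action=%2Fportlet_configuration%2Fedit_configuration"
    "&_86_portletResource=33&p_auth=" + SESSION_TOKEN
)


def check_p_auth(action_url: str, session_token: str) -> int:
    """HTTP status the server should answer with: 200 only when the
    submitted p_auth equals the session's token, 403 otherwise."""
    params = parse_qs(urlsplit(action_url).query)
    submitted = params.get("p_auth", [""])[0]
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not submitted or not hmac.compare_digest(submitted, session_token):
        return 403
    return 200


def with_p_auth(action_url: str, value: str) -> str:
    """Rebuild the action URL with a different p_auth value (step 3 of the report)."""
    parts = urlsplit(action_url)
    params = parse_qs(parts.query)
    params["p_auth"] = [value]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def regression_check() -> dict:
    """Statuses for the untouched form and for the modified/missing-token cases."""
    return {
        "valid": check_p_auth(FORM_ACTION, SESSION_TOKEN),
        "modified": check_p_auth(with_p_auth(FORM_ACTION, "x" * 12), SESSION_TOKEN),
        "missing": check_p_auth(with_p_auth(FORM_ACTION, ""), SESSION_TOKEN),
    }


if __name__ == "__main__":
    print(regression_check())
```

A fixed build should behave like `regression_check()`; the bug described above corresponds to the "modified" case returning 200 instead of 403.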

      Attachments: Fixed.png, ModifiedPAuth.png

        People
          brian.lee Brian Lee
          samuel.kong Samuel Kong
          Kiyoshi Lee

                Packages

                  Version Package
                  7.0.0 DXP FP97
                  7.0.X
                  7.1.10 DXP FP13
                  7.1.X
                  7.2.10 DXP FP1
                  7.2.1 CE GA2
                  7.2.X
                  7.3.10 DXP GA1
                  Master