
CSRF protection can be globally disabled

Description

According to https://docs.liferay.com/portal/7.1-latest/propertiesdoc/portal.properties.html#Authentication%20Token (analogous for previous versions), it's possible to disable CSRF protection globally (this seems to have been introduced in LPS-8399). As this is a sure way to disaster if anyone ever does so: should this still be configurable?

      I'm assuming that this configuration option was introduced originally in fear of breaking apps, so that it could be bypassed as a quick fix. These days it's a feature that can only be used to utterly break security and I'd argue that Liferay shouldn't give users such a powerful way to harm themselves.

At a minimum, the property's explanation should be a lot more drastic, but ideally this feature should be removed.
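The issue above is about a single portal.properties switch that turns the authentication-token (CSRF) check off for the whole portal. The following audit script is an added example, not part of the issue or of Liferay's own code: it parses a `portal-ext.properties` override file with Java properties semantics (comments, `=` or `:` separators, backslash continuations, last definition wins) and reports when the effective value of the check property is `false`. The property name `auth.token.check.enabled` is taken from the Authentication Token section of the linked documentation and is assumed here; the sample properties content is constructed for the demonstration.

```python
"""Audit a Liferay portal-ext.properties override for a globally disabled
CSRF (authentication token) check.  Added example, not Liferay code."""
import re

# Property name assumed from the "Authentication Token" section of the
# linked portal.properties documentation; the issue page itself only links
# to that section without naming the key.
CSRF_CHECK_PROPERTY = "auth.token.check.enabled"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser.

    Skips blank and comment lines ('#' or '!'), accepts '=' or ':' (or
    whitespace) as the key/value separator, joins lines ending in a
    backslash, and lets the last definition of a key win, which is how
    an override file takes effect on top of portal.properties.
    """
    logical_lines = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical_lines.append(line)
    if pending:
        logical_lines.append(pending)

    props = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not match:
            continue
        props[match.group(1)] = match.group(2).strip()
    return props


def csrf_check_disabled(props: dict) -> bool:
    """True when the effective value of the check property is 'false'.

    An absent key means the portal.properties default applies, which the
    linked documentation gives as enabled, so it is treated as safe here.
    """
    return props.get(CSRF_CHECK_PROPERTY, "true").strip().lower() == "false"


def audit(text: str) -> list:
    """Return a list of findings (strings) for the given override file text."""
    findings = []
    if csrf_check_disabled(parse_properties(text)):
        findings.append(
            f"{CSRF_CHECK_PROPERTY}=false: CSRF (auth token) check is "
            "disabled portal-wide"
        )
    return findings


# Constructed sample override file, not taken from any real deployment.
# The second definition further down silently overrides the first.
SAMPLE_OVERRIDE = """\
# constructed sample portal-ext.properties
company.default.web.id=example.invalid
auth.token.check.enabled=true
# "temporary" workaround left behind; last definition wins
auth.token.check.enabled=false
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_OVERRIDE):
        print("FINDING:", finding)
```

Because the last definition wins, a grep for `auth.token.check.enabled=true` alone gives a false sense of safety; the parser above resolves the effective value before reporting.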

Packages

Version Package:
- 7.1.10 DXP FP1
- 7.1.1 CE GA2
- 7.1.10.1 SP1
- 7.1.X
- Master