DOKK / manpages / debian 12 / libcgi-application-plugin-protectcsrf-perl / CGI::Application::Plugin::ProtectCSRF.3pm.en
CGI::Application::Plugin::ProtectCSRF(3pm) User Contributed Perl Documentation CGI::Application::Plugin::ProtectCSRF(3pm)

CGI::Application::Plugin::ProtectCSRF - generate and verify anti-CSRF tickets

1.01

  use Your::App;
  use base qw(CGI::Application);
  use CGI::Application::Plugin::Session; # mandatory !!
  use CGI::Application::Plugin::ProtectCSRF;
  sub input_form : PublishCSRFID {
    my $self = shift;
    do_something();
  }
  sub finish : ProtectCSRF {
    my $self = shift;
    $self->clear_csrf_id;
    do_something();
  }

CGI::Application::Plugin::ProtectCSRF provides tools to protect forms in CGI::Application web applications from CSRF attacks. Run mode handlers may be declared with the "PublishCSFRID" or "ProtectCSFR" attributes. The former should usually be applied to a run mode, whose HTML includes a "form" tag. In this case a ticket is generated and stored in the session during a prerun callback and a "hidden" control field, publishing the ticket, is added to the form during a postrun callback. Conversely the "ProtectCSRF" attribute should normally be applied to the corresponding run modes that process data from a submitted form. A prerun callback checks for the hidden field and checks that it matches the ticket saved in the session. If the check fails the page is redirected to a customizable error page. On success the form processing run mode should use the "clear_csrf_id" method, so that subsequent calls to forms from that session will generate fresh tickets.

Run modes declared with the "PublishCSRFID" attribute, take the following actions:

  # publish CSRF ticket
  sub input_form : PublishCSRFID {
    my $self = shift;
    return <<HTML;
  <form action="foo" method="post">
  <input type="text" name="name">
  <input type="submit" value="submit!">
  <input type="hidden" name="rm" value="finish">
  </form>
  HTML
  }
  
  # display html source
  <form action="foo" method="post">
  <input type="hidden" name="_csrf_id" value="random string" /> <- insert hidden field
  <input type="text" name="name">
  <input type="submit" value="submit!">
  <input type="hidden" name="rm" value="finish">
  </form>

Run modes declared with the "ProtectCSRF" attribute, take the following actions:

  sub finish : ProtectCSRF {
    my $self = shift;
    # required! Unless forms and their processing are tightly
    # coupled by clearing the ticket between invocations,
    # the meaning of the ticket is lost.
    $self->clear_csrf_id;
    # The processing that you want to perform (DB processing etc)
    do_something();
  }

This method returns the CSRF ticket saved in the session.

Example:

  sub input_form : PublishCSRFID {
    my $self = shift;
    my $csrf_id = $self->csrf_id;
    do_something();
  }

This method initializes the ProtectCSRF state using any configuration options that were passed to it. The available options are:

csrf_id - The name of the session parameter used to store the CSRF ticket.This defaults to "_csrf_id".

Example:

  sub cgiapp_init {
    my $self = shift;
    $self->tmpl_path("/path/to/template");
    $self->protect_csrf_config(
                           csrf_error_status     => 403, # change forbidden
                           csrf_error_tmpl       => "csrf_error.tmpl",
                           csrf_error_tmpl_param => { TITLE => "CSRF ERROR", MESSAGE => "your access is csrf!"},
                           csrf_id               => "ticket_id",
                           csrf_post_only        => 1
                         );
  }
  # csrf_error.tmpl
  <html><head><title><TMPL_VAR NAME=TITLE ESCAPE=HTML></title></head>
  <body>
  <h1>CSRF Error</h1>
  <span style="color: red"><TMPL_VAR NAME=MESSAGE ESCAPE=HTML></span>
  </body>
  </html>

This method clears the CSFR ticket. This should be done during the processing of a form request.

Example :

  sub cgiapp_init {
    my $self = shift;
    $self->protect_csrf_config;
  }
  sub input {
    my $self = shift;
    do_something(). # input form display..
  }
  
  sub confirm : PublishCSRFID {
    my $self = shift;
    do_something(). # publish csrf_id and input check and confirm display..
  }
  sub complete : ProtectCSRF {
    my $self = shift;
    $self->clear_csrf_id(1); # clear csrf_id for CSRF protect
    do_something();          # DB insert etc..
  }

prerun callback

prerun callback

postrun callback

This module should not be seen as a panacea for all web security issues. The user should fully understand and act on all security threats his application may face, including whether this module is an adequate and useful tool.

Attribute::Handlers, Carp, CGI::Application, CGI::Application::Plugin::Session, Digest::SHA, Exporter, HTML::TokeParser, HTML::Template

Akira Horimoto <kurt0027@gmail.com>

Copyright (C) 2006 - 2008 Akira Horimoto

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

2022-06-09 perl v5.34.0