Project

General

Profile

Actions

Anomalie #1720

open

CSRF check fails on system error

Added by Guillaume AGNIERAY 6 months ago. Updated 6 months ago.

Status:
Nouveau
Priority:
Bas
Category:
Core
Target version:
-
Start date:
10/10/2023
Due date:
% Done:

0%

Estimated time:
Version utilisée:

Description

Message : Échec de la vérification CSRF !
Fichier : /var/www/galette/galette/includes/dependencies.php
Ligne : 459

#0 /var/www/galette/galette/vendor/slim/csrf/src/Guard.php(497): {closure}()
#1 /var/www/galette/galette/vendor/slim/csrf/src/Guard.php(458): Slim\Csrf\Guard->handleFailure()
#2 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Csrf\Guard->process()
#3 /var/www/galette/galette/lib/Galette/Middleware/Language.php(86): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#4 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(168): Galette\Middleware\Language->_invoke()
#5 /var/www/galette/galette/lib/Galette/Middleware/Telemetry.php(86): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#6 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(168): Galette\Middleware\Telemetry->
_invoke()
#7 /var/www/galette/galette/includes/main.inc.php(212): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#8 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(269): Closure->{closure}()
#9 /var/www/galette/galette/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php(45): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#10 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\RoutingMiddleware->process()
#11 /var/www/galette/galette/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(76): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#12 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\ErrorMiddleware->process()
#13 /var/www/galette/galette/vendor/slim/twig-view/src/TwigMiddleware.php(115): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#14 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Views\TwigMiddleware->process()
#15 /var/www/galette/galette/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#16 /var/www/galette/galette/vendor/slim/slim/Slim/App.php(199): Slim\MiddlewareDispatcher->handle()
#17 /var/www/galette/galette/vendor/slim/slim/Slim/App.php(183): Slim\App->handle()
#18 /var/www/galette/galette/includes/main.inc.php(244): Slim\App->run()
#19 /var/www/galette/galette/webroot/index.php(57): require_once('...')
#20 {main}

Actions #1

Updated by Johan Cwiklinski 6 months ago

  • Category changed from Files generation to Core
  • Assignee set to Johan Cwiklinski

I confirm I can reproduce using drag& drop on your "crop branch" (d&d on demo does not work).

It strange because error on exceeded size is displayed with 3.9Mio file; and I get the CSRF error with a 7.4Mio one... I'll take a look.

Actions #2

Updated by Johan Cwiklinski 6 months ago

  • Priority changed from Normal to Bas

I absolutely do not understand what is happening here... Event this is a PHP or a Slim framework behavior; but with very large images, nothing is sent back with ajax request when it's sent to CSRF check middleware: request body is entirely empty.

I was about to send a message on Slim support; but it's quite hard to explain, and they'll ask for a reproducible case. Also, I'm not 100% sure this is a Slim, a CSRF guard or a Galette issue...

The UI display a message indicating image upload has failed; it's probably enough most of the time, and wa also can adapt the message with something like "maybe your image is too heavy".

Anyway, I've changed priority, we can see that later.

Actions #3

Updated by Johan Cwiklinski 6 months ago

  • Subject changed from CSRF check fails when uploading big files to CSRF check fails on system error

In facts, a warning is displayed in PHP system logs, because the post_max_size limit has been reached. I've not been able to catch it Galette side:

PHP Warning:  PHP Request Startup: POST Content-Length of 10349468 bytes exceeds the limit of 8388608 bytes in Unknown on line 0

It seems like the same issue appears when the max_input_vars limit is reached; we only see a CSRF issue; because in those case the POST request is empty (and therefore does not contains the valid CSRF).
It also seems this appears on ajax requests; not on regular ones (I'm not sure for max_input_vars but I am for post_max_size

Actions

Also available in: Atom PDF