I came across a really strange issue today and couldn't find any solution. I am using CakePHP 3 along with MySQL and Apache. Everything was working perfectly until today, but when I tried to edit one of the forum posts, it didn't save and I got a 403 Forbidden response. Following is the response I got:
Request URL: https://www.example.com/users/edit/2
Request Method: POST
Status Code: 403 Forbidden
The strange part is that it is working fine when I try to create a new forum post, as well as for the GET request when I load the edit page. But when I modify the fields and try to save, I get stuck with 403 Forbidden.
I tried every means in the last 6 hours but could not find any solution. I checked the database user for edit permissions, tried removing the .htaccess file completely, cleared browser cache and cookies, but nothing helped at all. The other websites in the hosting account are working fine and there is no issue with them.
The only notable thing I did today is that I initialized a Git repository and uploaded the project files to Git. I would really appreciate your help in solving this issue. It is really a constant headache not to be able to modify anything.
Just for future reference, I solved this issue by explicitly defining the request type as POST in the $this->Form->create function.
It was one of the strangest errors I came across while using CakePHP 3! Not sure why the default PUT method was not working. It was being converted to GET.
Huh, finally I found the culprit on my own. This is the explanation that I got; here you go:
If you are using CSRF for security in CakePHP you may find that every damn POST, GET, PUT in AJAX or a form will be filtered by CakePHP, and if no auth is found CakePHP will respond with a 403 HTTP status.
That means you have to put a CSRF token, like a bearer token, on every request so that CakePHP recognizes that request. See, if you are using an AJAX call you have to put the CSRF token in manually, as explained here: https://book.cakephp.org/3.0/en/controllers/components/csrf.html
If you created the form manually you have to put the token inside the form itself; if you create the form using the CakePHP helper you will see that CakePHP generates some hidden parameters like this one:
<form enctype="multipart/form-data" method="post" accept-charset="utf-8" action="/SFW/CMS/event/comment">
<div style="display:none;">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="_csrfToken" autocomplete="off" value="2a39630d2a1c20d43xxxx">
</div>
......
So the only option is to put those hidden fields on your manually generated form.
Good luck
If you don't care about security you can disable the middleware check in your controller:
public function beforeFilter(Event $event)
{
$this->getEventManager()->off($this->Csrf);
}
Reference:
https://book.cakephp.org/3/en/controllers/components/csrf.html
Our portal has been running on Liferay 6.2 for several years. We have many services that use HTML forms (usually written with Alloy UI in Freemarker) to allow users to submit requests. The server code is written in Java and uses the Liferay PortletRequest objects to return the submitted form data.
However, recently these forms suddenly stopped working.
Specifically: if the form includes a file for uploading, then the ActionRequest object does not return any of the form fields as parameters the way it usually does (request.getParameter(parameterName) returns null instead of the string value that the user entered into the form). If the user does not include any files then it works normally.
This doesn't seem to be an issue with the forms or the Java code, as many forms whose code has not been touched in years suddenly stopped working. What's more, this stopped working partway through a day in which we didn't make any changes to the application.
I'm struggling to understand what I'm seeing in the logs. The error messages that feel most promising look like:
Caused by: org.apache.commons.fileupload.FileUploadBase$IOFileUploadException: Processing of multipart/form-data request failed. Stream ended unexpectedly
at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:351)
at org.apache.commons.fileupload.portlet.PortletFileUpload.parseRequest(PortletFileUpload.java:109)
at org.springframework.web.portlet.multipart.CommonsPortletMultipartResolver.parseRequest(CommonsPortletMultipartResolver.java:151)
... 208 more
But I haven't been able to find anything that seems relevant. Another type of error that might be related looks like:
10:00:09,095 WARN [http-bio-8080-exec-272][FileImpl:422] Unable to extract text from Scan4.JPG
org.apache.tika.exception.TikaException: Unexpected RuntimeException from org.apache.tika.parser.jpeg.JpegParser#3e34efc2
We've been trying to track down the issue for days now, I'm desperate and out of ideas. Can anyone think of any possible reasons why files would not upload?
I've been stuck in a weird problem for a couple of days. All my web application routes are working fine except one. It has a 404 Not Found issue. So I checked:
My Routes list. It exists.
| | GET|HEAD | dashboard/profile/create | profile.create | App\Http\Controllers\Dashboard\ProfileController#create | web
URI in Routes list & Request URL in search box match.
Request URL: http://localhost/CMSsk/CMS/public/dashboard/profile/create
Checked my blade Layout. No Problems.
<i class="fas fa-briefcase fa-2x mr-2"></i>Add Credentials
Checked Controller. It exists.
public function create()
{
$user = Auth::user();
return view('Dashboard.Profile.profile-create',compact('user'));
}
Checked Apache2 Rewrite module (Enabled) & Override ALL.
Used PHPUnit & Chrome Browser devtools to check network, console, Application Cookies, storage. Can't find any issues other than 404.
Used PHPUnit testing and XDebug, dd() to trace the problem. The code doesn't reach the Controller method.
Checked ALL possible Stack Overflow issues. Did not solve the problem.
Cleared browser Cache.
Did:
php artisan route:cache
Q: What are other possible issues that I might not have checked to solve this simple yet complicated issue?
Note: I referenced the form page from another page which has a Social Media Sharing 3rd party plugin installed (AddThis). Hence I tried other form pages & other links from there and it works. So I'm confused why only one page has the issue (I thought the plugin may have had an effect).
Update:
I found the solution, but I wanted to share how I did it so that anyone who stumbles upon this scenario finds some help. So here it goes:
Solution:
I created a Route group first which had the prefix named profile. It had 19 routes. Immediately after that I created a Resource Route which had its name prefix. So the two identical names had a conflict, for which I was not getting the page.
How I figured out:
I almost ran out of all possible solutions. So I started Manually testing the routes just to figure out if there's a pattern developing. I know it's not the most effective way but I wanted to figure out a pattern that's why I did it. After testing the Route group prefix named profile I figured out that all routes inside this group are NOT working from where I called it. Then I tested Routes outside that group from that specific blade view and it was working. So I changed the name of the Resource Route just to make it distinct from the Route group prefix. And it worked!
I am using Contact Form 7 version 4.9.
When I try to submit the form, a POST request is sent to this endpoint:
/wp-json/contact-form-7/v1/contact-forms/<form id>/feedback
But it gets 301 Moved Permanently and a GET request is sent to the endpoint /wp-json/contact-form-7/v1/contact-forms/<form id>/feedback again.
As a result, I get this response {"code":"rest_no_route","message":"No route was found matching the URL and request method","data":{"status":404}} and the form is not submitted.
The form works correctly on my local machine but errors on the server.
Does anyone have ideas?
Thanks in advance for your help.
I have a solution, tested and working for me.
Please downgrade to version 7.4.7 https://downloads.wordpress.org/plugin/contact-form-7.4.7.zip and it will work well.
I have a similar issue and solved it when I noticed the WordPress install did not have a .htaccess file. I created a default .htaccess file and this fixed my contact form.
I am learning about protecting a website from unauthorized access and I have come across anti-forgery. Here is my thought (and the problem I have with it). Please correct me if I am wrong.
Anti-forgery in ASP.NET MVC applications is handled (there might be many other ways, but this one is quite common) by inserting @Html.AntiForgeryToken() into the form that is present on a webpage.
This token is afterwards used once the user tries to POST the data to the system, where if we decorate our IActionResult or JsonResult method with the [ValidateAntiForgeryToken] attribute, it checks whether the key matches the expected result. Here is an example of what I mean by decoration:
[Route("")]
[HttpPost("")]
[ValidateAntiForgeryToken]
public JsonResult UpdateRecords([FromBody]CustomRequest request)
{
    if (ModelState.IsValid)
    {
        //...do some logic here
    }
    return Json(new { success = ModelState.IsValid });
}
The reason why websites use anti-forgery keys is that we do not want to allow unauthorized access to our business objects such as databases. The problem is that if a website uses cookie authentication, which is stored in a local cache, hackers can easily retrieve this stored value and use it when posting data to our website. Due to that, we implement another level of protection by inserting a special (unique) key into the webpage, which is checked upon posting the data. If the key does not match, then the whole posting procedure fails.
Here is the thing I do not understand. Let's say that we have implemented our anti-forgery on a super simple form on our webpage like this:
<form method="post" ng-submit="addItem()" id="main-form">
    @Html.AntiForgeryToken()
    <input placeholder="Add New Item" ng-model="newItem" id="new-item" />
</form>
I know it does nothing, but let's imagine that by clicking the input button the user tries to post some data to the database. If we inspect the webpage, we will suddenly see that this is what the generated HTML code looks like:
<form class="ng-pristine ng-valid" method="post" ng-submit="addItem()" id="main-form">
<input name="__RequestVerificationToken" value="CfDJ8Ig8dRjRrw9FjKYv6kYaxVu7APOddjpVxQ3ZxGaamjVzV03eQEG7tgRe5q2uXJkKkbUf4RqzRCtJ1DGMK5C-ymroTBe_J9XQ-...(more text here )" type="hidden">
<input class="ng-pristine ng-valid ng-touched" placeholder="Add New Item" ng-model="newItem" id="new-item">
</form>
Now here, what I (and a potential hacker) can see is the special anti-forgery key we have just talked about. How come this key is visible to anyone using the website? What I understand from this is that we are basically serving our code to the hacker and he can now easily use it when posting to the database in order to authenticate himself; or am I wrong?
I am quite confused at the moment and therefore any help / info or recommendation regarding this matter would be more than appreciated.
The token is there to prevent people from falsifying form requests. It's also regenerated each time it's required - at least per-user and probably per-request (I am not sure on this last point). This means the attacker can't just copy their own token, or make it up; they would have to take it from the user's page, and if they can do that then they probably have enough information to bypass the token anyway.
An attacker could craft a form on another website with some values and point it at a page on your website. If the admin submits this form (unwittingly through JavaScript, for example) then they have effectively just performed that action with their privileges and with the values specified by the attacker. This is bad; with sufficient knowledge you could trick someone into deleting an account, posting something obscene, etc.
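The check that both the CakePHP answer (hidden _csrfToken field, or the token sent manually with AJAX) and this anti-forgery answer describe, as an added example that is not code from CakePHP, ASP.NET or any of the posts above. The token is bound to the user's session on the server and must come back either in the hidden `_csrfToken` form field or in an `X-CSRF-Token` header; the session ids, the `Request` type and the `check_csrf` function are assumptions made for the example. CakePHP 3's CsrfComponent compares the field or header against a `csrfToken` cookie rather than a server-side session, but the shape of the check is the same. The last function shows why a token visible in the page's own HTML is still useful: a page on another origin cannot read it, so the forged request can only carry a token from some other session, and the server answers 403.

```python
"""Minimal synchronizer-token CSRF check (added example, not framework code)."""
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Server-side store of one CSRF token per session id (constructed for the example).
SESSIONS: dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Create the token for a session on first use; later calls return the same one."""
    return SESSIONS.setdefault(session_id, secrets.token_urlsafe(32))


def render_form(session_id: str, action: str) -> str:
    """Render a form with the hidden token field, as the CakePHP form helper does."""
    token = issue_token(session_id)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="_csrfToken" value="{token}">'
        '<input name="title"></form>'
    )


@dataclass
class Request:
    """The parts of an HTTP request the check needs (hypothetical, not a framework type)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def check_csrf(req: Request) -> int:
    """Return 200 when the request may proceed, 403 when the token check fails."""
    if req.method in SAFE_METHODS:
        return 200  # read-only requests are not checked, matching the posts' behaviour
    expected = SESSIONS.get(req.cookies.get("session", ""))
    if expected is None:
        return 403  # no session cookie, or no token was ever issued for that session
    supplied = req.form.get("_csrfToken") or req.headers.get("X-CSRF-Token")
    if not supplied or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403  # missing or mismatching token; constant-time comparison
    return 200


def token_from_html(html: str) -> str:
    """What the legitimate page's own form or JavaScript can read: the token field."""
    match = re.search(r'name="_csrfToken" value="([^"]+)"', html)
    return match.group(1) if match else ""


def legitimate_submission() -> int:
    """The victim's browser posts the form the site rendered for the victim's session."""
    html = render_form("victim-session", "/users/edit/2")
    req = Request("POST", cookies={"session": "victim-session"},
                  form={"title": "edited", "_csrfToken": token_from_html(html)})
    return check_csrf(req)


def ajax_submission() -> int:
    """Same session, but the token travels in the header instead of the form body."""
    html = render_form("victim-session", "/users/edit/2")
    req = Request("POST", cookies={"session": "victim-session"},
                  headers={"X-CSRF-Token": token_from_html(html)})
    return check_csrf(req)


def cross_site_forgery() -> int:
    """A form on another origin auto-submitted by the victim's browser.

    The browser attaches the victim's session cookie, but the other origin cannot
    read the victim's page, so the only token it can include is one issued for
    a different session, which does not match the victim's.
    """
    render_form("victim-session", "/users/edit/2")  # victim already has a token
    other_token = token_from_html(render_form("other-session", "/users/edit/2"))
    req = Request("POST", cookies={"session": "victim-session"},
                  form={"title": "forged", "_csrfToken": other_token})
    return check_csrf(req)


if __name__ == "__main__":
    print("legitimate form:", legitimate_submission())  # 200
    print("ajax with header:", ajax_submission())       # 200
    print("cross-site form:", cross_site_forgery())     # 403
```

The 403 in the last case is exactly what the CakePHP poster saw: a POST that reached the controller without a token the server could match. The fix on the page (adding the hidden fields to a hand-written form, or sending the header from AJAX) corresponds to the first two functions.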
Consider:
<form action="?login" method="post"> <button>Login with Google</button> </form>
I usually see the action refer to a PHP or HTML file, but the "?login" stumps me.
Background information:
This is buried within the example-google.php file from lightopenid framework. I've been staring at the OpenID code to use Google as a third-party OpenID provider for user login on my web site and the sample code all works.
I am trying to get a clearer picture of what the framework is doing when the user presses the login button. I know that we must be sending a bunch of arguments to Google on this button action, but the ?login doesn’t seem to point anywhere.
http://gitorious.org/lightopenid
A question mark denotes the query string.
It will post to the current URL with a query string parameter of login. I am not sure how you are processing the request after you click submit (post the form), but usually it would have a value assigned to it as in login=value.
It means:
http://whatever/the-current-page-url-is?login (where "login" is the query string).
It is a relative-URI notation, similar to <img src="foo.jpg"> -- note the rest of the URI was not specified explicitly.
Happy coding
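How the browser turns an action of "?login" into an absolute URL, as an added example that is not code from the lightopenid project. It uses Python's standard urljoin, which follows the same relative-reference rules a browser applies; the page URL and the `resolve_action` and `query_params` helpers are assumptions made for the example.

```python
"""Resolving a form action such as "?login" against the current page URL (added example)."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed page URL for the example; assumed, not taken from the original posts.
PAGE_URL = "http://whatever/examples/example-google.php?step=1"


def resolve_action(action: str, page_url: str = PAGE_URL) -> str:
    """Return the absolute URL a form with this action posts to when submitted from page_url."""
    return urljoin(page_url, action)


def query_params(url: str) -> dict:
    """Parse the query string; keep_blank_values keeps value-less keys such as 'login'."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def show_resolution() -> dict:
    """Map a few typical action values to the URL each resolves to from PAGE_URL."""
    return {action: resolve_action(action)
            for action in ("?login", "foo.jpg", "/auth/login.php", "")}


if __name__ == "__main__":
    for action, target in show_resolution().items():
        print(f"action={action!r:18} -> {target}")
    # The query string of the resolved "?login" URL carries a 'login' key with no value.
    print(query_params(resolve_action("?login")))
```

A query-only reference replaces the page's own query string and keeps its path, so "?login" posts back to the same script with the query "login"; a bare file name such as "foo.jpg" resolves relative to the page's directory, and an empty action resolves to the page's full URL including its existing query. Server-side code therefore only needs to test for the presence of the key (in PHP, isset($_GET['login'])) rather than for a value.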