Cross-Site Request Forgery

As I am developing a theme for OJS3 for public use, I would like to know more about the {csrf} function inside Smarty, which is assigned inside the PKPTemplateManager class through the register function.
It is used, for example, here:

So, in order to prevent these attacks, I must also put this function inside forms? And it is unsafe not to do so?

Hi @Vitaliy,

Consider a social engineering attack where one of your editors is tricked into viewing an attacker’s webpage. (A common example is an emailed HTML form or an emailed link to an attacker’s webpage.) It would be easy for the attacker to construct an HTML form that POSTed directly to OJS, e.g. deleting a journal, as they would just need to construct the target URL and journal ID. If they could trick the editor into POSTing that form through their browser, OJS would accept the POST because it would have all the right data and the editor’s browser would have a valid session.

CSRF checks help prevent this kind of attack by adding a secret piece of data that must match OJS’s expectations. The {csrf} Smarty function adds this to the form.

If you need {csrf} to be in your Smarty code but forget it, when you attempt to POST the form, you’ll get a message like “The form was not sent correctly.”

Regards,
Alec Smecher
Public Knowledge Project Team

2 Likes
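The mechanism Alec describes (a session-bound secret that the form must echo back, checked before any state change) is shown below as a stand-alone PHP page. This is an added illustration, not OJS or PKP code: it does not call any OJS API, the hidden field name `csrfToken` and the helper names `csrf_token`, `csrf_field` and `csrf_is_valid` are this example's own choices, and the only thing it borrows from the thread is the rejection message.

```php
<?php
// Added illustration of the CSRF-token pattern discussed above. This is NOT
// OJS/PKP code and uses no OJS API; it is a minimal stand-alone PHP page
// showing the idea: a random secret stored in the user's session must be
// echoed back by the submitted form, otherwise the POST is rejected.

declare(strict_types=1);

session_start();

/**
 * Return the CSRF token for this session, creating it on first use.
 * The value is random and lives only in the server-side session, so a page
 * on another origin cannot know it when it builds a forged form.
 */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Emit the hidden input a template adds to every state-changing form.
 * This is the role the {csrf} Smarty function plays in OJS templates;
 * the field name "csrfToken" is an assumption of this example.
 */
function csrf_field(): string
{
    return '<input type="hidden" name="csrfToken" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate the token submitted with a POST. hash_equals() compares in
 * constant time, so timing does not leak where the strings first differ.
 */
function csrf_is_valid(mixed $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_is_valid($_POST['csrfToken'] ?? null)) {
        // A cross-site POST lands here: the browser attaches the victim's
        // session cookie automatically, but the forged form cannot carry
        // the session-bound token, so the request is refused.
        http_response_code(403);
        exit('The form was not sent correctly.');
    }
    // Only after the check passes may the handler change state
    // (e.g. perform the delete the form asked for).
    echo 'Action accepted.';
    exit;
}
?>
<!-- Hypothetical form for the example; a theme would render this via its template. -->
<form method="post" action="">
  <?= csrf_field() ?>
  <button type="submit">Delete item</button>
</form>
```

Omitting `csrf_field()` from the form reproduces the failure mode described above: the browser still sends the session cookie, but the POST arrives without a token and is rejected with the 403 and the "form was not sent correctly" message. The check must run before any state change, and the token is compared with `hash_equals()` rather than `==`.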

How can I implement CSRF on OJS 2.4.8-3?

Hi @yendrycl,

You could review the code that was added to OJS 3.0 originally – that’s over in [OJS] GET used for changing state of the system · Issue #1131 · pkp/pkp-lib · GitHub. However, this will not apply directly to OJS 2.x and adapting it will be a lot of work. I’d strongly suggest investing the effort into upgrading to OJS 3.x instead.

Regards,
Alec Smecher
Public Knowledge Project Team

1 Like