CRM-15247 - CRM_Contact_Page_AJAX::checkUserName - Require a token before checking...
author    Tim Otten <totten@civicrm.org>
          Sat, 6 Sep 2014 06:11:23 +0000 (23:11 -0700)
committer Tim Otten <totten@civicrm.org>
          Sat, 6 Sep 2014 07:06:23 +0000 (00:06 -0700)
commit    272081ca255b523b753cf3542cbb981198eb2a72
tree      85b2a995749bcd16f19da74d469c5eec28a0a2ef
parent    8c0ea1d7e8bdddcd0e10acfa6c444551fdb6c0f8
CRM-15247 - CRM_Contact_Page_AJAX::checkUserName - Require a token before checking username

The use-case for this function: when a new constituent signs up for a user
account, we give advice on whether the username is available.

Unfortunately, attackers can use that functionality to scan the list of
usernames.  There's no protection from a motivated attacker (except to
disable new signups).

This patch aims to mitigate the problem in two ways:
 - For sites which don't allow user signups, the scanning won't work (because
   attackers can't obtain a token).
 - For sites which do allow signups, scanning requires more work
   (to obtain & refresh tokens).

CRM/Contact/Page/AJAX.php
CRM/Core/Smarty/plugins/function.crmSigner.php [new file with mode: 0644]
templates/CRM/common/checkUsernameAvailable.tpl
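The mitigation described in the commit message, as an added, self-contained PHP example. This is not CiviCRM's code and not the contents of the files listed above; the class name `SignupTokenGuard`, the secret, the purpose string, the 300-second lifetime and the `checkUserName` handler below are all assumptions made for illustration. The point it shows is the one the message makes: the availability check answers only when it is handed a token that the signup page obtained, a site that does not offer signups never issues one, and a token that has aged out forces a scanner to go back and fetch a fresh one.

```php
<?php
// Added example (not CiviCRM's code): an HMAC-signed, time-limited token that a
// username-availability endpoint requires before answering.  All names here
// (SignupTokenGuard, SITE_SECRET, PURPOSE, MAX_AGE, checkUserName) are hypothetical.
declare(strict_types=1);

final class SignupTokenGuard
{
    // Hypothetical per-site secret; a real site loads it from config, never hard-codes it.
    private const SITE_SECRET = 'example-site-secret-do-not-use';
    private const PURPOSE     = 'checkUserName';
    private const MAX_AGE     = 300; // seconds; the signup page re-requests a token after this

    /** Issue a token only when self-service signups are enabled; otherwise there is nothing to scan with. */
    public static function issue(bool $signupsAllowed, int $now): ?string
    {
        if (!$signupsAllowed) {
            return null;
        }
        return $now . ':' . self::mac((string) $now);
    }

    /** Validate format, freshness and MAC; the MAC comparison is constant-time. */
    public static function verify(?string $token, int $now): bool
    {
        if ($token === null || !preg_match('/^(\d{1,12}):([0-9a-f]{64})$/', $token, $m)) {
            return false;
        }
        $issued = (int) $m[1];
        if ($issued > $now || $now - $issued > self::MAX_AGE) {
            return false; // stale or clock-skewed token: the client must refresh
        }
        return hash_equals(self::mac($m[1]), $m[2]);
    }

    private static function mac(string $ts): string
    {
        // Bind the purpose so a token signed for some other action cannot be replayed here.
        return hash_hmac('sha256', self::PURPOSE . '|' . $ts, self::SITE_SECRET);
    }
}

/** Sample endpoint; the constructed $takenNames array stands in for the user table. */
function checkUserName(array $request, array $takenNames, int $now): array
{
    if (!SignupTokenGuard::verify($request['token'] ?? null, $now)) {
        // One identical response for missing, forged and expired tokens, so the
        // rejection itself reveals nothing about the requested name.
        return ['error' => 'invalid or expired token'];
    }
    $name = strtolower(trim((string) ($request['cms_name'] ?? '')));
    if ($name === '') {
        return ['error' => 'empty username'];
    }
    return ['available' => !in_array($name, $takenNames, true)];
}

// Demo with constructed data.
$taken = ['admin', 'jsmith'];
$now   = 1409990000;

// Site without signups: no token is ever issued, so a scan gets only errors.
var_dump(SignupTokenGuard::issue(false, $now));                                   // NULL
var_dump(checkUserName(['cms_name' => 'admin'], $taken, $now));                   // error

// Site with signups: the signup page embeds a fresh token and the check answers.
$tok = SignupTokenGuard::issue(true, $now);
var_dump(checkUserName(['cms_name' => 'admin', 'token' => $tok], $taken, $now + 10)); // available => false

// A scanner still holding that token five minutes later is cut off and must refresh.
var_dump(checkUserName(['cms_name' => 'zoe', 'token' => $tok], $taken, $now + 900)); // error

// A forged MAC with a valid-looking timestamp is rejected.
var_dump(SignupTokenGuard::verify($now . ':' . str_repeat('0', 64), $now));        // bool(false)
```

Run it with `php example.php`. Note what the scheme does and does not buy, exactly as the commit message says: on a site with signups open, the token only raises the cost of enumeration (an attacker can script the fetch-and-refresh loop); it does not close the oracle. Binding the token to a session and rate-limiting the endpoint would tighten it further, but neither is part of this patch.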