Project

General

Profile

Actions

Patch #20203

closed

The test email action should use POST only (CSRF protection)

Added by Holger Just over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow it to send a large amount of test emails to this user. This is possible with a simple img tag like this:

<img src="http://redmine.org/admin/test_email" />

The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.


Files

Actions

Also available in: Atom PDF