Remove CSRF protection from username/password login and from OpenID login.

2010-09-05 17:35:43 -04:00 · 2010-09-05 17:35:43 -04:00 · 3dd734b2c3
commit 3dd734b2c3
parent 86a702953a
2 changed files with 1 additions and 28 deletions
--- a/actions/login.php
+++ b/actions/login.php
@ -118,27 +118,10 @@ class LoginAction extends Action
     * @return void
     */

-    function checkLogin($user_id=null, $token=null)
+    function checkLogin($user_id=null)
    {
        // XXX: login throttle

-        // CSRF protection - token set in NoticeForm
-        $token = $this->trimmed('token');
-        if (!$token || $token != common_session_token()) {
-	    $st = common_session_token();
-	    if (empty($token)) {
-		common_log(LOG_WARNING, 'No token provided by client.');
-	    } else if (empty($st)) {
-		common_log(LOG_WARNING, 'No session token stored.');
-	    } else {
-		common_log(LOG_WARNING, 'Token = ' . $token . ' and session token = ' . $st);
-	    }
-
-            $this->clientError(_('There was a problem with your session token. '.
-                                 'Try again, please.'));
-            return;
-        }
-
        $nickname = $this->trimmed('nickname');
        $password = $this->arg('password');

@ -261,7 +244,6 @@ class LoginAction extends Action
        $this->elementEnd('li');
        $this->elementEnd('ul');
        $this->submit('submit', _('Login'));
-        $this->hidden('token', common_session_token());
        $this->elementEnd('fieldset');
        $this->elementEnd('form');
        $this->elementStart('p');
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@ -42,14 +42,6 @@ class OpenidloginAction extends Action

            oid_assert_allowed($openid_url);

-            # CSRF protection
-            $token = $this->trimmed('token');
-            if (!$token || $token != common_session_token()) {
-                // TRANS: Message given when there is a problem with the user's session token.
-                $this->showForm(_m('There was a problem with your session token. Try again, please.'), $openid_url);
-                return;
-            }
-
            $rememberme = $this->boolean('rememberme');

            common_ensure_session();
@ -136,7 +128,6 @@ class OpenidloginAction extends Action
        $this->elementStart('fieldset');
        // TRANS: OpenID plugin logon form legend.
        $this->element('legend', null, _m('OpenID login'));
-        $this->hidden('token', common_session_token());

        $this->elementStart('ul', 'form_data');
        $this->elementStart('li');