bmarsh9/gapps

Security Issue: Implement CSRF tokens on profile updates

Opened this issue · 3 comments

There's a security problem on gapps related to CSRF (Cross-Site Request Forgery) tokens, particularly when updating user profiles. Currently, if a user is logged in, their password can be changed without their permission with just one click. This happens because of not using CSRF tokens, which are special codes meant to make sure that the person making changes on the website is the actual user and not someone else trying to interfere. Without these tokens, there's a risk that an outsider could trick a user into clicking a link or a button that would unknowingly change their password or make other unwanted changes to their profile. It's important to fix this to keep users' accounts safe.
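The synchronizer-token check the issue asks for, as an added example (not gapps code): the unprotected handler beside a hardened one, using plain dicts in place of Flask's `session` and `request.form`, and a constructed user record.

```python
import hmac
import secrets

# Added illustration, not gapps code. `session` stands in for Flask's server-side
# session and `form` for request.form; the user table is a constructed dict.

def issue_csrf_token(session):
    """Create a per-session CSRF token; the profile template embeds it as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_valid(session, form):
    """True only if the submitted token matches the session's token (constant-time compare)."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())

def update_password_unprotected(session, form, users):
    """The flaw described in the issue: any cross-site POST from a logged-in browser succeeds."""
    users[session["user"]]["password"] = form["new_password"]
    return 200

def update_password_protected(session, form, users):
    """Hardened handler: refuse the change unless the request carries the session's token."""
    if not csrf_valid(session, form):
        return 403
    users[session["user"]]["password"] = form["new_password"]
    return 200

def demo():
    users = {"alice": {"password": "original"}}  # constructed sample account
    session = {"user": "alice"}                   # alice is logged in
    token = issue_csrf_token(session)
    # A forged cross-site form post: the browser attaches alice's session cookie,
    # but the attacker's page cannot read her token, so the field is absent.
    forged = {"new_password": "attacker-chosen"}
    legit = {"new_password": "alice-chosen", "csrf_token": token}
    unprotected_status = update_password_unprotected(session, forged, users)
    after_unprotected = users["alice"]["password"]
    users["alice"]["password"] = "original"       # reset before the hardened run
    forged_status = update_password_protected(session, forged, users)
    after_forged = users["alice"]["password"]
    legit_status = update_password_protected(session, legit, users)
    after_legit = users["alice"]["password"]
    return (unprotected_status, after_unprotected, forged_status, after_forged, legit_status, after_legit)

if __name__ == "__main__":
    print(demo())  # (200, 'attacker-chosen', 403, 'original', 200, 'alice-chosen')
```

In a real Flask app the same check is applied to every state-changing request by Flask-WTF's `CSRFProtect` extension rather than hand-written per view.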

@V35HR4J, there are a lot more security issues within gapps, I have reported 11 of them, but there hasn't been any notice or update since June 2023.

@manuel-sommer XSS issues have likely been resolved with other updates. Open a PR in the future.

@V35HR4J Please open a pull request.

As a notice, this is an open-source project and I'm the only maintainer. It provides little value to highlight issues and never open PRs. I encourage you both to open a PR to fix the issue. In the README, it explains the project is still in Beta and should not be used in production.

Eventually I will get around to it, but there's no guarantee. That's why you both should open a PR to fix the issue.

@bmarsh9, I tried to resolve these issues, but I am not familiar enough with Flask. However, if you give me a guide in this regard, I can help with PRs. Furthermore, I can retest my findings.