10.4. Step 4: Disable Users Safely

The Vulnerable module's user-disabling functionality leaves a lot to be desired. If a malicious user wanted to block every user on the site, that person could simply create a page full of images:

<img src="http://example.com/vulnerable/csrf-disable/1">
<img src="http://example.com/vulnerable/csrf-disable/2">
<img src="http://example.com/vulnerable/csrf-disable/3">
. . .
<img src="http://example.com/vulnerable/csrf-disable/1000">

Even after you strengthened the menu-access check, the intruder would only need to get a user who has the administer users permission to view that page. The browser fetches every image URL with that user's session cookie attached, and each request blocks one account. Poof: everyone would be blocked. Recovering is possible by unblocking users in bulk via the database, but it would be a time-consuming task. A better solution is to add a confirmation form to the process, so that blocking an account requires a submitted form rather than a bare GET request that a hidden image can trigger.

Here is the updated code to protect this functionality:

function unvulnerable_account_disable($uid) {
  // Menu callback: nothing is blocked here. The request is handed to a
  // confirmation form, so the change only happens on a validated POST.
  if (is_numeric($uid)) {
    return drupal_get_form('unvulnerable_user_confirm_disable', $uid);
  }
  return t('Error: no user selected to block.');
}

function unvulnerable_user_confirm_disable($form_state, $uid) {
  // A '#type' => 'value' element is never rendered to the browser; the Form
  // API carries it server side and exposes it in $form_state['values'].
  $form = array(
    'uid' => array(
      '#type' => 'value',
      '#value' => $uid,
    ),
  );
  // confirm_form() adds the question, the Confirm and Cancel buttons and the
  // hidden form_token. The third argument is the path to go to on cancel.
  return confirm_form($form, t('Are you sure you want to disable user %uid',
    array('%uid' => $uid)), '');
}

function unvulnerable_user_confirm_disable_submit($form, &$form_state) {
  // Only reached after the Form API has accepted the form token. The core
  // helper blocks the account and destroys its sessions.
  user_user_operations_block(array($form_state['values']['uid']));
}

There are several changes here. The most important one is that the page has been turned into a form that requires the user to take an action to disable the account. A GET request, which is all an <img> tag can make, now only renders the confirmation page; the account is blocked solely in the submit handler, which runs after the form has been posted and validated. Drupal provides the confirm_form function to make it easier for developers to add a small confirmation form on pages like this. In addition, Drupal's Form API inserts a hidden form_token into every form built with drupal_get_form and treats the submission as invalid if the posted token does not match, so the submit handler never runs. The token is derived from the current user's session ID, the form ID and a site-specific private key, so an attacker cannot embed a valid one in a page of their own. This defeats most CSRF attacks, with two caveats a developer should keep in mind: the protection only covers code that runs from the submit handler, not anything the page callback does on its own, and it does not help on a site that also has an XSS hole, since script running in the victim's browser can read the token out of the form and submit it.

The last change is that, instead of querying the database directly to block the user, the code now calls user_user_operations_block, a function the core User module provides specifically for blocking one or more accounts (it takes an array of user IDs). The major benefit of using this API is that it does not merely mark the account as blocked: it also destroys the user's current sessions, so someone who is already logged in cannot keep using the site until their session happens to expire. In general it is better to use the API than to touch the database directly whenever possible, because the API is more likely to handle all of the important details, like removing sessions.
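
To make the three request cases concrete, here is an added, self-contained PHP model of the fix. It is example code written for this page, not Drupal's code and not the Vulnerable module's. Two small functions stand in for the Form API: form_token(), a simplified analogue of Drupal's session-bound token (HMAC over the session ID and form ID under a site key, rather than Drupal's own construction), and block_user(), which mimics the session cleanup done by user_user_operations_block(). The user table, the session table, the session IDs, the private key and the function names are all constructed for the example.

```php
<?php
// Added example for this page: a simplified model of the confirmation-form fix.
// Not Drupal code. Tokens, helpers, users, sessions and the key are constructed.

// Constructed sample state: two active users, three live sessions (uid 2 has two).
$users    = array(1 => array('status' => 1), 2 => array('status' => 1));
$sessions = array('sess-admin' => 1, 'sess-user2-a' => 2, 'sess-user2-b' => 2);
$private_key = 'constructed-site-private-key';   // assumption: stands in for the site's private key

// Simplified analogue of a Drupal form token: bound to the session ID, the form ID
// and a site secret, so an attacker who knows neither can't forge one.
function form_token($session_id, $form_id, $private_key) {
  return hash_hmac('sha256', $session_id . '|' . $form_id, $private_key);
}

function form_token_valid($token, $session_id, $form_id, $private_key) {
  return is_string($token)
    && hash_equals(form_token($session_id, $form_id, $private_key), $token);
}

// BEFORE: any request that reaches the callback blocks the account, which is
// exactly what a page full of <img src=".../csrf-disable/N"> tags exploits.
function vulnerable_account_disable($uid, array &$users) {
  $users[$uid]['status'] = 0;
  return 'blocked ' . $uid;
}

// Stands in for user_user_operations_block(): block the account AND drop its sessions.
function block_user($uid, array &$users, array &$sessions) {
  $users[$uid]['status'] = 0;
  foreach ($sessions as $sid => $owner) {
    if ($owner == $uid) {
      unset($sessions[$sid]);
    }
  }
}

// AFTER: a GET only renders the confirmation form; a POST must carry a valid token.
function unvulnerable_account_disable($uid, array $request, $session_id, $private_key,
                                      array &$users, array &$sessions) {
  $form_id = 'unvulnerable_user_confirm_disable';
  if ($request['method'] !== 'POST') {
    // This is all an <img> tag can trigger: the form is rendered, nothing changes.
    return array('status' => 'confirm_form',
                 'form_token' => form_token($session_id, $form_id, $private_key));
  }
  $token = isset($request['form_token']) ? $request['form_token'] : NULL;
  if (!form_token_valid($token, $session_id, $form_id, $private_key)) {
    // What the Form API does on a bad token: the submit handler never runs.
    return array('status' => 'rejected');
  }
  block_user($uid, $users, $sessions);
  return array('status' => 'blocked');
}

// 0. The old callback: the img-tag GET blocks the account outright (on a copy of the table).
$before = $users;
vulnerable_account_disable(2, $before);
printf("old callback, GET: user 2 status=%d\n", $before[2]['status']);

// 1. Admin views the attacker's page: the browser issues GET /csrf-disable/2 with the admin cookie.
$r1 = unvulnerable_account_disable(2, array('method' => 'GET'), 'sess-admin', $private_key, $users, $sessions);
printf("img-tag GET: %s, user 2 status=%d\n", $r1['status'], $users[2]['status']);

// 2. Attacker forges a POST (e.g. an auto-submitting form) but cannot know the admin's token.
$r2 = unvulnerable_account_disable(2, array('method' => 'POST', 'form_token' => 'guess'),
                                   'sess-admin', $private_key, $users, $sessions);
printf("forged POST: %s, user 2 status=%d\n", $r2['status'], $users[2]['status']);

// 3. Admin really clicks Confirm: the browser posts the token it was given in step 1.
$r3 = unvulnerable_account_disable(2, array('method' => 'POST', 'form_token' => $r1['form_token']),
                                   'sess-admin', $private_key, $users, $sessions);
printf("confirmed POST: %s, user 2 status=%d, sessions left: %s\n",
       $r3['status'], $users[2]['status'], implode(',', array_keys($sessions)));
```

Run it with `php` on the command line. The old callback blocks user 2 on the first GET; the hardened callback leaves user 2 active for both the image-tag GET and the forged POST, and only the confirmed POST, carrying the token that was issued to the admin's own session, blocks the account and removes both of its sessions while leaving the admin's session intact. Drupal's real token ties the value to the session in a different way, but the property the example relies on is the same: the attacker's page cannot produce it.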
