Conversation

@atm-jonathan
Contributor

@atm-jonathan atm-jonathan commented Nov 24, 2025

Instructions

When MAIN_SECURITY_CSRF_WITH_TOKEN is set to 2 or 3 (checking GET requests), the validation link fails because:
The user comes from an email, so the request is a GET.
The user is not logged in yet, so there is no active session matching the browser context initially.
The URL generated in the email cannot contain a valid CSRF token.

Fix

Added define("NOCSRFCHECK", 1); in passwordforgotten.php before including main.inc.php. This explicitly tells the main controller to bypass the generic token check for this specific script.

This change is safe because passwordforgotten.php implements its own verification mechanism later in the code. It verifies the unique and time-sensitive passworduidhash passed in the URL. The generic CSRF token is redundant and technically impossible to provide in this specific "anonymous" workflow.

@eldy
Member

eldy commented Nov 24, 2025

It is safe to disable CSRF but only when $action == 'validatenewpassword' because the check on the passworduidhash exists only for this case.
So to be more secure, I suggest to modify your fix with

if ($_GET['action'] == 'validatenewpassword') {
define("NOCSRFCHECK", 1);
}

another solution is to exclude the action code validatenewpassword from CSRF from the main.inc.php page:
by changing
if (GETPOSTISSET('massaction') || (strpos($tmpaction, 'display') !== 0 && !in_array($tmpaction, array('create', 'create2', 'createsite', 'createcard', 'edit', 'editcontract', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'reconcile', 'specimen')))) {
into
if (GETPOSTISSET('massaction') || (strpos($tmpaction, 'display') !== 0 && !in_array($tmpaction, array('create', 'create2', 'createsite', 'createcard', 'edit', 'editcontract', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'reconcile', 'specimen', 'validatenewpassword')))) {

I prefer this second solution so we keep a clear vision of all action codes that are excluded from the CSRF check.

What is strange to me is that you have the trouble with MAIN_SECURITY_CSRF_WITH_TOKEN=2 when you should have it only when MAIN_SECURITY_CSRF_WITH_TOKEN=3.
Can you paste an example of a link you have with MAIN_SECURITY_CSRF_WITH_TOKEN=2?
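The two layers discussed in this thread, as an added illustration that is not Dolibarr's own code: a reduced model of the generic CSRF gate from main.inc.php with the action-code exclusion list (second solution above), and the script-level check on passworduidhash that makes the exclusion acceptable. The function names, the stored-hash/expiry shape and the level semantics (GET inspected at level 2 and above, per the PR text) are assumptions for the example; the real main.inc.php condition also involves massaction, which is omitted here.

```php
<?php
// Added illustration, not Dolibarr's code. Only MAIN_SECURITY_CSRF_WITH_TOKEN,
// NOCSRFCHECK, passworduidhash and the action codes come from the discussion;
// every other name and the level semantics are hypothetical assumptions.

// Layer 1: the generic gate from main.inc.php, reduced to its decision.
// $level models MAIN_SECURITY_CSRF_WITH_TOKEN; $noCsrfCheck models define("NOCSRFCHECK", 1).
function csrfGateRejects(int $level, string $method, string $action, bool $tokenValid, bool $noCsrfCheck): bool
{
    if ($level === 0 || $noCsrfCheck) {
        return false;                      // check disabled globally or by the script itself
    }
    if ($method === 'GET' && $level < 2) {
        return false;                      // assumption: lower levels only inspect POST
    }
    // Action codes exempt from the token check because they verify something else
    // themselves; 'validatenewpassword' is the entry the reviewer proposes adding.
    $exempt = array('create', 'create2', 'createsite', 'createcard', 'edit', 'editcontract',
        'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview',
        'reconcile', 'specimen', 'validatenewpassword');
    if (strpos($action, 'display') === 0 || in_array($action, $exempt, true)) {
        return false;
    }
    return !$tokenValid;                   // everything else needs a valid token
}

// Layer 2: what passwordforgotten.php must still enforce for validatenewpassword.
// $storedHash and $expiresAt stand in for the stored, time-limited passworduidhash.
function validateNewPasswordLink(string $providedHash, string $storedHash, int $expiresAt, int $now): bool
{
    if ($providedHash === '' || $storedHash === '') {
        return false;                      // never accept an empty hash on either side
    }
    if ($now > $expiresAt) {
        return false;                      // the link is time-sensitive
    }
    return hash_equals($storedHash, $providedHash);  // constant-time comparison
}

// Constructed walk-through of the e-mail link: anonymous GET, no session, no token.
$level = 3;
$blocked = csrfGateRejects($level, 'GET', 'validatenewpassword', false, false);
$linkOk  = validateNewPasswordLink('constructed-hash', 'constructed-hash', time() + 3600, time());
echo $blocked ? "blocked by generic CSRF gate\n"
              : "passes gate; script's own check: " . ($linkOk ? "accepted\n" : "rejected\n");
// Any other action code on the same anonymous GET at this level is still blocked.
echo csrfGateRejects($level, 'GET', 'someotheraction', false, false) ? "other action blocked\n" : "other action passes\n";
```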

@eldy eldy added the Discussion Some questions or discussions are opened and wait answers of author or other people to be processed label Nov 24, 2025
