Post by straightlight » Thu Feb 15, 2018 5:52 am

The XML file may have been removed due to the amount of installed extensions by merchants that were interfering with the CSRF extension. By posting each inquiry about the CSRF protection form on this topic, at least I can identify each issue that needs to be resolved eventually and from which end-side this issue is actually happening.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by straightlight » Thu Feb 15, 2018 9:40 am

Alright folks. Tonight (my end) I have re-worked the CSRF protection form extension and I just finished testing it by creating a new helper file. So far, everything runs successfully without the need to do a single manual operation. The CSRF hidden input type appears from the source as expected automatically without overriding any core files. Tomorrow, I will be publishing a new OCMod release for v2.x and v3.x releases.

The only hope you'd need to have is that, when the install.xml file from the OCMod tracks its only needed line, this line is not already in use by other extensions. No worries, your store won't be broken but you will simply have to make minor adjustments to the install.xml file.

In addition, I have tested this with TWIG files compared to TPL files, it makes no difference; the CSRF hidden input field still appears from the view source to protect the store.


Post by davidbfranks » Thu Feb 15, 2018 10:32 pm

straightlight wrote:
Thu Feb 15, 2018 9:40 am
Alright folks. Tonight (my end) I have re-worked the CSRF protection form extension and I just finished testing it by creating a new helper file. So far, everything runs successfully without the need to do a single manual operation. The CSRF hidden input type appears from the source as expected automatically without overriding any core files. Tomorrow, I will be publishing a new OCMod release for v2.x and v3.x releases.

The only hope you'd need to have is that, when the install.xml file from the OCMod tracks its only needed line, this line is not already in use by other extensions. No worries, your store won't be broken but you will simply have to make minor adjustments to the install.xml file.

In addition, I have tested this with TWIG files compared to TPL files, it makes no difference; the CSRF hidden input field still appears from the view source to protect the store.
Will you also post an updated 1.5.6.4 version?

Thanks

Active Member

Posts

Joined
Mon Mar 04, 2013 10:31 pm
Location - London

Post by straightlight » Fri Feb 16, 2018 5:53 am

v1.5x releases remain manual. Automated CSRF protection tokens will be supported starting from v2.x releases.


Post by straightlight » Fri Feb 16, 2018 8:27 am

As promised:
[15-02-2018] - CSRF for OC v2.x and v3.x releases

The day has finally arrived. The CSRF protection form extension is now protecting all of the Opencart HTML forms that involve posting information to the store. Simply use VQMod and VQMod Manager to compare the lines at your discretion to the targeted file. Only new files, no core files overwritten. Not a single CSRF attacker / flooder will be able to submit bot scripts to auto-register customer / affiliate accounts from now on.
Check it out on the Marketplace for the new version of the CSRF Protection form. For v1.5x users, it has not been tested but the VQMod XML file can be modified by searching for the right lines in the same targeted files. Using VQMod Manager would still be a good suggestion to avoid confusing your other installed extensions.


Post by paradoxx » Sat Feb 17, 2018 3:22 am

Hi,

I downloaded the file but I can't find any readme inside. I would like to know if OC 1.5.5.1 is supported.

New member

Posts

Joined
Sun Jun 30, 2013 5:56 am

Post by paradoxx » Sat Feb 17, 2018 3:26 am

Now I see that you posted an update. I just downloaded the file a couple of days ago and some OC 1x versions were still included.


Post by straightlight » Sat Feb 17, 2018 6:40 am

In the provided XML file, simply replace the search line with your preferred line to look for in your admin/controller/common/header.php file and your catalog/controller/common/header.php file for v1.5x releases. This is the same process as the v2.x releases and v3.x releases in this case.


Post by huubert2 » Sat Feb 17, 2018 10:02 pm

I seem to have an issue with the updated extension.
It works fine on the admin side - code is loaded into the header and hidden input appears in source.
Does not work in the front though. vq2-catalog_controller_common_header.php in vqcache shows that the xml seems to have done its job fine (just like with the admin):

		$data['currency'] = $this->load->controller('common/currency');
 
			$this->load->helper('csrf_helper');
			
			csrf_start();
			
		$data['search'] = $this->load->controller('common/search');
But the hidden input does not appear anywhere in the front. I have tried to troubleshoot it for a few hours but no luck so far. Nothing in the logs either.

OC 2.1.0.2.

Any help would be appreciated.

Newbie

Posts

Joined
Sat Feb 17, 2018 9:52 pm
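
The check the posters here do by hand (viewing the page source and looking for the hidden input on each form) can be scripted. This is an added example, not part of the thread or of the extension; the field name `csrf_token` is an assumption, since the thread never states the real name, and the two sample pages are constructed.

```python
from html.parser import HTMLParser

# Assumption: the hidden field is named "csrf_token". The thread never gives the
# real name, so pass the one you see in the admin page source.
TOKEN_FIELD = "csrf_token"

class FormAudit(HTMLParser):
    """Collect every POST form and whether it carries a non-empty hidden token."""

    def __init__(self, token_field=TOKEN_FIELD):
        super().__init__()
        self.token_field = token_field
        self.forms = []      # one dict per POST form, in document order
        self._open = None    # the POST form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # Only forms that post data need the token; GET search forms do not.
            if a.get("method", "get").strip().lower() == "post":
                self._open = {"action": a.get("action", ""), "has_token": False}
                self.forms.append(self._open)
            else:
                self._open = None
        elif tag == "input" and self._open is not None:
            if (a.get("type", "").lower() == "hidden"
                    and a.get("name") == self.token_field
                    and a.get("value", "").strip()):
                self._open["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def unprotected_forms(html, token_field=TOKEN_FIELD):
    """Return the action of every POST form that lacks the hidden token."""
    audit = FormAudit(token_field)
    audit.feed(html)
    return [f["action"] for f in audit.forms if not f["has_token"]]

# Constructed sample pages, standing in for saved "view source" output.
ADMIN_PAGE = '''<form action="index.php?route=common/login" method="post">
<input type="hidden" name="csrf_token" value="9f2c"><input name="username"></form>'''
FRONT_PAGE = '''<form action="index.php?route=account/register" method="POST">
<input type="text" name="email"></form>
<form action="index.php?route=product/search" method="get"><input name="search"></form>'''

if __name__ == "__main__":
    for name, page in (("admin", ADMIN_PAGE), ("front", FRONT_PAGE)):
        print(name, unprotected_forms(page))
```

An empty list means every POST form on that page carries the field; any action listed is a form the modification did not reach.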

Post by wektech » Mon Feb 19, 2018 1:58 am

I too see it working on admin but not customer side. Do I need to modify my template files?

Newbie

Posts

Joined
Thu Aug 27, 2015 1:01 am

Post by straightlight » Mon Feb 19, 2018 2:17 am

No, you may simply need to modify the XML file where the catalog/controller/common/header.php file looks for its line. To ensure proper tracking without conflict, I would suggest using the VQMod Manager from the marketplace. Either an invalid line, from your store, is being looked for or the line does exist but may conflict with the search for another extension. VQMod Manager will notify you on its monitor.


Post by huubert2 » Mon Feb 19, 2018 2:42 am

straightlight wrote:
Mon Feb 19, 2018 2:17 am
No, you may simply need to modify the XML file where the catalog/controller/common/header.php file looks for its line. To ensure proper tracking without conflict, I would suggest using the VQMod Manager from the marketplace. Either an invalid line, from your store, is being looked for or the line does exist but may conflict with the search for another extension. VQMod Manager will notify you on its monitor.
Thanks for the reply.
In my case the VQMod Manager does not display anything, neither does the error log. The line is added correctly to the vqcache, but after that point it does not work for some reason.


Post by straightlight » Mon Feb 19, 2018 4:22 am

but after that point it does not work for some reason.
If you see the VQCache results, what do you mean by does not work? Please, clarify the statement.


Post by wektech » Mon Feb 19, 2018 4:36 am

When viewing the source code the hidden field is not showing on customer facing forms but is on admin facing.


Post by huubert2 » Mon Feb 19, 2018 4:45 am

straightlight wrote:
Mon Feb 19, 2018 4:22 am
If you see the VQCache results, what do you mean by does not work? Please, clarify the statement.
vq2-catalog_controller_common_header.php in vqcache shows that the xml seems to have done its job fine (just like with the admin):

		$data['currency'] = $this->load->controller('common/currency');
 
			$this->load->helper('csrf_helper');
			
			csrf_start();
			
		$data['search'] = $this->load->controller('common/search');
But the hidden input does not appear anywhere in the frontend when I look at the page source. It does appear in the admin though.


Post by straightlight » Mon Feb 19, 2018 5:49 am

Ok, I fixed the XML by cloning the buffer from the helper. Re-download the package and follow my instructions from my last post on the comment page on the marketplace.


Post by huubert2 » Mon Feb 19, 2018 6:27 pm

straightlight wrote:
Mon Feb 19, 2018 5:49 am
Ok, I fixed the XML by cloning the buffer from the helper. Re-download the package and follow my instructions from my last post on the comment page on the marketplace.
Thanks for the update.
Unfortunately the fix only seems to work on OC3 for the front, as the xml changes only .twig files.


Post by straightlight » Mon Feb 19, 2018 6:30 pm

Simply change all instances of: *.twig to *.tpl in the XML file. I simply didn't think of separating the versions when I updated it. I will do it a bit later on today.


Post by Pamela1972 » Mon Feb 19, 2018 8:02 pm

Who would I contact to install this for me?? I've tried downloading and uploading the two files and I never get an option to install CSRF Protection Form in my admin area. I'm nowhere near savvy enough to do this on my own without screwing something up and reading this thread is really overwhelming me.

Newbie

Posts

Joined
Sat Feb 17, 2018 1:10 am

Post by straightlight » Tue Feb 20, 2018 1:15 am

Who would I contact to install this for me??
As per the first post of this topic, I am the developer of this extension. I sent you a PM for the installation.
