[FR] Config setting for changing the name of x-craft-preview and x-craft-live-preview query params #15605
-
|
Could we get config settings for changing the parameter names, similar to what we have with Since yesterday we're seeing DDOS attacks/vulnerability probing using x-craft-preview on several of our sites. With the cache poisoning issue being taken care of via #15589, it would be good to be able to mitigate the DDOS attacks by obfuscating the parameters, especially since they now will bypass the template caching. Hopefully there isn't a vulnerability related to outputting the preview parameter from untrusted sources to twig/urls, but considering that it's just a random string that isn't validated in any way, maybe it would be safer to just generate a new random string for each request, instead of using whatever is passed in? Or, add some kind of validation like the tokenParam has. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
A new random value is generated each time there is a content edit, to ensure that the browser doesn’t load the page from cache when we know something has changed. I don’t think there would be any benefit to changing it more frequently than that.
I like that idea. Just made that change for Craft 4.12 and 5.4 (f82baa7). So going forward, |
Beta Was this translation helpful? Give feedback.
-
|
FYI, the bot attacks we're seeing are specifically using bogus/trash/random values for |
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure if this fix helps with either of the two issues I addressed. It's still possible to pass whatever content a malicious user wants to the preview param, and it will end up in the DOM of the page. Additionally, since To clarify what I meant with creating a new random value; I understand that a new random value is generated for each request, what I proposed was not to use the value that is passed through the param, when creating new URLs. Currently, if I request a page with And even though this helps slightly with DDOS attacks since the page will be cached, I would really prefer to be able to obfuscate the names to avoid it altogether. |
Beta Was this translation helpful? Give feedback.
-
|
It seems to me that as long as f82baa7 is amended so that invalid preview param values aren't added to generated URLs, it should mitigate both issues – i.e. both the DDOS/bot attacks currently exacerbated by preview params being used to bypass caches, as well as the ability for bad actors to inject random content into URLs (and potentially having those cached and indexed, with potential for reputational damage). I still think configurable preview param names is a really good idea though, would love to have that in addition to the above 🙂 |
Beta Was this translation helpful? Give feedback.
-
Yeah good call. Just made that change as well. (ca91aa3) |
Beta Was this translation helpful? Give feedback.
-
|
Craft 4.12.0 and 5.4.0 are out now with those |
Beta Was this translation helpful? Give feedback.
A new random value is generated each time there is a content edit, to ensure that the browser doesn’t load the page from cache when we know something has changed. I don’t think there would be any benefit to changing it more frequently than that.
I like that idea. Just made that change for Craft 4.12 and 5.4 (f82baa7). So going forward,
craft\web\Request::getIsPreview()will only returntrueif thex-craft-preview/x-craft-live-preview…