firewall issues (https://lab.civicrm.org/extensions/firewall/-/issues), last updated 2024-03-26T00:03:43Z

---

Issue 34: Payment fails on Drupal 9.2+ webforms for anonymous users
https://lab.civicrm.org/extensions/firewall/-/issues/34 (BobS, 2024-03-26T00:03:43Z)

Drupal 9.2+ does not by default create a [session for anonymous users](https://www.drupal.org/node/3006306). This results in a CSRF failure when submitting webforms which include a payment section.

CiviCRM ensures that a session is created for all form requests that it handles, but this does not include webform requests.

When responding to Ajax requests to /drupal/civicrm/payment/form initiated from a Drupal Webform, `Firewall::generateCSRFToken()` calls `\CRM_Core_Config::singleton()->userSystem->getSessionId()` which in turn initializes the `civicrm.tempstore.sessionid` $_SESSION array element. Normally, this would cause Drupal to save the session. However, the Ajax request is terminated by CiviCRM before the normal Drupal request flow is completed, and thus, the session is not saved and no session cookie is emitted.
One solution would be to modify CiviCRM core to save the session before terminating Ajax requests. But, since this failure is specific to the CSRF token generated by the Firewall extension, I think it is more appropriate to fix it there.
The following patch to `Firewall::generateCSRFToken()` (v1.5.9) resolves the problem. It was tested on Drupal 10.2.3 for both anonymous and logged-in users, and is believed to be compatible with earlier Drupal versions.
```
*** firewall/Civi/Firewall/Firewall_v1.5.9.php Mon Mar 25 09:18:23 2024
--- firewall/Civi/Firewall/Firewall.php Mon Mar 25 17:01:36 2024
***************
*** 277,282 ****
--- 277,294 ----
if (!empty($context)) {
\CRM_Core_Session::singleton()->set('csrf.' . $publicToken, $context, 'civi.firewall');
}
+
+ //Drupal 9.2+ does not by default create a session for anonymous users.
+ //While processing an Ajax request to /drupal/civicrm/payment/form initiated
+ //from a Drupal Webform, we therefore save the session to ensure that anonymous
+ //users receive a session cookie.
+ if (($_REQUEST["is_drupal_webform"] ?? '') == '1' &&
+ method_exists('\Drupal', 'request') &&
+ method_exists(\Drupal::request(), 'getSession') &&
+ method_exists(\Drupal::request()->getSession(), 'save')) {
+ \Drupal::request()->getSession()->save();
+ }
+
return $publicToken;
}
```
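Review bot: the guard in the added `if` block (`method_exists(\Drupal::request()->getSession(), 'save')`) already calls `getSession()` before the `save` check runs, so it cannot protect the code from a request that has no session attached; `\Drupal::request()->hasSession()` is the check for that and should come before any `getSession()` call. Also, whether the session is saved is decided by a client-supplied value, `$_REQUEST["is_drupal_webform"] == '1'`, rather than by the request actually having started a session; keying the save on `hasSession()` plus the session having been started would make the behaviour independent of what the caller sends. Minor style: `method_exists('\Drupal', 'request')` does not need the leading backslash in the class-name string, and the comment lines use `//Drupal` with no space after `//`.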
See duplicate issue https://lab.civicrm.org/extensions/stripe/-/issues/473.

---

Issue 33: Composer: Type needs to be civicrm-ext
https://lab.civicrm.org/extensions/firewall/-/issues/33 (kenorb, 2024-01-15T21:36:37Z)

In `composer.json`, `type` should be `civicrm-ext`, not `civicrm-extension`.
See: <https://github.com/composer/installers#current-supported-package-types>.

---

Issue 32: Compatibility with php8?
https://lab.civicrm.org/extensions/firewall/-/issues/32 (GuillaumeSorel, 2023-10-09T14:57:57Z)

We're trying to upgrade the php version on our server and the extension generates an error. It doesn't seem to come from the civix.php file.
Is the extension compatible with php 8.xx as I haven't found any mention here https://civicrm.org/blog/bgm/php-8-support-civicrm-extensions?

---

Issue 31: Symfony Event class deprecated (Drupal 10 error fired)
https://lab.civicrm.org/extensions/firewall/-/issues/31 (calbasi, 2023-04-12T12:53:15Z)

In a Drupal 10 CiviCRM instance I get this error using the Stripe extension:
Error: Class "Symfony\Component\EventDispatcher\Event" not found in include() (line 16 of .../firewall/Civi/Firewall/Event/FraudEvent.php).
The reason, here:
https://www.drupal.org/node/3159012
I hotfixed it doing:
```
//class FraudEvent extends \Symfony\Component\EventDispatcher\Event {
class FraudEvent extends \Drupal\Component\EventDispatcher\Event {
```
but I think it's not a suitable solution to patch here, because of the CMS agnosticism of CiviCRM.
Not sure if:
```
class FraudEvent extends \Symfony\Contracts\EventDispatcher\Event {
```
could be OK. I think it is OK for Symfony 4 and 5, but not sure.

---

Issue 30: Error: Class 'Civi\Firewall\Services' not found in firewall_civicrm_container()
https://lab.civicrm.org/extensions/firewall/-/issues/30 (Andrew Wasson, 2023-04-12T17:25:54Z)

This error is logged when I enable or disable Firewall on a Drupal 7 CiviCRM 5.57 website.
The error is as follows:
> Error: Class 'Civi\Firewall\Services' not found in firewall_civicrm_container() (line 30 of /sites/default/files/civicrm/extensions/firewall/firewall.php).
I can't see anything in the code that is obvious. It might be that, as of CiviCRM version 5.27, CiviCRM now uses Symfony v3.4 or v4.4, and that there is an important change: in v3.3, Symfony services are now considered by default to be private?
The website in question is as follows:
- Firewall 1.5.8
- Drupal 7
- CiviCRM 5.57 website
- PHP version 7.4.33

---

Issue 29: multiple captcha forms
https://lab.civicrm.org/extensions/firewall/-/issues/29 (jonty17, 2023-04-12T11:00:13Z)

Hi, I am having a problem with duplicate captcha forms appearing on contribution pages when I enable this in the firewall module. Those forms are not being submitted successfully.
Many thanks
Jon

---

Issue 27: cv ext:enable firewall is failing
https://lab.civicrm.org/extensions/firewall/-/issues/27 (hesco, 2023-04-12T10:58:54Z)

How would I resolve this, please?
```
[error_message] => API error: is not of type String on OptionValue.create( entity name crm-search-display-table)
```

---

Issue 26: Proposal: integration with formprotection
https://lab.civicrm.org/extensions/firewall/-/issues/26 (JKingsnorth, 2022-12-09T14:58:03Z)

The formprotection extension blocks form submissions based on different methods (time limits, recaptcha, honeypot).
Proposal: Add a firewall event to be called from the formprotection module when an exception occurs. So we can automatically block IPs after multiple failures.
See https://lab.civicrm.org/extensions/formprotection/-/issues/8

Milestone: 1.5

---

Issue 25: Proposal: hook on block
https://lab.civicrm.org/extensions/firewall/-/issues/25 (JKingsnorth, 2022-12-09T14:57:48Z)

Proposal is to add a hook when the firewall blocks a request.
This would allow other extensions to be notified on a block event, and do custom logic/logging/notifications.
---
An alternative we considered was to add the hook to shouldThisRequestBeBlocked, to allow the $block to also be altered. However, we decided against this because:
- It would be better to implement custom blocking rules using a more robust mechanism, eg: extending a base event class provided by the firewall extension (#22), rather than via hooks
- It would run on every page load, although the impact would probably be negligible

Milestone: 1.5. Assignee: JKingsnorth

---

Issue 24: Unable to take any payments after update to 1.5.3
https://lab.civicrm.org/extensions/firewall/-/issues/24 (kcristiano, 2022-11-15T13:55:47Z)

CiviCRM 5.51.3 (also 5.54.1)
WP 5.9.5 also (6.0.3)
Stripe 6.7.11
mjwshared 1.2.9
sweetalert 1.5
apache 2.4
php 7.4
mariadb 10.3 (also 1.5)
After update to 1.5.3 or 1.5.4 - all transactions fail.
Firewall table shows (IP removed, and limited data to recent on a small site)
```
select id,access_date,event_type,source from civicrm_firewall_ipaddress;
```
| id | access_date | event_type | source |
|----|---------------------|------------------|---------------|
| 3 | 2022-11-13 17:26:11 | InvalidCSRFEvent | expired token |
| 4 | 2022-11-13 17:26:47 | InvalidCSRFEvent | expired token |
| 5 | 2022-11-13 17:27:54 | InvalidCSRFEvent | expired token |
| 6 | 2022-11-14 07:58:13 | InvalidCSRFEvent | expired token |
| 7 | 2022-11-14 07:58:52 | InvalidCSRFEvent | expired token |
| 8 | 2022-11-14 17:21:01 | InvalidCSRFEvent | expired token |
| 9 | 2022-11-14 17:23:21 | InvalidCSRFEvent | expired token |
| 10 | 2022-11-14 17:25:40 | InvalidCSRFEvent | expired token |
| 11 | 2022-11-14 17:26:35 | InvalidCSRFEvent | expired token |
Just for a sample.
This was on all sites using Stripe.
The quick fix was to downgrade to V 1.5.2, flush cache and then review firewall settings
I found on all sites that had upgraded we'd now have the 'proxy' box checked:
![image](/uploads/bc929b174094d6af24c11ce83697f641/image.png)
After downgrading and unchecking it, the CSRF timeout appeared and we could take payments again
![image](/uploads/46fa81226a4fb6a686bc436220d9c5b1/image.png)
What is the best path forward?

---

Issue 22: Configurable rates/limits
https://lab.civicrm.org/extensions/firewall/-/issues/22 (cantrellnm, 2023-04-12T11:03:36Z)

I know this is already in the list of future development/ideas, but I'd like to encourage a change to make the fraud/invalid CSRF event limits (currently 5) and 2 hour interval configurable. We had a card testing incident over the past couple days (with Firewall enabled) that was brought to my attention after payments on our Stripe account were temporarily blocked.
Out of 729 events logged in the `civicrm_firewall_ipaddress` table there were 649 unique IP addresses, so we're not getting anywhere close to the 5 events that would block them in time to prevent trouble. I'd like to be able to block them sooner, after 1 or 2 events, and to make that period longer than 2 hours. (I'll be lowering the CSRF timeout from the default 12 hours; 141 of those events were invalid CSRF events.)
It would also be nice to be able to block payments of $1 from Civi without upgrading to Stripe's "Radar for Fraud Teams" to add a custom rule there, but I understand that's probably beyond the scope of this issue.

---

Issue 21: How do I know it's working?
https://lab.civicrm.org/extensions/firewall/-/issues/21 (robbrandt, 2023-04-12T11:01:27Z)

I installed this on a site experiencing heavy fraud use with Stripe. It comes in waves. Lately there's been minimal activity. But it's only been a week.
Is there a way to see what IP addresses have been blocked? Do they show up in the configuration page or are they stored elsewhere?

---

Issue 20: Blocking Stripe payments in certain circumstances
https://lab.civicrm.org/extensions/firewall/-/issues/20 (darren.woods, 2023-04-12T11:01:59Z)

I've seen the old issues here: https://lab.civicrm.org/extensions/firewall/-/issues/3 and: https://lab.civicrm.org/extensions/stripe/-/issues/179
Unfortunately this has been reoccurring with v1.5.1 of Firewall and Stripe 6.7.1, Civi 5.45.5.
We've had to disable the extension for the users affected to be able to submit payments.
Screenshot of frontend error below (400 in console same as issues above).
![image__4_](/uploads/f21d5f83bf3608fb451de652d7dd56f2/image__4_.png)

---

Issue 19: What does it do?
https://lab.civicrm.org/extensions/firewall/-/issues/19 (Stefan, 2023-04-12T11:02:38Z)

Hey there,
I installed the firewall and it seems to work => doesn't make any trouble.
However, I wonder what it actually does.
I use wordpress and have security plugins installed. So, my wordpress backend and therefore civi should be fine, at least I thought that way.
Is this firewall then about API4 or civi event forms, e.g.?
Another line in the description would be nice, at least for me^^

---

Issue 18: getIPAddress Error when Bootstrapping Civi in CLI script
https://lab.civicrm.org/extensions/firewall/-/issues/18 (pbarmak, 2021-12-17T12:36:09Z)

We recently started getting the following error when we try to bootstrap Civi via a command line script. I believe this just started happening, once we upgraded Firewall to v1.3. We bootstrap using "$civi_config = civi_bootstrap();" and this is the error we get:
```
PHP Fatal error: Uncaught TypeError: Return value of Civi\Firewall\Firewall::getIPAddress() must be of the type string, null returned in /var/www/crm/sites/default/files/civicrm/ext/firewall/Civi/Firewall/Firewall.php:263
Stack trace:
#0 /var/www/crm/sites/default/files/civicrm/ext/firewall/Civi/Firewall/Firewall.php(100): Civi\Firewall\Firewall->getIPAddress()
#1 /var/www/crm/sites/default/files/civicrm/ext/firewall/Civi/Firewall/Firewall.php(83): Civi\Firewall\Firewall->shouldThisRequestBeBlocked()
#2 /var/www/crm/sites/default/files/civicrm/ext/firewall/firewall.php(16): Civi\Firewall\Firewall->run()
#3 /var/www/crm/sites/all/modules/civicrm/CRM/Utils/Hook.php(271): firewall_civicrm_config()
#4 /var/www/crm/sites/all/modules/civicrm/CRM/Utils/Hook/DrupalBase.php(73): CRM_Utils_Hook->runHooks()
#5 /var/www/crm/sites/all/modules/civicrm/Civi/Core/CiviEventDispatcher.php(237): CRM_ in /var/www/crm/sites/default/files/civicrm/ext/firewall/Civi/Firewall/Firewall.php on line 263
```

---

Issue 17: Incompatible with Symfony 4+?
https://lab.civicrm.org/extensions/firewall/-/issues/17 (JonGold, 2021-11-15T15:31:20Z)

A site today showed this error on credit card submission below the Stripe widget:
```
The "firewall_invalidcsrf_request` service or alias has been removed or inlined when the container was compiled. You should either make it public, or stop using the container directly and use dependency injection instead.
```
This site was recently updated to D9, and I had a similar issue recently with an older version of the multisite extension; it is the same bug that's addressed in core with https://lab.civicrm.org/dev/core/-/issues/2037.
However, this is only happening on one of my D9 sites despite them using identical versions of Symfony.

Milestone: 1.3

---

Issue 16: Error: Class 'Civi\\Firewall\\Firewall' not found in
https://lab.civicrm.org/extensions/firewall/-/issues/16 (hesco, 2021-10-13T13:19:26Z)

My build manifest calls for the installation of:
firewall@https://lab.civicrm.org/extensions/firewall/-/archive/1.1.2/firewall-1.1.2.zip
I just ran a build which resulted in success on my C-I server, but when browsing to the site I see:
```
The website encountered an unexpected error. Please try again later.
```
and in my apache2 error log I see a single entry with the following message
(which I have reformatted here for ease of reading,
and scrubbed of path name elements which identify my client).
```
[Fri Jun 11 19:57:18.360112 2021] [proxy_fcgi:error] [pid 1511:tid 140023760406272] [client 172.17.0.8:48342]
AH01071: Got error 'PHP message: PHP Deprecated: Array and string offset access syntax with curly braces is deprecated in /opt/local/${project_code}/files/civicrm/ext/sweetalert/sweetalert.civix.php on line 246
PHP message: Error: Class 'Civi\\Firewall\\Firewall' not found in
/opt/local/${project_code}/files/civicrm/ext/firewall/firewall.php on line 12
#0 /opt/local/${project_code}/drupal/vendor/civicrm/civicrm-core/CRM/Utils/Hook.php(271): firewall_civicrm_config()\n
#1 /opt/local/${project_code}/drupal/vendor/civicrm/civicrm-core/CRM/Utils/Hook/DrupalBase.php(73): CRM_Utils_Hook->runHooks()\n
#2 /opt/local/${project_code}/drupal/vendor/civicrm/civicrm-core/Civi/Core/CiviEventDispatcher.php(168): CRM_Utils_Hook_DrupalBase->invokeViaUF()\n
#3 /opt/local/${project_code}/drupal/vendor/symfony/event-dispatcher/EventDispatcher.php(214): Civi\\Core\\CiviEventDispatcher::delegateToUF()\n
#4 /opt/local/${project_code}/drupal/vendor/symfony/event-dispatcher/EventDispatcher.php(44): Symfony\\Component\\EventDispatcher\\EventDispatcher->doDispatch()\n
#5 /opt/local/${project_code}/drupal/vendor/civicrm/civicrm-core/Civi/Core/CiviEventDispatcher.php(129): Symfony\\Component\\EventDispatcher\\EventDispatcher->dispatch()\n
#6 /opt/local/${project_code}/drupal/vendor/civicrm/civicrm-core/CRM/Utils/Hook...'
```
A lint check at the command line reports:
```
root@efc9c26-00938:~# php -l /opt/local/${project_code}/files/civicrm/ext/firewall/firewall.php
No syntax errors detected in /opt/local/${project_code}/files/civicrm/ext/firewall/firewall.php
root@efc9c26-00938:~# php --version
PHP 7.4.20 (cli) (built: Jun 4 2021 21:24:37) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.20, Copyright (c), by Zend Technologies
```

---

Issue 15: Firewall breaks `drush cache:rebuild` on Drupal 8
https://lab.civicrm.org/extensions/firewall/-/issues/15 (JonGold, 2020-11-29T21:35:01Z)

Running `drush cache:rebuild` with firewall enabled returns:
```
In DAO.php line 1683:
is not of type String
```
The issue is the call to CRM_Utils_System::ipAddress(), which isn't populated when running from the CLI. Since most CLI commands don't run firewall code it's fine, but a cache clear does.
I'll send an MR that fixes this.

Assignee: JonGold

---

Issue 14: Firewall 1.1.1 causes custom fields to disappear from contribution pages.
https://lab.civicrm.org/extensions/firewall/-/issues/14 (tapash, 2021-05-23T10:46:54Z)

Firewall 1.1.1 causes custom fields to disappear from contribution pages.

---

Issue 13: Incompatibility with civiCRM 5.31.0?
https://lab.civicrm.org/extensions/firewall/-/issues/13 (larnoult, 2020-11-13T16:16:42Z)

Hello,
I just upgraded to 5.31.0 (on WordPress 5.5.3).
After DB update, it created such fatal error:
```
Fatal error: Uncaught Error: Class 'Civi\Firewall\Firewall' not found in /home/parlemon/www/wp-content/uploads/civicrm/ext/firewall/firewall.php:12 Stack trace: #0 /home/parlemon/www/wp-content/plugins/civicrm/civicrm/CRM/Utils/Hook.php(271): firewall_civicrm_config(Object(CRM_Core_Config)) #1 /home/parlemon/www/wp-content/plugins/civicrm/civicrm/CRM/Utils/Hook/WordPress.php(136): CRM_Utils_Hook->runHooks(Array, 'civicrm_config', 1, Object(CRM_Core_Config), NULL, NULL, NULL, NULL, NULL) #2 /home/parlemon/www/wp-content/plugins/civicrm/civicrm/Civi/Core/CiviEventDispatcher.php(168): CRM_Utils_Hook_WordPress->invokeViaUF(1, Object(CRM_Core_Config), NULL, NULL, NULL, NULL, NULL, 'civicrm_config') #3 /home/parlemon/www/wp-content/plugins/civicrm/civicrm/vendor/symfony/event-dispatcher/EventDispatcher.php(214): Civi\Core\CiviEventDispatcher::delegateToUF(Object(Civi\Core\Event\GenericHookEvent), 'hook_civicrm_co...', Object(Civi\Core\CiviEventDispatcher)) #4 /home/parlemon/www/wp-content/plugins/civicrm/civicrm/vendor/symfony/ in /home/parlemon/www/wp-content/uploads/civicrm/ext/firewall/firewall.php on line 12
```
I had to inactivate firewall extension to rescue my site.
I had the same type of error with the AWS extension: https://github.com/mecachisenros/aws/issues/9
Cheers,