Security changes coming in Sugar 7.8

Important security changes in Sugar 7.8

As we near the release of Sugar 7.8, we wanted to update the Sugar Developer community on a couple of important security changes that are coming in this release.

The oauth_token URL parameter is disabled by default

A convenience feature that allowed an OAuth 2.0 access token to be passed via the oauth_token URL parameter instead of using the OAuth-Token HTTP header is no longer supported in Sugar 7.8. The examples in the Sugar Developer Guide always used the OAuth-Token HTTP header - but a few people had discovered they could pass the oauth_token as a URL parameter on their own.

If you have been using it, you should know that this feature has been disabled by default due to security concerns. The practice of passing and accepting session identifiers via URL parameters is against OWASP guidelines.

For reference: Session Management Cheat Sheet - OWASPThis example is no longer allowed by default

GET /sugar/rest/v10/Contacts?oauth_token={GUID} HTTP/1.1Host: localhost:8080Content-Type: application/jsonCache-Control: no-cache

This example continues to work and is preferred

GET /sugar/rest/v10/Contacts HTTP/1.1Host: localhost:8080Content-Type: application/jsonOAuth-Token: {GUID}Cache-Control: no-cache

If you want to enable this feature again, then you can use a new SugarConfig setting called allow_oauth_via_get. When the config setting is true, this will permit the oauth_token URL parameter to be used to pass access tokens.

$sugar_config['allow_oauth_via_get'] = true;

CSRF Tokens are now enforced by default

In a previous post on CSRF tokens in Sugar 7.7, we indicated that CSRF authentication would be enabled by default in future Sugar versions.

Well in Sugar 7.8, the $sugar_config['csrf']['soft_fail_form'] setting will default to false and the $sugar_config['csrf']['opt_in'] setting has been removed. This means that CSRF tokens are now enabled by default as of Sugar 7.8

For more details on Sugar’s CSRF implementation, please review the original post on this blog.

HTML forms used in BWC modules need to be authenticated in order to continue to function. If necessary, Sugar Developers can temporarily set the following configuration variable to disable enforcement of CSRF tokens.

$sugar_config['csrf']['soft_fail_form'] = true;

The above setting will generate FATAL messages in the sugarcrm.log file whenever a CSRF authentication failure occurs.

Sugar Developers and Administrators should resist the temptation to use soft fail mode in production instances.