Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2018/06/02 10:09:00 UTC
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16498968#comment-16498968 ]
Jacques Le Roux commented on OFBIZ-10427:
-----------------------------------------
I have recently worked again on this topic, trying to set up the Tomcat CSRF filter. I did not succeed yet, and here are some causes.
As said in the documentation
{quote}This filter provides basic CSRF protection for a web application. The filter assumes that it is mapped to /* and that all URLs returned to the client are encoded via a call to HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
{quote}
So I initially used the simplest web.xml configuration in webtools only, w/o <init-param>, putting <filter> and <filter-mapping> in the last position.
{code:xml}
<filter>
    <display-name>CSRFPreventionFilter</display-name>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
{code}
And I checked whether we are encoding as requested. It's not the case, so I made these changes only to test:
{code:java}
Index: ControlFilter.java
===================================================================
--- ControlFilter.java (revision 1832691)
+++ ControlFilter.java (working copy)
@@ -111,10 +111,11 @@
if (httpRequest.getSession().getAttribute("_FORCE_REDIRECT_") == null) {
httpRequest.getSession().setAttribute("_FORCE_REDIRECT_", "true");
Debug.logWarning("Redirecting user to: " + redirectPath, module);
+
if (redirectPathIsUrl) {
- httpResponse.sendRedirect(redirectPath);
+ httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath));
} else {
- httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath);
+ httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath() + redirectPath));
}
return;
} else {
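Review bot: the cast `((HttpServletResponse) response)` on both `+` lines is redundant, since `httpResponse` is already the HttpServletResponse in scope (it is the receiver of `sendRedirect` on the same lines); `httpResponse.sendRedirect(httpResponse.encodeRedirectURL(redirectPath))` reads cleaner. The two branches differ only in the target string, so compute it once (`String target = redirectPathIsUrl ? redirectPath : httpRequest.getContextPath() + redirectPath;`) and redirect once. The added empty `+` line after the `Debug.logWarning` call is stray whitespace.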
@@ -143,9 +144,9 @@
httpResponse.sendError(errorCode, httpRequest.getRequestURI());
} else {
if (redirectPathIsUrl) {
- httpResponse.sendRedirect(redirectPath);
+ httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath));
} else {
- httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath);
+ httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath() + redirectPath));
}
}
if (Debug.infoOn()) {
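Review bot: this is the same four-line redirect block as in the previous hunk, duplicated with the same redundant cast; moving it into one private helper in ControlFilter keeps the two sites from drifting. Note also the consequence of encoding in the `redirectPathIsUrl` branch: encodeRedirectURL may append the session id to the URL when the container cannot yet rely on a cookie, so an absolute redirect target on another host would receive that session id. Either restrict the encoding to context-relative paths or make sure the webapp's session tracking mode is cookie-only.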
Index: RequestHandler.java
===================================================================
--- RequestHandler.java (revision 1832691)
+++ RequestHandler.java (working copy)
@@ -1180,7 +1180,7 @@
newURL.append(url);
String encodedUrl;
- if (encode) {
+ if (true) {
encodedUrl = response.encodeURL(newURL.toString());
} else {
encodedUrl = newURL.toString();
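Review bot: `if (true)` turns the `else` branch into dead code and leaves the `encode` parameter unused, so this hunk must not be committed in this form. If encoding is to become unconditional, remove the conditional and the `encode` flag from the method and its callers; if it is only the test hack described above, the finding worth recording is that every caller passing `encode=false` produces a link without the CSRF nonce, which is exactly what the filter rejects with 403.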
{code}
to no avail. I always got a 403:
{code:java}
HTTP Status 403 | Forbidden
Type Status Report
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.7
{code}
So I tried to put the filter at the top; same issue. Then I began to add entryPoints in <init-param>, knowing that they don't support wildcards (so in a way it's quite limited). The last set I tried was:
{code:xml}
<init-param>
    <param-name>entryPoints</param-name>
    <param-value>/catalog/control/main,/webtools/control/main,/webtools/control/login</param-value>
</init-param>
{code}
I put _/catalog/control/main_ because I initially tried to come from there. I then tried manually _/webtools/control/login_ and _/webtools/control/main_, same issue.
Desperately, I then set a huge nonceCacheSize (every call creates a nonce, for instance js, css, img, etc.), and if one of them is OK then it's OK (not totally sure of that, but anyway with a large cache more is allowed):
{code:xml}
<init-param>
    <param-name>nonceCacheSize</param-name>
    <param-value>100</param-value>
</init-param>
{code}
Still no success.
I stopped there for now, but I'll keep trying to see if a way is possible. I think the best would be to adapt the CsrfPreventionFilter class to our need. I did not look at the source in detail yet, let's see...
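To make the filter's behaviour concrete, here is an added Python model of the CsrfPreventionFilter decision logic written for this note (not Tomcat's code and not part of the Jira thread). It assumes the documented behaviour: exact-match entryPoints, one fresh nonce per filtered request, a per-session cache of the last nonceCacheSize issued nonces, 403 otherwise; the session ids and resource paths are constructed.

```python
"""Model of Tomcat's CsrfPreventionFilter decision logic (assumption: built
from the documented behaviour, not from Tomcat's source; eviction is modelled
as dropping the oldest issued nonce once the cache exceeds nonceCacheSize)."""
from collections import OrderedDict
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"  # the filter's request parameter


class CsrfFilterModel:
    def __init__(self, entry_points=(), nonce_cache_size=5):
        self.entry_points = set(entry_points)  # exact paths only, no wildcards
        self.nonce_cache_size = nonce_cache_size
        self.sessions = {}  # session id -> ordered cache of issued nonces

    def do_filter(self, session_id, url):
        """Return (status, nonce issued for this response). A filtered request
        that is not an entry point must carry a nonce still in the cache."""
        parts = urlsplit(url)
        cache = self.sessions.setdefault(session_id, OrderedDict())
        if parts.path not in self.entry_points:
            nonce = parse_qs(parts.query).get(NONCE_PARAM, [None])[0]
            if nonce is None or nonce not in cache:
                return 403, None  # the "HTTP Status 403 | Forbidden" above
        # Every request that passes, css/js/img included, gets a new nonce.
        new_nonce = secrets.token_hex(16)
        cache[new_nonce] = True
        while len(cache) > self.nonce_cache_size:
            cache.popitem(last=False)  # oldest issued nonce is evicted
        return 200, new_nonce

    @staticmethod
    def encode_url(url, nonce):
        """What encodeURL()/encodeRedirectURL() add once the filter wraps the response."""
        sep = "&" if urlsplit(url).query else "?"
        return f"{url}{sep}{urlencode({NONCE_PARAM: nonce})}"


def scenario():
    """Reproduce the behaviours discussed in the comment (constructed paths/sessions)."""
    f = CsrfFilterModel(entry_points={"/webtools/control/main"}, nonce_cache_size=2)
    first, page_nonce = f.do_filter("s1", "/webtools/control/main")  # entry point: 200
    plain = f.do_filter("s1", "/webtools/control/login")[0]  # link built with encode=false: 403
    encoded = f.do_filter("s1", f.encode_url("/webtools/control/login", page_nonce))[0]  # 200
    wildcard = CsrfFilterModel(entry_points={"/webtools/*"}).do_filter("s1", "/webtools/control/main")[0]
    # Each static resource of a page consumes one cache slot: with nonceCacheSize=2
    # the page nonce is gone after two resources, so the third one is refused.
    _, p = f.do_filter("s2", "/webtools/control/main")
    resources = [f.do_filter("s2", f.encode_url(f"/webtools/r{i}.css", p))[0] for i in range(3)]
    return first, plain, encoded, wildcard, resources
```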
> Add a mean to handle CSRF
> -------------------------
>
> Key: OFBIZ-10427
> URL: https://issues.apache.org/jira/browse/OFBIZ-10427
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
>
> I already worked on that in OFBiz but without success so far: https://markmail.org/message/r245yie623cdo3wz
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really not simple in OFBiz)
> * https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction (I think preferred)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)