Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/02/02 10:33:59 UTC
svn commit: r1781366 [1/3] - in /ofbiz/trunk:
applications/content/widget/compdoc/ applications/content/widget/content/
applications/product/template/ applications/product/template/store/
applications/product/webapp/catalog/WEB-INF/ framework/base/src/...
Author: jleroux
Date: Thu Feb 2 10:33:59 2017
New Revision: 1781366
URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
Log:
Implemented:
Improved:
Documented:
Completed:
Reverted:
Fixed:
(OFBIZ-)
Explanation
Thanks:
Added:
ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js (with props)
ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties (with props)
ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller - Copie.xml (with props)
ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web - Copie.xml (with props)
ofbiz/trunk/framework/webapp/config/requestHandler - Copie.properties (with props)
ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with props)
Modified:
ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
ofbiz/trunk/applications/content/widget/content/ContentForms.xml
ofbiz/trunk/applications/product/template/Main.ftl
ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
ofbiz/trunk/framework/minilang/src/main/java/org/apache/ofbiz/minilang/method/entityops/EntityOne.java
ofbiz/trunk/framework/widget/dtd/widget-common.xsd
ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
Modified: ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml (original)
+++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml Thu Feb 2 10:33:59 2017
@@ -22,7 +22,7 @@ under the License.
<tree name="CompDocTemplateTree" entity-name="Content" root-node-name="node-root"
default-render-style="simple" default-wrap-style="treeWrapper">
<node name="node-root" wrap-style="treeWrapper">
- <entity-one entity-name="Content" use-cache="false">
+ <entity-one entity-name="Content" value-field="content" use-cache="false">
<field-map field-name="contentId" from-field="rootContentId"/>
</entity-one>
<include-screen name="rootTemplateLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
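Review bot: The explicit `value-field="content"` added to this `entity-one` (and to the same action at `@@ -54`, `@@ -90` and `@@ -122`) pins the context name under which the looked-up Content value is stored, and the included screens rootTemplateLine, childTemplateLine, rootInstanceLine and childInstanceLine in CompDocScreens.xml (outside this diff) must read it under exactly that name. Because widget-common.xsd and EntityOne.java are modified in the same revision, this looks like the implicit default name is changing, but the log message is an unfilled template and does not say what the previous default was. I would confirm each included screen references `content` rather than the old implicit name, and state the reason for the new attribute in the log. The enclosing `<tree>` definitions continue outside each hunk.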
@@ -54,7 +54,7 @@ under the License.
</sub-node>
</node>
<node name="node-body" join-field-name="itemContentId" entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
- <entity-one entity-name="Content" use-cache="false">
+ <entity-one entity-name="Content" value-field="content" use-cache="false">
<field-map field-name="contentId" from-field="itemContentId"/>
</entity-one>
<include-screen name="childTemplateLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
@@ -90,7 +90,7 @@ under the License.
<tree name="CompDocInstanceTree" entity-name="Content" root-node-name="node-root"
default-render-style="simple" default-wrap-style="treeWrapper">
<node name="node-root">
- <entity-one entity-name="Content" use-cache="false">
+ <entity-one entity-name="Content" value-field="content" use-cache="false">
<field-map field-name="contentId" from-field="instanceContent.instanceOfContentId"/>
</entity-one>
<include-screen name="rootInstanceLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
@@ -122,7 +122,7 @@ under the License.
</sub-node>
</node>
<node name="node-body" join-field-name="itemContentId" entity-name="AssocRevisionItemView">
- <entity-one entity-name="Content" use-cache="false">
+ <entity-one entity-name="Content" value-field="content" use-cache="false">
<field-map field-name="contentId" from-field="itemContentId"/>
</entity-one>
<include-screen name="childInstanceLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/widget/content/ContentForms.xml?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/widget/content/ContentForms.xml (original)
+++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu Feb 2 10:33:59 2017
@@ -230,9 +230,9 @@ under the License.
</form>
<!-- ContentAssoc forms -->
<form name="EditContentAssoc" target="updateContentAssoc" title="" type="single"
- header-row-style="header-row" default-table-style="basic-table">
+ header-row-style="header-row" default-table-style="basic-table" default-entity-name="contentAssocX">
<actions>
- <entity-one entity-name="ContentAssoc" use-cache="true">
+ <entity-one entity-name="ContentAssoc" use-cache="true" value-field="contentAssoc">
<field-map field-name="contentId" from-field="contentId"/>
<field-map field-name="contentIdTo" from-field="contentIdTo"/>
<field-map field-name="contentAssocTypeId" from-field="contentAssocTypeId"/>
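Review bot: `default-entity-name="contentAssocX"` on the EditContentAssoc form does not name an entity: the record looked up two lines later is `ContentAssoc`, and its value is now stored under `contentAssoc`, so the trailing `X` reads like a scratch edit that escaped into the commit. If the intent is for the form's fields to read their values from the looked-up record, the form-widget attribute for that is the map name, i.e. `default-map-name="contentAssoc"`; if the intent is field type inference, it should be `default-entity-name="ContentAssoc"`. The form's field list continues outside the hunk.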
Modified: ofbiz/trunk/applications/product/template/Main.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/template/Main.ftl (original)
+++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2 10:33:59 2017
@@ -29,6 +29,8 @@ under the License.
</form>
<div class="label">${uiLabelMap.CommonOr}: <a href="<@o...@ofbizUrl>" class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
<br />
+<p>Output format: ${.output_format}
+<p>Auto-escaping: ${.auto_esc?c}
<div class="label">${uiLabelMap.ProductEditCategoryWithCategoryId}:</div>
<form method="post" action="<@o...@ofbizUrl>" style="margin: 0;" name="EditCategoryForm">
<@htmlTemplate.lookupField name="productCategoryId" id="productCategoryId" formName="EditCategoryForm" fieldFormName="LookupProductCategory"/>
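Review bot: The two added `<p>` lines render FreeMarker engine settings (`${.output_format}` and `${.auto_esc?c}`) into the catalog main page and look like debugging output rather than a UI change: the text is a literal not routed through uiLabelMap, and neither `<p>` is closed. They expose template-engine configuration to every user of the page for no functional purpose, so I would drop `<p>Output format: ${.output_format}` and `<p>Auto-escaping: ${.auto_esc?c}` before this goes in. The surrounding markup continues outside the hunk.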
Modified: ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl (original)
+++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl Thu Feb 2 10:33:59 2017
@@ -37,12 +37,7 @@ under the License.
<td>${webSite.httpHost?default(' ')}</td>
<td>${webSite.httpPort?default(' ')}</td>
<td align="center">
- <a href="javascript:document.storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${uiLabelMap.CommonDelete}</a>
- <form name="storeUpdateWebSite_${webSite_index}" method="post" action="<@o...@ofbizUrl>">
- <input type="hidden" name="viewProductStoreId" value="${productStoreId}"/>
- <input type="hidden" name="productStoreId" value=""/>
- <input type="hidden" name="webSiteId" value="${webSite.webSiteId}"/>
- </form>
+ <a href="<@o...@ofbizUrl>" class="buttontext">${uiLabelMap.CommonDelete}</a>
</td>
</tr>
<#-- toggle the row color -->
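Review bot: The delete action in this row was a POST form (hidden `productStoreId` and `webSiteId` fields submitted through `storeUpdateWebSite_${webSite_index}`) and is now a plain `<a href>` link, so a state-changing request is issued with GET. A GET delete can be fired by a link prefetcher or a bookmarked/crawled URL and is the classic cross-site request forgery shape; the target URL is elided in this listing, so I cannot tell whether the controller restricts that request to POST. I would keep the removed form and JavaScript submit link unless the target request is reworked into a confirmation step; the OWASP CSRFGuard files added in the same revision do not change the HTTP method of this request. The enclosing iteration (`webSite_index` suggests a `<#list>`) continues outside the hunk.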
Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
==============================================================================
--- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js (added)
+++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js Thu Feb 2 10:33:59 2017
@@ -0,0 +1,447 @@
+/**
+ * The OWASP CSRFGuard Project, BSD License
+ * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of OWASP nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+(function() {
+ /**
+ * Code to ensure our event always gets triggered when the DOM is updated.
+ * @param obj
+ * @param type
+ * @param fn
+ * @source http://www.dustindiaz.com/rock-solid-addevent/
+ */
+ function addEvent( obj, type, fn ) {
+ if (obj.addEventListener) {
+ obj.addEventListener( type, fn, false );
+ EventCache.add(obj, type, fn);
+ }
+ else if (obj.attachEvent) {
+ obj["e"+type+fn] = fn;
+ obj[type+fn] = function() { obj["e"+type+fn]( window.event ); }
+ obj.attachEvent( "on"+type, obj[type+fn] );
+ EventCache.add(obj, type, fn);
+ }
+ else {
+ obj["on"+type] = obj["e"+type+fn];
+ }
+ }
+
+ var EventCache = function(){
+ var listEvents = [];
+ return {
+ listEvents : listEvents,
+ add : function(node, sEventName, fHandler){
+ listEvents.push(arguments);
+ },
+ flush : function(){
+ var i, item;
+ for(i = listEvents.length - 1; i >= 0; i = i - 1){
+ item = listEvents[i];
+ if(item[0].removeEventListener){
+ item[0].removeEventListener(item[1], item[2], item[3]);
+ };
+ if(item[1].substring(0, 2) != "on"){
+ item[1] = "on" + item[1];
+ };
+ if(item[0].detachEvent){
+ item[0].detachEvent(item[1], item[2]);
+ };
+ };
+ }
+ };
+ }();
+
+ /** string utility functions **/
+ String.prototype.startsWith = function(prefix) {
+ return this.indexOf(prefix) === 0;
+ };
+
+ String.prototype.endsWith = function(suffix) {
+ return this.match(suffix+"$") == suffix;
+ };
+
+ /** hook using standards based prototype **/
+ function hijackStandard() {
+ XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
+ XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
+ this.url = url;
+
+ this._open.apply(this, arguments);
+ };
+
+ XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
+ XMLHttpRequest.prototype.send = function(data) {
+ if(this.onsend != null) {
+ this.onsend.apply(this, arguments);
+ }
+
+ this._send.apply(this, arguments);
+ };
+ }
+
+ /** ie does not properly support prototype - wrap completely **/
+ function hijackExplorer() {
+ var _XMLHttpRequest = window.XMLHttpRequest;
+
+ function alloc_XMLHttpRequest() {
+ this.base = _XMLHttpRequest ? new _XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+ }
+
+ function init_XMLHttpRequest() {
+ return new alloc_XMLHttpRequest;
+ }
+
+ init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
+
+ /** constants **/
+ init_XMLHttpRequest.UNSENT = 0;
+ init_XMLHttpRequest.OPENED = 1;
+ init_XMLHttpRequest.HEADERS_RECEIVED = 2;
+ init_XMLHttpRequest.LOADING = 3;
+ init_XMLHttpRequest.DONE = 4;
+
+ /** properties **/
+ init_XMLHttpRequest.prototype.status = 0;
+ init_XMLHttpRequest.prototype.statusText = "";
+ init_XMLHttpRequest.prototype.readyState = init_XMLHttpRequest.UNSENT;
+ init_XMLHttpRequest.prototype.responseText = "";
+ init_XMLHttpRequest.prototype.responseXML = null;
+ init_XMLHttpRequest.prototype.onsend = null;
+
+ init_XMLHttpRequest.url = null;
+ init_XMLHttpRequest.onreadystatechange = null;
+
+ /** methods **/
+ init_XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
+ var self = this;
+ this.url = url;
+
+ this.base.onreadystatechange = function() {
+ try { self.status = self.base.status; } catch (e) { }
+ try { self.statusText = self.base.statusText; } catch (e) { }
+ try { self.readyState = self.base.readyState; } catch (e) { }
+ try { self.responseText = self.base.responseText; } catch(e) { }
+ try { self.responseXML = self.base.responseXML; } catch(e) { }
+
+ if(self.onreadystatechange != null) {
+ self.onreadystatechange.apply(this, arguments);
+ }
+ }
+
+ this.base.open(method, url, async, user, pass);
+ };
+
+ init_XMLHttpRequest.prototype.send = function(data) {
+ if(this.onsend != null) {
+ this.onsend.apply(this, arguments);
+ }
+
+ this.base.send(data);
+ };
+
+ init_XMLHttpRequest.prototype.abort = function() {
+ this.base.abort();
+ };
+
+ init_XMLHttpRequest.prototype.getAllResponseHeaders = function() {
+ return this.base.getAllResponseHeaders();
+ };
+
+ init_XMLHttpRequest.prototype.getResponseHeader = function(name) {
+ return this.base.getResponseHeader(name);
+ };
+
+ init_XMLHttpRequest.prototype.setRequestHeader = function(name, value) {
+ return this.base.setRequestHeader(name, value);
+ };
+
+ /** hook **/
+ window.XMLHttpRequest = init_XMLHttpRequest;
+ }
+
+ /** check if valid domain based on domainStrict **/
+ function isValidDomain(current, target) {
+ var result = false;
+
+ /** check exact or subdomain match **/
+ if(current == target) {
+ result = true;
+ } else if(%DOMAIN_STRICT% == false) {
+ if(target.charAt(0) == '.') {
+ result = current.endsWith(target);
+ } else {
+ result = current.endsWith('.' + target);
+ }
+ }
+
+ return result;
+ }
+
+ /** determine if uri/url points to valid domain **/
+ function isValidUrl(src) {
+ var result = false;
+
+ /** parse out domain to make sure it points to our own **/
+ if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
+ var token = "://";
+ var index = src.indexOf(token);
+ var part = src.substring(index + token.length);
+ var domain = "";
+
+ /** parse up to end, first slash, or anchor **/
+ for(var i=0; i<part.length; i++) {
+ var character = part.charAt(i);
+
+ if(character == '/' || character == ':' || character == '#') {
+ break;
+ } else {
+ domain += character;
+ }
+ }
+
+ result = isValidDomain(document.domain, domain);
+ /** explicitly skip anchors **/
+ } else if(src.charAt(0) == '#') {
+ result = false;
+ /** ensure it is a local resource without a protocol **/
+ } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
+ result = true;
+ }
+
+ return result;
+ }
+
+ /** parse uri from url **/
+ function parseUri(url) {
+ var uri = "";
+ var token = "://";
+ var index = url.indexOf(token);
+ var part = "";
+
+ /**
+ * ensure to skip protocol and prepend context path for non-qualified
+ * resources (ex: "protect.html" vs
+ * "/Owasp.CsrfGuard.Test/protect.html").
+ */
+ if(index > 0) {
+ part = url.substring(index + token.length);
+ } else if(url.charAt(0) != '/') {
+ part = "%CONTEXT_PATH%/" + url;
+ } else {
+ part = url;
+ }
+
+ /** parse up to end or query string **/
+ var uriContext = (index == -1);
+
+ for(var i=0; i<part.length; i++) {
+ var character = part.charAt(i);
+
+ if(character == '/') {
+ uriContext = true;
+ } else if(uriContext == true && (character == '?' || character == '#')) {
+ uriContext = false;
+ break;
+ }
+
+ if(uriContext == true) {
+ uri += character;
+ }
+ }
+
+ return uri;
+ }
+
+ /** inject tokens as hidden fields into forms **/
+ function injectTokenForm(form, tokenName, tokenValue, pageTokens,injectGetForms) {
+
+ if (!injectGetForms) {
+ var method = form.getAttribute("method");
+
+ if ((typeof method != 'undefined') && method != null && method.toLowerCase() == "get") {
+ return;
+ }
+ }
+
+ var value = tokenValue;
+ var action = form.getAttribute("action");
+
+ if(action != null && isValidUrl(action)) {
+ var uri = parseUri(action);
+ value = pageTokens[uri] != null ? pageTokens[uri] : tokenValue;
+ }
+
+ var hidden = document.createElement("input");
+
+ hidden.setAttribute("type", "hidden");
+ hidden.setAttribute("name", tokenName);
+ hidden.setAttribute("value", value);
+
+ form.appendChild(hidden);
+ }
+
+ /** inject tokens as query string parameters into url **/
+ function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
+ var location = element.getAttribute(attr);
+
+ if(location != null && isValidUrl(location)) {
+ var uri = parseUri(location);
+ var value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);
+
+ if(location.indexOf('?') != -1) {
+ location = location + '&' + tokenName + '=' + value;
+ } else {
+ location = location + '?' + tokenName + '=' + value;
+ }
+
+ try {
+ element.setAttribute(attr, location);
+ } catch (e) {
+ // attempted to set/update unsupported attribute
+ }
+ }
+ }
+
+ /** inject csrf prevention tokens throughout dom **/
+ function injectTokens(tokenName, tokenValue) {
+ /** obtain reference to page tokens if enabled **/
+ var pageTokens = {};
+
+ if(%TOKENS_PER_PAGE% == true) {
+ pageTokens = requestPageTokens();
+ }
+
+ /** iterate over all elements and injection token **/
+ var all = document.all ? document.all : document.getElementsByTagName('*');
+ var len = all.length;
+
+ //these are read from the csrf guard config file(s)
+ var injectForms = %INJECT_FORMS%;
+ var injectGetForms = %INJECT_GET_FORMS%;
+ var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
+ var injectAttributes = %INJECT_ATTRIBUTES%;
+
+ for(var i=0; i<len; i++) {
+ var element = all[i];
+
+ /** inject into form **/
+ if(element.tagName.toLowerCase() == "form") {
+ if(injectForms) {
+ injectTokenForm(element, tokenName, tokenValue, pageTokens,injectGetForms);
+ }
+ if (injectFormAttributes) {
+ injectTokenAttribute(element, "action", tokenName, tokenValue, pageTokens);
+ }
+ /** inject into attribute **/
+ } else if(injectAttributes) {
+ injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
+ injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
+ }
+ }
+ }
+
+ /** obtain array of page specific tokens **/
+ function requestPageTokens() {
+ var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+ var pageTokens = {};
+
+ xhr.open("POST", "%SERVLET_PATH%", false);
+ xhr.send(null);
+
+ var text = xhr.responseText;
+ var name = "";
+ var value = "";
+ var nameContext = true;
+
+ for(var i=0; i<text.length; i++) {
+ var character = text.charAt(i);
+
+ if(character == ':') {
+ nameContext = false;
+ } else if(character != ',') {
+ if(nameContext == true) {
+ name += character;
+ } else {
+ value += character;
+ }
+ }
+
+ if(character == ',' || (i + 1) >= text.length) {
+ pageTokens[name] = value;
+ name = "";
+ value = "";
+ nameContext = true;
+ }
+ }
+
+ return pageTokens;
+ }
+
+ /**
+ * Only inject the tokens if the JavaScript was referenced from HTML that
+ * was served by us. Otherwise, the code was referenced from malicious HTML
+ * which may be trying to steal tokens using JavaScript hijacking techniques.
+ * The token is now removed and fetched using another POST request to solve,
+ * the token hijacking problem.
+ */
+ if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
+ /** optionally include Ajax support **/
+ if(%INJECT_XHR% == true) {
+ if(navigator.appName == "Microsoft Internet Explorer") {
+ hijackExplorer();
+ } else {
+ hijackStandard();
+ }
+
+ var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+ var csrfToken = {};
+ xhr.open("POST", "%SERVLET_PATH%", false);
+ xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
+ xhr.send(null);
+
+ var token_pair = xhr.responseText;
+ token_pair = token_pair.split(":");
+ var token_name = token_pair[0];
+ var token_value = token_pair[1];
+
+ XMLHttpRequest.prototype.onsend = function(data) {
+ if(isValidUrl(this.url)) {
+ this.setRequestHeader("X-Requested-With", "XMLHttpRequest")
+ this.setRequestHeader(token_name, token_value);
+ }
+ };
+ }
+
+ /** update nodes in DOM after load **/
+ addEvent(window,'unload',EventCache.flush);
+ addEvent(window,'DOMContentLoaded', function() {
+ injectTokens(token_name, token_value);
+ });
+ } else {
+ alert("OWASP CSRFGuard JavaScript was included from within an unauthorized domain!");
+ }
+})();
Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties?rev=1781366&view=auto
==============================================================================
--- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties (added)
+++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties Thu Feb 2 10:33:59 2017
@@ -0,0 +1,417 @@
+# The OWASP CSRFGuard Project, BSD License
+# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. Neither the name of OWASP nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
+
+# Common substitutions
+# %servletContext% is the servlet context (e.g. the configured app prefix or war file name, or blank.
+# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp
+# if there isnt a context it will be the empty string. So to use this in the configuration, use e.g. %servletContext%/something.html
+# which will translate to e.g. /someApp/something.html
+
+# Logger
+#
+# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
+# the object responsible for processing all log messages produced by CSRFGuard. The default
+# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
+# to System.out which JavaEE application servers redirect to a vendor specific log file.
+# Developers can customize the logging behavior of CSRFGuard by implementing the
+# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
+# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
+# to capture all log messages to the console:
+#
+# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
+org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
+
+# Which configuration provider factory you want to use. The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
+# Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
+# The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
+# which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
+# it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
+org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
+
+
+# If csrfguard filter is enabled
+org.owasp.csrfguard.Enabled = false
+
+# If csrf guard filter should check even if there is no session for the user
+# Note: this changed around 2014/04, the default behavior used to be to
+# not check if there is no session. If you want the legacy behavior (if your app
+# is not susceptible to CSRF if the user has no session), set this to false
+org.owasp.csrfguard.ValidateWhenNoSessionExists = true
+
+# New Token Landing Page
+#
+# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
+# to send a user if the token is being generated for the first time, and the use new token landing
+# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
+# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
+# if it is specified.. If UseNewTokenLandingPage is set true then this request is generated
+# using auto-posting forms and will only contain the CSRF prevention token parameter, if
+# applicable. All query-string or form parameters sent with the original request will be
+# discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
+# original context and servlet path. The following configuration snippet instructs OWASP CSRFGuard to
+# redirect the user to %servletContext%/index.html when the user visits a protected resource
+# without having a corresponding CSRF token present in the HttpSession object:
+#
+org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*
+
+# Protected Methods
+#
+# The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
+# separated list of HTTP request methods that should be protected by CSRFGuard. The default
+# list is an empty list which will cause all HTTP methods to be protected, thus preserving
+# legacy behavior. This setting allows the user to inform CSRFGuard that only requests of the
+# given types should be considered for protection. All HTTP methods not in the list will be
+# considered safe (i.e. view only / unable to modify data). This should be used only when the
+# user has concrete knowledge that all requests made via methods not in the list
+# are safe (i.e. do not apply an action to any data) since it can actually introduce new
+# security vulnerabilities. For example: the user thinks that all actionable requests are
+# only available by POST requests when in fact some are available via GET requests. If the
+# user has excluded GET requests from the list then they have introduced a vulnerability.
+# The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
+# PUT, and DELETE HTTP methods.
+#
+# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
+
+# or you can configure all to be protected, and specify which is unprotected. This is the preferred approach
+
+# org.owasp.csrfguard.UnprotectedMethods=GET
+
+# Unique Per-Page Tokens
+#
+# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
+# determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
+# opposed to unique per-session prevention tokens. When a user requests a protected resource,
+# CSRFGuard will determine if a page specific token has been previously generated. If a page
+# specific token has not yet been previously generated, CSRFGuard will verify the request was
+# submitted with the per-session token intact. After verifying the presence of the per-session token,
+# CSRFGuard will create a page specific token that is required for all subsequent requests to the
+# associated resource. The per-session CSRF token can only be used when requesting a resource for
+# the first time. All subsequent requests must have the per-page token intact or the request will
+# be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
+# property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
+# visit. This option only works with JSTL token injection and is useful for preserving the validity of
+# links if the user pushes the back button. There may be a performance impact when enabling this option
+# if the .jsp has a large number of proctected links that need tokens to be calculated.
+# Use of the unique token per page property is currently experimental
+# but provides a significant amount of improved security. Consider the exposure of a CSRF token using
+# the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
+# carry out a CSRF attack against the victim's active session for any resource exposed by the web
+# application. Now consider the exposure of a CSRF token using the experimental unique token per-page
+# model. Exposure of this token would only allow the attacker to carry out a CSRF attack against the
+# victim's active session for a small subset of resources exposed by the web application. Use of the
+# unique token per-page property is a strong defense in depth strategy significantly reducing the
+# impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
+# CSRFGuard to utilize the unique token per-page model:
+#
+# org.owasp.csrfguard.TokenPerPage=true
+# org.owasp.csrfguard.TokenPerPagePrecreate=false
+org.owasp.csrfguard.TokenPerPage=true
+org.owasp.csrfguard.TokenPerPagePrecreate=false
+
+# Token Rotation
+#
+# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
+# CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
+# helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
+# in a targeted CSRF attack. However, this functionality generally causes navigation problems in
+# most applications. Specifically, the 'Back' button in the browser will often cease to function
+# properly. When a user hits the 'Back' button and interacts with the HTML, the browser may submit
+# an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
+# (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
+# containing FORM submissions using the cache-control header. However, this may also introduce
+# performance problems as the browser will have to request HTML on a more frequent basis. The following
+# configuration snippet enables token rotation:
+#
+# org.owasp.csrfguard.Rotate=true
+
+# Ajax and XMLHttpRequest Support
+#
+# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
+# CSRFGuard should support the injection and verification of unique per-session prevention tokens for
+# XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
+# also reference the JavaScript DOM Manipulation code using a script element. This dynamic script will
+# override the send method of the XMLHttpRequest object to ensure the submission of an X-Requested-With
+# header name value pair coupled with the submission of a custom header name value pair for each request.
+# The name of the custom header is the value of the token name property and the value of the header is
+# always the unique per-session token value. This custom header is analogous to the HTTP parameter name
+# value pairs submitted via traditional GET and POST requests. If the X-Requested-With header was sent
+# in the HTTP request, then CSRFGuard will look for the presence and ensure the validity of the unique
+# per-session token in the custom header name value pair. Note that verification of these headers takes
+# precedence over verification of the CSRF token supplied as an HTTP parameter. More specifically,
+# CSRFGuard does not verify the presence of the CSRF token if the Ajax support property is enabled and
+# the corresponding X-Requested-With and custom headers are embedded within the request. The following
+# configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
+# correctness of the X-Requested-With and custom headers:
+#
+# org.owasp.csrfguard.Ajax=true
+org.owasp.csrfguard.Ajax=true
+
+# The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
+# If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
+# All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
+# but you only want to protect a few pages.
+#
+# org.owasp.csrfguard.Protect=true
+
+# Unprotected Pages:
+#
+# The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
+# should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
+# aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
+# where PageName is some arbitrary identifier that can be used to reference a resource. The syntax of
+# defining the uri of unprotected pages is the same as the syntax used by the JavaEE container for uri mapping.
+# Specifically, CSRFGuard will identify the first match (if any) between the requested uri and an unprotected
+# page in order of declaration. Match criteria is as follows:
+#
+# Case 1: exact match between request uri and unprotected page
+# Case 2: longest path prefix match, beginning / and ending /*
+# Case 3: extension match, beginning *.
+# Case 4: if the value starts with ^ and ends with $, it will be evaulated as a regex. Note that before the
+# regex is compiled, any common variables will be substituted (e.g. %servletContext%)
+# Default: requested resource must be validated by CSRFGuard
+#
+# The following code snippet illustrates the four use cases over four examples. The first two examples
+# (Tag and JavaScriptServlet) look for direct URI matches. The third example (Html) looks for all resources
+# ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
+# The last example looks for resources that end in Public.do
+#
+# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Html=*.html
+# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
+# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
+# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$
+
+#org.owasp.csrfguard.unprotected.Default=%servletContext%/
+#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
+org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/control/JavaScriptServlet
+#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
+#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
+#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
+#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
+#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
+#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
+#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
+#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
+org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
+org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/*
+org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
+
+# Actions: Responding to Attacks
+#
+# The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
+# actions that should be invoked when a CSRF attack is detected. Every action must implement the
+# org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
+# org.owasp.csrfguard.action.AbstractAction helper class. Many actions accept parameters that can be specified
+# along with the action class declaration. These parameters are consumed at runtime and impact the behavior of
+# the associated action.
+#
+# The syntax for defining and configuring CSRFGuard actions is relatively straight forward. Let us assume we wish
+# to redirect the user to a default page when a CSRF attack is detected. A redirect action already exists within
+# the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
+# this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
+#
+# syntax: org.owasp.csrfguard.action.[actionName]=[className]
+# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
+#
+# The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
+# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
+# will be executed. You may be asking yourself, "but how do I specify where the user is redirected?"; this is where
+# action parameters come into play. In order to specify the redirect location, we capture the following declaration
+# in the Owasp.CsrfGuard.properties file:
+#
+# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
+# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/error.html
+#
+# The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
+# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
+# Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
+# an attack is detected.
+#
+#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
+org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
+org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
+#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
+#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
+#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
+#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
+#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
+org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
+org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
+#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
+#org.owasp.csrfguard.action.Error.Code=403
+#org.owasp.csrfguard.action.Error.Message=Security violation.
+
+# Token Name
+#
+# The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
+# to contain the value of the OWASP CSRFGuard token for each request. The following configuration
+# snippet sets the CSRFGuard token parameter name to the value OWASP_CSRFTOKEN:
+#
+# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
+org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
+
+# Session Key
+#
+# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
+# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
+# libraries to retrieve and set the token value in the session. Developers can use this key to
+# programmatically lookup the token within their own code. The following configuration snippet sets
+# the session key to the value OWASP_CSRFTOKEN:
+#
+# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+
+# Token Length
+#
+# The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
+# should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
+# of four. For cosmetic reasons, users are encourage to ensure the token length is divisible by four.
+# The following configuration snippet sets the token length property to 32 characters:
+#
+# org.owasp.csrfguard.TokenLength=32
+org.owasp.csrfguard.TokenLength=32
+
+# Pseudo-random Number Generator
+#
+# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
+# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
+# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
+# generator to SHA1PRNG:
+#
+# org.owasp.csrfguard.PRNG=SHA1PRNG
+org.owasp.csrfguard.PRNG=SHA1PRNG
+
+# Pseudo-random Number Generator Provider
+
+# The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
+# provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
+# snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
+# org.owasp.csrfguard.PRNG property:
+
+# org.owasp.csrfguard.PRNG.Provider=SUN
+org.owasp.csrfguard.PRNG.Provider=SUN
+
+# If not specifying the print config option in the web.xml, you can specify it here, to print the config
+# on startup
+org.owasp.csrfguard.Config.Print = true
+
+###########################
+## Javascript servlet settings if not set in web.xml
+## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
+###########################
+
+# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
+# Denotes the location of the JavaScript template file that should be consumed and dynamically
+# augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js.
+# Use of this property and the existence of the specified template file is required.
+#org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
+org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
+
+# Boolean value that determines whether or not the dynamic JavaScript code should be strict
+# with regards to what links it should inject the CSRF prevention token. With a value of true,
+# the JavaScript code will only place the token in links that point to the same exact domain
+# from which the HTML originated. With a value of false, the JavaScript code will place the
+# token in links that not only point to the same exact domain from which the HTML originated,
+# but sub-domains as well.
+org.owasp.csrfguard.JavascriptServlet.domainStrict = true
+
+# Allows the developer to specify the value of the Cache-Control header in the HTTP response
+# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
+# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
+# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
+# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
+org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
+
+# Allows the developer to specify a regular expression describing the required value of the
+# Referer header. Any attempts to access the servlet with a Referer header that does not
+# match the captured expression is discarded. Inclusion of referer header checking is to
+# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
+# the dynamically generated JavaScript. While the primary defenses against JavaScript
+# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
+# checking is implemented to achieve defense in depth.
+org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
+
+# Similar to javascript servlet referer pattern, but this will make sure the referer of the
+# javascript servlet matches the domain of the request. If there is no referer (proxy strips it?)
+# then it will not fail. Generally this is a good idea to be true.
+org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
+
+# Boolean value that determines whether or not the dynamic JavaScript code should
+# inject the CSRF prevention token as a hidden field into HTML forms. The default
+# value is true. Developers are strongly discouraged from disabling this property
+# as most server-side state changing actions are triggered via a POST request.
+org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
+
+# if the token should be injected in GET forms (which will be on the URL)
+# if the HTTP method GET is unprotected, then this should likely be false
+org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
+
+# if the token should be injected in the action in forms
+# note, if injectIntoForms is true, then this might not need to be true
+org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
+
+
+# Boolean value that determines whether or not the dynamic JavaScript code should
+# inject the CSRF prevention token in the query string of src and href attributes.
+# Injecting the CSRF prevention token in a URL resource increases its general risk
+# of exposure to unauthorized parties. However, most JavaEE web applications respond
+# in the exact same manner to HTTP requests and their associated parameters regardless
+# of the HTTP method. The risk associated with not protecting GET requests in this
+# situation is perceived greater than the risk of exposing the token in protected GET
+# requests. As a result, the default value of this attribute is set to true. Developers
+# that are confident their server-side state changing controllers will only respond to
+# POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
+org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
+
+
+org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
+
+###########################
+## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
+## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
+## By default the configuration is read from the Owasp.CsrfGuard.properties
+## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
+## the base settings. See the Owasp.CsrfGuard.properties for the possible
+## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
+###########################
+
+# comma separated config files that override each other (files on the right override the left)
+# each should start with file: or classpath:
+# e.g. classpath:Owasp.CsrfGuard.properties, file:c:/temp/myFile.properties
+org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
+
+# seconds between checking to see if the config files are updated
+org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
+
+
+###########################
+
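Review bot: `org.owasp.csrfguard.unprotected.Session` is declared twice in this hunk (first for `%servletContext%/favicon.ico`, then for `%servletContext%/control/login/*`); a Java properties loader keeps only the last value for a repeated key, so the favicon exclusion is silently dropped — give each entry a distinct name, e.g. `org.owasp.csrfguard.unprotected.Favicon=%servletContext%/favicon.ico`. `org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*` is a URL-mapping pattern rather than a page, yet the file's own comment says this value becomes the target of the auto-posting form and that setting it turns UseNewTokenLandingPage on, so it should be a concrete path such as `%servletContext%/control/login` or be left unset. `org.owasp.csrfguard.Enabled = false` leaves the whole filter inert, and `refererPattern = .*` leaves `refererMatchDomain = true` as the only thing stopping the token-bearing JavaScript from being fetched cross-site; both read as work-in-progress values that should not land as defaults. With `TokenPerPage=true` combined with `injectGetForms = true` and `injectIntoAttributes = true`, per-page tokens will appear in query strings, which the surrounding comment itself flags as increasing exposure (logs, Referer); a short comment stating whether OFBiz's controller really needs GET requests protected would make that trade-off deliberate.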
Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
------------------------------------------------------------------------------
svn:mime-type = text/plain
Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/
applications/content/widget/content/ applications/product/template/
applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/
framework/base/src/...
Posted by Pranay Pandey <pr...@hotwaxsystems.com>.
Thanks Gil.
Best regards,
Pranay Pandey
HotWax Systems
http://www.hotwaxsystems.com/
On Thu, Feb 2, 2017 at 6:28 PM, gil portenseigne <
gil.portenseigne@nereide.fr> wrote:
> Hello Pranay,
>
> Jacques reverted it just after; he did not commit it on purpose.
>
> Regards,
>
> Gil
>
>
>
> Le 02/02/2017 à 13:52, Pranay Pandey a écrit :
>
>> ??
>>
>> Log:
>> Implemented:
>> Improved:
>> Documented:
>> Completed:
>> Reverted:
>> Fixed:
>> (OFBIZ-)
>> Explanation
>> Thanks:
>>
>> Best regards,
>>
>> Pranay Pandey
>> HotWax Systems
>> http://www.hotwaxsystems.com/
>>
>> On Thu, Feb 2, 2017 at 4:03 PM, <jl...@apache.org> wrote:
>>
>> Author: jleroux
>>> Date: Thu Feb 2 10:33:59 2017
>>> New Revision: 1781366
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
>>> Log:
>>> Implemented:
>>> Improved:
>>> Documented:
>>> Completed:
>>> Reverted:
>>> Fixed:
>>> (OFBIZ-)
>>> Explanation
>>> Thanks:
>>>
>>> Added:
>>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.js
>>> (with props)
>>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.properties
>>> (with props)
>>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller
>>> -
>>> Copie.xml (with props)
>>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
>>> Copie.xml (with props)
>>> ofbiz/trunk/framework/webapp/config/requestHandler -
>>> Copie.properties (with props)
>>> ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with
>>> props)
>>> Modified:
>>> ofbiz/trunk/applications/content/widget/compdoc/
>>> CompDocTemplateTree.xml
>>> ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>>> ofbiz/trunk/applications/product/template/Main.ftl
>>> ofbiz/trunk/applications/product/template/store/
>>> EditProductStoreWebSites.ftl
>>> ofbiz/trunk/framework/base/src/main/java/org/apache/
>>> ofbiz/base/util/template/FreeMarkerWorker.java
>>> ofbiz/trunk/framework/minilang/src/main/java/org/
>>> apache/ofbiz/minilang/method/entityops/EntityOne.java
>>> ofbiz/trunk/framework/widget/dtd/widget-common.xsd
>>> ofbiz/trunk/framework/widget/src/main/java/org/apache/
>>> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>>>
>>> Modified: ofbiz/trunk/applications/content/widget/compdoc/
>>> CompDocTemplateTree.xml
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> content/widget/compdoc/CompDocTemplateTree.xml?rev=
>>> 1781366&r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTempl
>>> ateTree.xml
>>> (original)
>>> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTempl
>>> ateTree.xml
>>> Thu Feb 2 10:33:59 2017
>>> @@ -22,7 +22,7 @@ under the License.
>>> <tree name="CompDocTemplateTree" entity-name="Content"
>>> root-node-name="node-root"
>>> default-render-style="simple" default-wrap-style="treeWrappe
>>> r">
>>> <node name="node-root" wrap-style="treeWrapper">
>>> - <entity-one entity-name="Content" use-cache="false">
>>> + <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>> <field-map field-name="contentId"
>>> from-field="rootContentId"/>
>>> </entity-one>
>>> <include-screen name="rootTemplateLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>> @@ -54,7 +54,7 @@ under the License.
>>> </sub-node>
>>> </node>
>>> <node name="node-body" join-field-name="itemContentId"
>>> entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
>>> - <entity-one entity-name="Content" use-cache="false">
>>> + <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>> <field-map field-name="contentId"
>>> from-field="itemContentId"/>
>>> </entity-one>
>>> <include-screen name="childTemplateLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>> @@ -90,7 +90,7 @@ under the License.
>>> <tree name="CompDocInstanceTree" entity-name="Content"
>>> root-node-name="node-root"
>>> default-render-style="simple" default-wrap-style="treeWrappe
>>> r">
>>> <node name="node-root">
>>> - <entity-one entity-name="Content" use-cache="false">
>>> + <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>> <field-map field-name="contentId"
>>> from-field="instanceContent.instanceOfContentId"/>
>>> </entity-one>
>>> <include-screen name="rootInstanceLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>> @@ -122,7 +122,7 @@ under the License.
>>> </sub-node>
>>> </node>
>>> <node name="node-body" join-field-name="itemContentId"
>>> entity-name="AssocRevisionItemView">
>>> - <entity-one entity-name="Content" use-cache="false">
>>> + <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>> <field-map field-name="contentId"
>>> from-field="itemContentId"/>
>>> </entity-one>
>>> <include-screen name="childInstanceLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>>
>>> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms
>>> .xml
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> content/widget/content/ContentForms.xml?rev=1781366&
>>> r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>>> (original)
>>> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu
>>> Feb 2 10:33:59 2017
>>> @@ -230,9 +230,9 @@ under the License.
>>> </form>
>>> <!-- ContentAssoc forms -->
>>> <form name="EditContentAssoc" target="updateContentAssoc" title=""
>>> type="single"
>>> - header-row-style="header-row" default-table-style="basic-tab
>>> le">
>>> + header-row-style="header-row" default-table-style="basic-table"
>>> default-entity-name="contentAssocX">
>>> <actions>
>>> - <entity-one entity-name="ContentAssoc" use-cache="true">
>>> + <entity-one entity-name="ContentAssoc" use-cache="true"
>>> value-field="contentAssoc">
>>> <field-map field-name="contentId"
>>> from-field="contentId"/>
>>> <field-map field-name="contentIdTo"
>>> from-field="contentIdTo"/>
>>> <field-map field-name="contentAssocTypeId"
>>> from-field="
>>> contentAssocTypeId"/>
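Review bot: `default-entity-name="contentAssocX"` on the EditContentAssoc form does not name the entity its own actions load (`entity-name="ContentAssoc"` two lines below), and the trailing X reads like a value left over from local testing. If the attribute is meant to give the form its field definitions it should be `default-entity-name="ContentAssoc"`; if it is not needed it should be dropped rather than pointing at a name no entity model carries. The form body continues outside the hunk, so I cannot see whether any field declaration relies on it.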
>>>
>>> Modified: ofbiz/trunk/applications/product/template/Main.ftl
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/template/Main.ftl (original)
>>> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2
>>> 10:33:59 2017
>>> @@ -29,6 +29,8 @@ under the License.
>>> </form>
>>> <div class="label">${uiLabelMap.CommonOr}: <a
>>> href="<@o...@ofbizUrl>"
>>> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
>>> <br />
>>> +<p>Output format: ${.output_format}
>>> +<p>Auto-escaping: ${.auto_esc?c}
>>> <div class="label">${uiLabelMap.ProductEditCategoryWithCategor
>>> yId}:</div>
>>> <form method="post" action="<@o...@ofbizUrl>"
>>> style="margin: 0;" name="EditCategoryForm">
>>> <@htmlTemplate.lookupField name="productCategoryId"
>>> id="productCategoryId" formName="EditCategoryForm" fieldFormName="
>>> LookupProductCategory"/>
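Review bot: The two added `<p>` lines print the FreeMarker special variables `.output_format` and `.auto_esc` into the catalog main screen, which looks like a debugging aid rather than a feature: they expose template-engine configuration to every user who can reach the page and both `<p>` elements are left unclosed. Unless the display is intended, remove `<p>Output format: ${.output_format}` and `<p>Auto-escaping: ${.auto_esc?c}` before this lands; if it is intended, close the elements and keep it out of production builds. The surrounding markup continues outside the hunk.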
>>>
>>> Modified: ofbiz/trunk/applications/product/template/store/
>>> EditProductStoreWebSites.ftl
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/template/store/EditProductStoreWebSites.ftl?
>>> rev=1781366&r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/template/store/EditProductS
>>> toreWebSites.ftl
>>> (original)
>>> +++ ofbiz/trunk/applications/product/template/store/EditProductS
>>> toreWebSites.ftl
>>> Thu Feb 2 10:33:59 2017
>>> @@ -37,12 +37,7 @@ under the License.
>>> <td>${webSite.httpHost?default(' ')}</td>
>>> <td>${webSite.httpPort?default(' ')}</td>
>>> <td align="center">
>>> - <a href="javascript:document.
>>> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${
>>> uiLabelMap.CommonDelete}</a>
>>> - <form name="storeUpdateWebSite_${webSite_index}"
>>> method="post" action="<@o...@ofbizUrl>">
>>> - <input type="hidden" name="viewProductStoreId"
>>> value="${productStoreId}"/>
>>> - <input type="hidden" name="productStoreId"
>>> value=""/>
>>> - <input type="hidden" name="webSiteId"
>>> value="${webSite.webSiteId}"/>
>>> - </form>
>>> + <a href="<@ofbizUrl>storeUpdateWebSite?
>>> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${
>>> webSite.webSiteId}</...@ofbizUrl>" class="buttontext">${
>>> uiLabelMap.CommonDelete}</a>
>>> </td>
>>> </tr>
>>> <#-- toggle the row color -->
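Review bot: The Delete action is now issued as a plain GET link (`storeUpdateWebSite?viewProductStoreId=…&productStoreId=&webSiteId=…`) where it was previously a POST form, so a state-changing request becomes reachable from any cross-site link or image and falls into exactly the method class that CSRF token checks conventionally leave unprotected. If the goal was to get rid of the inline `javascript:` href, keep the POST form and replace the anchor with a submit button, as sketched below. Separately, a literal `&` between query parameters inside an HTML attribute should be written `&amp;`. The enclosing table row continues outside the hunk.
```ftl
<td align="center">
  <form name="storeUpdateWebSite_${webSite_index}" method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>">
    <input type="hidden" name="viewProductStoreId" value="${productStoreId}"/>
    <input type="hidden" name="productStoreId" value=""/>
    <input type="hidden" name="webSiteId" value="${webSite.webSiteId}"/>
    <input type="submit" class="buttontext" value="${uiLabelMap.CommonDelete}"/>
  </form>
</td>
<#-- … unchanged: row close and row-colour toggle … -->
```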
>>>
>>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.js
>>> (added)
>>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.js
>>> Thu Feb 2 10:33:59 2017
>>> @@ -0,0 +1,447 @@
>>> +/**
>>> + * The OWASP CSRFGuard Project, BSD License
>>> + * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
>>> + * All rights reserved.
>>> + *
>>> + * Redistribution and use in source and binary forms, with or without
>>> + * modification, are permitted provided that the following conditions
>>> are
>>> met:
>>> + *
>>> + * 1. Redistributions of source code must retain the above copyright
>>> notice,
>>> + * this list of conditions and the following disclaimer.
>>> + * 2. Redistributions in binary form must reproduce the above
>>> copyright
>>> + * notice, this list of conditions and the following disclaimer in
>>> the
>>> + * documentation and/or other materials provided with the
>>> distribution.
>>> + * 3. Neither the name of OWASP nor the names of its contributors may
>>> be used
>>> + * to endorse or promote products derived from this software
>>> without specific
>>> + * prior written permission.
>>> + *
>>> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>>> "AS IS"
>>> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>>> THE
>>> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>>> PURPOSE
>>> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
>>> CONTRIBUTORS
>>> BE LIABLE
>>> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>> CONSEQUENTIAL DAMAGES
>>> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>>> SERVICES;
>>> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>>> CAUSED AND ON
>>> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
>>> TORT
>>> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>>> OF THIS
>>> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>> + */
>>> +(function() {
>>> + /**
>>> + * Code to ensure our event always gets triggered when the DOM is
>>> updated.
>>> + * @param obj
>>> + * @param type
>>> + * @param fn
>>> + * @source http://www.dustindiaz.com/rock-solid-addevent/
>>> + */
>>> + function addEvent( obj, type, fn ) {
>>> + if (obj.addEventListener) {
>>> + obj.addEventListener( type, fn, false );
>>> + EventCache.add(obj, type, fn);
>>> + }
>>> + else if (obj.attachEvent) {
>>> + obj["e"+type+fn] = fn;
>>> + obj[type+fn] = function() { obj["e"+type+fn]( window.event
>>> );
>>> }
>>> + obj.attachEvent( "on"+type, obj[type+fn] );
>>> + EventCache.add(obj, type, fn);
>>> + }
>>> + else {
>>> + obj["on"+type] = obj["e"+type+fn];
>>> + }
>>> + }
>>> +
>>> + var EventCache = function(){
>>> + var listEvents = [];
>>> + return {
>>> + listEvents : listEvents,
>>> + add : function(node, sEventName, fHandler){
>>> + listEvents.push(arguments);
>>> + },
>>> + flush : function(){
>>> + var i, item;
>>> + for(i = listEvents.length - 1; i >= 0; i = i - 1){
>>> + item = listEvents[i];
>>> + if(item[0].removeEventListener){
>>> + item[0].removeEventListener(item[1], item[2],
>>> item[3]);
>>> + };
>>> + if(item[1].substring(0, 2) != "on"){
>>> + item[1] = "on" + item[1];
>>> + };
>>> + if(item[0].detachEvent){
>>> + item[0].detachEvent(item[1], item[2]);
>>> + };
>>> + };
>>> + }
>>> + };
>>> + }();
>>> +
>>> + /** string utility functions **/
>>> + String.prototype.startsWith = function(prefix) {
>>> + return this.indexOf(prefix) === 0;
>>> + };
>>> +
>>> + String.prototype.endsWith = function(suffix) {
>>> + return this.match(suffix+"$") == suffix;
>>> + };
>>> +
>>> + /** hook using standards based prototype **/
>>> + function hijackStandard() {
>>> + XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
>>> + XMLHttpRequest.prototype.open = function(method, url, async,
>>> user, pass) {
>>> + this.url = url;
>>> +
>>> + this._open.apply(this, arguments);
>>> + };
>>> +
>>> + XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
>>> + XMLHttpRequest.prototype.send = function(data) {
>>> + if(this.onsend != null) {
>>> + this.onsend.apply(this, arguments);
>>> + }
>>> +
>>> + this._send.apply(this, arguments);
>>> + };
>>> + }
>>> +
>>> + /** ie does not properly support prototype - wrap completely **/
>>> + function hijackExplorer() {
>>> + var _XMLHttpRequest = window.XMLHttpRequest;
>>> +
>>> + function alloc_XMLHttpRequest() {
>>> + this.base = _XMLHttpRequest ? new _XMLHttpRequest : new
>>> window.ActiveXObject("Microsoft.XMLHTTP");
>>> + }
>>> +
>>> + function init_XMLHttpRequest() {
>>> + return new alloc_XMLHttpRequest;
>>> + }
>>> +
>>> + init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
>>> +
>>> + /** constants **/
>>> + init_XMLHttpRequest.UNSENT = 0;
>>> + init_XMLHttpRequest.OPENED = 1;
>>> + init_XMLHttpRequest.HEADERS_RECEIVED = 2;
>>> + init_XMLHttpRequest.LOADING = 3;
>>> + init_XMLHttpRequest.DONE = 4;
>>> +
>>> + /** properties **/
>>> + init_XMLHttpRequest.prototype.status = 0;
>>> + init_XMLHttpRequest.prototype.statusText = "";
>>> + init_XMLHttpRequest.prototype.readyState =
>>> init_XMLHttpRequest.UNSENT;
>>> + init_XMLHttpRequest.prototype.responseText = "";
>>> + init_XMLHttpRequest.prototype.responseXML = null;
>>> + init_XMLHttpRequest.prototype.onsend = null;
>>> +
>>> + init_XMLHttpRequest.url = null;
>>> + init_XMLHttpRequest.onreadystatechange = null;
>>> +
>>> + /** methods **/
>>> + init_XMLHttpRequest.prototype.open = function(method, url,
>>> async, user, pass) {
>>> + var self = this;
>>> + this.url = url;
>>> +
>>> + this.base.onreadystatechange = function() {
>>> + try { self.status = self.base.status; } catch (e) { }
>>> + try { self.statusText = self.base.statusText; } catch
>>> (e)
>>> { }
>>> + try { self.readyState = self.base.readyState; } catch
>>> (e)
>>> { }
>>> + try { self.responseText = self.base.responseText; }
>>> catch(e) { }
>>> + try { self.responseXML = self.base.responseXML; }
>>> catch(e) { }
>>> +
>>> + if(self.onreadystatechange != null) {
>>> + self.onreadystatechange.apply(this, arguments);
>>> + }
>>> + }
>>> +
>>> + this.base.open(method, url, async, user, pass);
>>> + };
>>> +
>>> + init_XMLHttpRequest.prototype.send = function(data) {
>>> + if(this.onsend != null) {
>>> + this.onsend.apply(this, arguments);
>>> + }
>>> +
>>> + this.base.send(data);
>>> + };
>>> +
>>> + init_XMLHttpRequest.prototype.abort = function() {
>>> + this.base.abort();
>>> + };
>>> +
>>> + init_XMLHttpRequest.prototype.getAllResponseHeaders =
>>> function()
>>> {
>>> + return this.base.getAllResponseHeaders();
>>> + };
>>> +
>>> + init_XMLHttpRequest.prototype.getResponseHeader =
>>> function(name)
>>> {
>>> + return this.base.getResponseHeader(name);
>>> + };
>>> +
>>> + init_XMLHttpRequest.prototype.setRequestHeader = function(name,
>>> value) {
>>> + return this.base.setRequestHeader(name, value);
>>> + };
>>> +
>>> + /** hook **/
>>> + window.XMLHttpRequest = init_XMLHttpRequest;
>>> + }
>>> +
>>> + /** check if valid domain based on domainStrict **/
>>> + function isValidDomain(current, target) {
>>> + var result = false;
>>> +
>>> + /** check exact or subdomain match **/
>>> + if(current == target) {
>>> + result = true;
>>> + } else if(%DOMAIN_STRICT% == false) {
>>> + if(target.charAt(0) == '.') {
>>> + result = current.endsWith(target);
>>> + } else {
>>> + result = current.endsWith('.' + target);
>>> + }
>>> + }
>>> +
>>> + return result;
>>> + }
>>> +
>>> + /** determine if uri/url points to valid domain **/
>>> + function isValidUrl(src) {
>>> + var result = false;
>>> +
>>> + /** parse out domain to make sure it points to our own **/
>>> + if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
>>> "https://") {
>>> + var token = "://";
>>> + var index = src.indexOf(token);
>>> + var part = src.substring(index + token.length);
>>> + var domain = "";
>>> +
>>> + /** parse up to end, first slash, or anchor **/
>>> + for(var i=0; i<part.length; i++) {
>>> + var character = part.charAt(i);
>>> +
>>> + if(character == '/' || character == ':' || character ==
>>> '#') {
>>> + break;
>>> + } else {
>>> + domain += character;
>>> + }
>>> + }
>>> +
>>> + result = isValidDomain(document.domain, domain);
>>> + /** explicitly skip anchors **/
>>> + } else if(src.charAt(0) == '#') {
>>> + result = false;
>>> + /** ensure it is a local resource without a protocol **/
>>> + } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
>>> src.indexOf(':') == -1)) {
>>> + result = true;
>>> + }
>>> +
>>> + return result;
>>> + }
>>> +
>>> + /** parse uri from url **/
>>> + function parseUri(url) {
>>> + var uri = "";
>>> + var token = "://";
>>> + var index = url.indexOf(token);
>>> + var part = "";
>>> +
>>> + /**
>>> + * ensure to skip protocol and prepend context path for
>>> non-qualified
>>> + * resources (ex: "protect.html" vs
>>> + * "/Owasp.CsrfGuard.Test/protect.html").
>>> + */
>>> + if(index > 0) {
>>> + part = url.substring(index + token.length);
>>> + } else if(url.charAt(0) != '/') {
>>> + part = "%CONTEXT_PATH%/" + url;
>>> + } else {
>>> + part = url;
>>> + }
>>> +
>>> + /** parse up to end or query string **/
>>> + var uriContext = (index == -1);
>>> +
>>> + for(var i=0; i<part.length; i++) {
>>> + var character = part.charAt(i);
>>> +
>>> + if(character == '/') {
>>> + uriContext = true;
>>> + } else if(uriContext == true && (character == '?' ||
>>> character == '#')) {
>>> + uriContext = false;
>>> + break;
>>> + }
>>> +
>>> + if(uriContext == true) {
>>> + uri += character;
>>> + }
>>> + }
>>> +
>>> + return uri;
>>> + }
>>> +
>>> + /** inject tokens as hidden fields into forms **/
>>> + function injectTokenForm(form, tokenName, tokenValue,
>>> pageTokens,injectGetForms) {
>>> +
>>> + if (!injectGetForms) {
>>> + var method = form.getAttribute("method");
>>> +
>>> + if ((typeof method != 'undefined') && method != null &&
>>> method.toLowerCase() == "get") {
>>> + return;
>>> + }
>>> + }
>>> +
>>> + var value = tokenValue;
>>> + var action = form.getAttribute("action");
>>> +
>>> + if(action != null && isValidUrl(action)) {
>>> + var uri = parseUri(action);
>>> + value = pageTokens[uri] != null ? pageTokens[uri] :
>>> tokenValue;
>>> + }
>>> +
>>> + var hidden = document.createElement("input");
>>> +
>>> + hidden.setAttribute("type", "hidden");
>>> + hidden.setAttribute("name", tokenName);
>>> + hidden.setAttribute("value", value);
>>> +
>>> + form.appendChild(hidden);
>>> + }
>>> +
>>> + /** inject tokens as query string parameters into url **/
>>> + function injectTokenAttribute(element, attr, tokenName, tokenValue,
>>> pageTokens) {
>>> + var location = element.getAttribute(attr);
>>> +
>>> + if(location != null && isValidUrl(location)) {
>>> + var uri = parseUri(location);
>>> + var value = (pageTokens[uri] != null ? pageTokens[uri] :
>>> tokenValue);
>>> +
>>> + if(location.indexOf('?') != -1) {
>>> + location = location + '&' + tokenName + '=' + value;
>>> + } else {
>>> + location = location + '?' + tokenName + '=' + value;
>>> + }
>>> +
>>> + try {
>>> + element.setAttribute(attr, location);
>>> + } catch (e) {
>>> + // attempted to set/update unsupported attribute
>>> + }
>>> + }
>>> + }
>>> +
>>> + /** inject csrf prevention tokens throughout dom **/
>>> + function injectTokens(tokenName, tokenValue) {
>>> + /** obtain reference to page tokens if enabled **/
>>> + var pageTokens = {};
>>> +
>>> + if(%TOKENS_PER_PAGE% == true) {
>>> + pageTokens = requestPageTokens();
>>> + }
>>> +
>>> + /** iterate over all elements and injection token **/
>>> + var all = document.all ? document.all :
>>> document.getElementsByTagName('*');
>>> + var len = all.length;
>>> +
>>> + //these are read from the csrf guard config file(s)
>>> + var injectForms = %INJECT_FORMS%;
>>> + var injectGetForms = %INJECT_GET_FORMS%;
>>> + var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
>>> + var injectAttributes = %INJECT_ATTRIBUTES%;
>>> +
>>> + for(var i=0; i<len; i++) {
>>> + var element = all[i];
>>> +
>>> + /** inject into form **/
>>> + if(element.tagName.toLowerCase() == "form") {
>>> + if(injectForms) {
>>> + injectTokenForm(element, tokenName, tokenValue,
>>> pageTokens,injectGetForms);
>>> + }
>>> + if (injectFormAttributes) {
>>> + injectTokenAttribute(element, "action", tokenName,
>>> tokenValue, pageTokens);
>>> + }
>>> + /** inject into attribute **/
>>> + } else if(injectAttributes) {
>>> + injectTokenAttribute(element, "src", tokenName,
>>> tokenValue, pageTokens);
>>> + injectTokenAttribute(element, "href", tokenName,
>>> tokenValue, pageTokens);
>>> + }
>>> + }
>>> + }
>>> +
>>> + /** obtain array of page specific tokens **/
>>> + function requestPageTokens() {
>>> + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest :
>>> new
>>> window.ActiveXObject("Microsoft.XMLHTTP");
>>> + var pageTokens = {};
>>> +
>>> + xhr.open("POST", "%SERVLET_PATH%", false);
>>> + xhr.send(null);
>>> +
>>> + var text = xhr.responseText;
>>> + var name = "";
>>> + var value = "";
>>> + var nameContext = true;
>>> +
>>> + for(var i=0; i<text.length; i++) {
>>> + var character = text.charAt(i);
>>> +
>>> + if(character == ':') {
>>> + nameContext = false;
>>> + } else if(character != ',') {
>>> + if(nameContext == true) {
>>> + name += character;
>>> + } else {
>>> + value += character;
>>> + }
>>> + }
>>> +
>>> + if(character == ',' || (i + 1) >= text.length) {
>>> + pageTokens[name] = value;
>>> + name = "";
>>> + value = "";
>>> + nameContext = true;
>>> + }
>>> + }
>>> +
>>> + return pageTokens;
>>> + }
>>> +
>>> + /**
>>> + * Only inject the tokens if the JavaScript was referenced from HTML
>>> that
>>> + * was served by us. Otherwise, the code was referenced from
>>> malicious HTML
>>> + * which may be trying to steal tokens using JavaScript hijacking
>>> techniques.
>>> + * The token is now removed and fetched using another POST request
>>> to
>>> solve,
>>> + * the token hijacking problem.
>>> + */
>>> + if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
>>> + /** optionally include Ajax support **/
>>> + if(%INJECT_XHR% == true) {
>>> + if(navigator.appName == "Microsoft Internet Explorer") {
>>> + hijackExplorer();
>>> + } else {
>>> + hijackStandard();
>>> + }
>>> +
>>> + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest :
>>> new
>>> window.ActiveXObject("Microsoft.XMLHTTP");
>>> + var csrfToken = {};
>>> + xhr.open("POST", "%SERVLET_PATH%", false);
>>> + xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
>>> + xhr.send(null);
>>> +
>>> + var token_pair = xhr.responseText;
>>> + token_pair = token_pair.split(":");
>>> + var token_name = token_pair[0];
>>> + var token_value = token_pair[1];
>>> +
>>> + XMLHttpRequest.prototype.onsend = function(data) {
>>> + if(isValidUrl(this.url)) {
>>> + this.setRequestHeader("X-Requested-With",
>>> "XMLHttpRequest")
>>> + this.setRequestHeader(token_name, token_value);
>>> + }
>>> + };
>>> + }
>>> +
>>> + /** update nodes in DOM after load **/
>>> + addEvent(window,'unload',EventCache.flush);
>>> + addEvent(window,'DOMContentLoaded', function() {
>>> + injectTokens(token_name, token_value);
>>> + });
>>> + } else {
>>> + alert("OWASP CSRFGuard JavaScript was included from within an
>>> unauthorized domain!");
>>> + }
>>> +})();
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> ------------------------------------------------------------
>>> ------------------
>>> svn:eol-style = native
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> ------------------------------------------------------------
>>> ------------------
>>> svn:keywords = Date Rev Author URL Id
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> ------------------------------------------------------------
>>> ------------------
>>> svn:mime-type = text/plain
>>>
>>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.
>>> properties?rev=1781366&view=auto
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.properties
>>> (added)
>>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.properties
>>> Thu Feb 2 10:33:59 2017
>>> @@ -0,0 +1,417 @@
>>> +# The OWASP CSRFGuard Project, BSD License
>>> +# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
>>> +# All rights reserved.
>>> +#
>>> +# Redistribution and use in source and binary forms, with or without
>>> +# modification, are permitted provided that the following conditions are
>>> met:
>>> +#
>>> +# 1. Redistributions of source code must retain the above copyright
>>> notice,
>>> +# this list of conditions and the following disclaimer.
>>> +# 2. Redistributions in binary form must reproduce the above copyright
>>> +# notice, this list of conditions and the following disclaimer in the
>>> +# documentation and/or other materials provided with the
>>> distribution.
>>> +# 3. Neither the name of OWASP nor the names of its contributors may be
>>> used
>>> +# to endorse or promote products derived from this software without
>>> specific
>>> +# prior written permission.
>>> +#
>>> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>>> "AS
>>> IS"
>>> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>>> THE
>>> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>>> PURPOSE
>>> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
>>> BE LIABLE
>>> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>> CONSEQUENTIAL DAMAGES
>>> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>>> SERVICES;
>>> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>>> CAUSED
>>> AND ON
>>> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
>>> TORT
>>> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>>> OF THIS
>>> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>> +
>>> +# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/
>>> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
>>> +
>>> +# Common substitutions
>>> +# %servletContext% is the servlet context (e.g. the configured app
>>> prefix or war file name, or blank.
>>> +# e.g. if you deploy a default warfile as someApp.war, then
>>> %servletContext% will be /someApp
>>> +# if there isnt a context it will be the empty string. So to use this
>>> in
>>> the configuration, use e.g. %servletContext%/something.html
>>> +# which will translate to e.g. /someApp/something.html
>>> +
>>> +# Logger
>>> +#
>>> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified
>>> class name of
>>> +# the object responsible for processing all log messages produced by
>>> CSRFGuard. The default
>>> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class
>>> logs all messages
>>> +# to System.out which JavaEE application servers redirect to a vendor
>>> specific log file.
>>> +# Developers can customize the logging behavior of CSRFGuard by
>>> implementing the
>>> +# org.owasp.csrfguard.log.ILogger interface and setting the logger
>>> property to the new
>>> +# logger's qualified class name. The following configuration snippet
>>> instructs OWASP CSRFGuard
>>> +# to capture all log messages to the console:
>>> +#
>>> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
>>> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
>>> +
>>> +# Which configuration provider factory you want to use. The default is
>>> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
>>> +# Another configuration provider has more features including config
>>> overlays: org.owasp.csrfguard.config.overlay.
>>> ConfigurationOverlayProviderFactory
>>> +# The default configuration provider is: org.owasp.csrfguard.config.
>>> overlay.ConfigurationAutodetectProviderFactory
>>> +# which will look for an overlay file, it is there, and the factory
>>> inside that file is set it will use it, otherwise will be
>>> PropertiesConfigurationProviderFactory
>>> +# it needs to implement org.owasp.csrfguard.config.
>>> ConfigurationProviderFactory
>>> +org.owasp.csrfguard.configuration.provider.factory =
>>> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectPr
>>> oviderFactory
>>> +
>>> +
>>> +# If csrfguard filter is enabled
>>> +org.owasp.csrfguard.Enabled = false
>>> +
>>> +# If csrf guard filter should check even if there is no session for the
>>> user
>>> +# Note: this changed around 2014/04, the default behavior used to be to
>>> +# not check if there is no session. If you want the legacy behavior (if
>>> your app
>>> +# is not susceptible to CSRF if the user has no session), set this to
>>> false
>>> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true
>>> +
>>> +# New Token Landing Page
>>> +#
>>> +# The new token landing page property (org.owasp.csrfguard.NewTokenL
>>> andingPage)
>>> defines where
>>> +# to send a user if the token is being generated for the first time, and
>>> the use new token landing
>>> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage)
>>> determines if any redirect happens.
>>> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not
>>> specified, and to true
>>> +# if it is specified.. If UseNewTokenLandingPage is set true then this
>>> request is generated
>>> +# using auto-posting forms and will only contain the CSRF prevention
>>> token parameter, if
>>> +# applicable. All query-string or form parameters sent with the original
>>> request will be
>>> +# discarded. If this property is not defined, CSRFGuard will instead
>>> auto-post the user to the
>>> +# original context and servlet path. The following configuration snippet
>>> instructs OWASP CSRFGuard to
>>> +# redirect the user to %servletContext%/index.html when the user visits
>>> a
>>> protected resource
>>> +# without having a corresponding CSRF token present in the HttpSession
>>> object:
>>> +#
>>> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/
>>> control/login/*
>>> +
>>> +# Protected Methods
>>> +#
>>> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods)
>>> defines a comma
>>> +# separated list of HTTP request methods that should be protected by
>>> CSRFGuard. The default
>>> +# list is an empty list which will cause all HTTP methods to be
>>> protected, thus preserving
>>> +# legacy behavior. This setting allows the user to inform CSRFGuard that
>>> only requests of the
>>> +# given types should be considered for protection. All HTTP methods not
>>> in the list will be
>>> +# considered safe (i.e. view only / unable to modify data). This should
>>> be used only when the
>>> +# user has concrete knowledge that all requests made via methods not in
>>> the list
>>> +# are safe (i.e. do not apply an action to any data) since it can
>>> actually introduce new
>>> +# security vulnerabilities. For example: the user thinks that all
>>> actionable requests are
>>> +# only available by POST requests when in fact some are available via
>>> GET
>>> requests. If the
>>> +# user has excluded GET requests from the list then they have introduced
>>> a vulnerability.
>>> +# The following configuration snippet instructs OWASP CSRFGuard to
>>> protect only the POST,
>>> +# PUT, and DELETE HTTP methods.
>>> +#
>>> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
>>> +
>>> +# or you can configure all to be protected, and specify which is
>>> unprotected. This is the preferred approach
>>> +
>>> +# org.owasp.csrfguard.UnprotectedMethods=GET
>>> +
>>> +# Unique Per-Page Tokens
>>> +#
>>> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage)
>>> is a boolean value that
>>> +# determines if CSRFGuard should make use of unique per-page (i.e. URI)
>>> prevention tokens as
>>> +# opposed to unique per-session prevention tokens. When a user requests
>>> a
>>> protected resource,
>>> +# CSRFGuard will determine if a page specific token has been previously
>>> generated. If a page
>>> +# specific token has not yet been previously generated, CSRFGuard will
>>> verify the request was
>>> +# submitted with the per-session token intact. After verifying the
>>> presence of the per-session token,
>>> +# CSRFGuard will create a page specific token that is required for all
>>> subsequent requests to the
>>> +# associated resource. The per-session CSRF token can only be used when
>>> requesting a resource for
>>> +# the first time. All subsequent requests must have the per-page token
>>> intact or the request will
>>> +# be treated as a CSRF attack. This behavior can be changed with the
>>> org.owasp.csrfguard.TokenPerPagePrecreate
>>> +# property. Enabling this property will make CSRFGuard calculate the per
>>> page token prior to a first
>>> +# visit. This option only works with JSTL token injection and is useful
>>> for preserving the validity of
>>> +# links if the user pushes the back button. There may be a performance
>>> impact when enabling this option
>>> +# if the .jsp has a large number of proctected links that need tokens to
>>> be calculated.
>>> +# Use of the unique token per page property is currently experimental
>>> +# but provides a significant amount of improved security. Consider the
>>> exposure of a CSRF token using
>>> +# the legacy unique per-session model. Exposure of this token
>>> facilitates
>>> the attacker's ability to
>>> +# carry out a CSRF attack against the victim's active session for any
>>> resource exposed by the web
>>> +# application. Now consider the exposure of a CSRF token using the
>>> experimental unique token per-page
>>> +# model. Exposure of this token would only allow the attacker to carry
>>> out a CSRF attack against the
>>> +# victim's active session for a small subset of resources exposed by the
>>> web application. Use of the
>>> +# unique token per-page property is a strong defense in depth strategy
>>> significantly reducing the
>>> +# impact of exposed CSRF prevention tokens. The following configuration
>>> snippet instructs OWASP
>>> +# CSRFGuard to utilize the unique token per-page model:
>>> +#
>>> +# org.owasp.csrfguard.TokenPerPage=true
>>> +# org.owasp.csrfguard.TokenPerPagePrecreate=false
>>> +org.owasp.csrfguard.TokenPerPage=true
>>> +org.owasp.csrfguard.TokenPerPagePrecreate=false
>>> +
>>> +# Token Rotation
>>> +#
>>> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean
>>> value that determines if
>>> +# CSRFGuard should generate and utilize a new token after verifying the
>>> previous token. Rotation
>>> +# helps minimize the window of opportunity an attacker has to leverage
>>> the victim's stolen token
>>> +# in a targeted CSRF attack. However, this functionality generally
>>> causes
>>> navigation problems in
>>> +# most applications. Specifically, the 'Back' button in the browser will
>>> often cease to function
>>> +# properly. When a user hits the 'Back' button and interacts with the
>>> HTML, the browser may submit
>>> +# an old token causing CSRFGuard to incorrectly believe this request is
>>> a
>>> CSRF attack in progress
>>> +# (i.e. a 'false positive'). Users can prevent this scenario by
>>> preventing the caching of HTML pages
>>> +# containing FORM submissions using the cache-control header. However,
>>> this may also introduce
>>> +# performance problems as the browser will have to request HTML on a
>>> more
>>> frequent basis. The following
>>> +# configuration snippet enables token rotation:
>>> +#
>>> +# org.owasp.csrfguard.Rotate=true
>>> +
>>> +# Ajax and XMLHttpRequest Support
>>> +#
>>> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that
>>> indicates whether or not OWASP
>>> +# CSRFGuard should support the injection and verification of unique
>>> per-session prevention tokens for
>>> +# XMLHttpRequests. To leverage Ajax support, the user must not only set
>>> this property to true but must
>>> +# also reference the JavaScript DOM Manipulation code using a script
>>> element. This dynamic script will
>>> +# override the send method of the XMLHttpRequest object to ensure the
>>> submission of an X-Requested-With
>>> +# header name value pair coupled with the submission of a custom header
>>> name value pair for each request.
>>> +# The name of the custom header is the value of the token name property
>>> and the value of the header is
>>> +# always the unique per-session token value. This custom header is
>>> analogous to the HTTP parameter name
>>> +# value pairs submitted via traditional GET and POST requests. If the
>>> X-Requested-With header was sent
>>> +# in the HTTP request, then CSRFGuard will look for the presence and
>>> ensure the validity of the unique
>>> +# per-session token in the custom header name value pair. Note that
>>> verification of these headers takes
>>> +# precedence over verification of the CSRF token supplied as an HTTP
>>> parameter. More specifically,
>>> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax
>>> support property is enabled and
>>> +# the corresponding X-Requested-With and custom headers are embedded
>>> within the request. The following
>>> +# configuration snippet instructs OWASP CSRFGuard to support Ajax
>>> requests by verifying the presence and
>>> +# correctness of the X-Requested-With and custom headers:
>>> +#
>>> +# org.owasp.csrfguard.Ajax=true
>>> +org.owasp.csrfguard.Ajax=true
>>> +
>>> +# The default behavior of CSRFGuard is to protect all pages. Pages
>>> marked
>>> as unprotected will not be protected.
>>> +# If the Protect property is enabled, this behavior is reversed. Pages
>>> must be marked as protected to be protected.
>>> +# All other pages will not be protected. This is useful when the
>>> CsrfGuardFilter is aggressively mapped (ex: /*),
>>> +# but you only want to protect a few pages.
>>> +#
>>> +# org.owasp.csrfguard.Protect=true
>>> +
>>> +# Unprotected Pages:
>>> +#
>>> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*)
>>> defines a series of pages that
>>> +# should not be protected by CSRFGuard. Such configurations are useful
>>> when the CsrfGuardFilter is
>>> +# aggressively mapped (ex: /*). The syntax of the property name is
>>> org.owasp.csrfguard.unprotected.[PageName],
>>> +# where PageName is some arbitrary identifier that can be used to
>>> reference a resource. The syntax of
>>> +# defining the uri of unprotected pages is the same as the syntax used
>>> by
>>> the JavaEE container for uri mapping.
>>> +# Specifically, CSRFGuard will identify the first match (if any) between
>>> the requested uri and an unprotected
>>> +# page in order of declaration. Match criteria is as follows:
>>> +#
>>> +# Case 1: exact match between request uri and unprotected page
>>> +# Case 2: longest path prefix match, beginning / and ending /*
>>> +# Case 3: extension match, beginning *.
>>> +# Case 4: if the value starts with ^ and ends with $, it will be
>>> evaulated as a regex. Note that before the
>>> +# regex is compiled, any common variables will be substituted (e.g.
>>> %servletContext%)
>>> +# Default: requested resource must be validated by CSRFGuard
>>> +#
>>> +# The following code snippet illustrates the four use cases over four
>>> examples. The first two examples
>>> +# (Tag and JavaScriptServlet) look for direct URI matches. The third
>>> example (Html) looks for all resources
>>> +# ending in a .html extension. The next example (Public) looks for all
>>> resources prefixed with the URI path /MySite/Public/*.
>>> +# The last example looks for resources that end in Public.do
>>> +#
>>> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>>> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/
>>> JavaScriptServlet
>>> +# org.owasp.csrfguard.unprotected.Html=*.html
>>> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
>>> +# regex example starts with ^ and ends with $, and the %servletContext%
>>> is evaluated before the regex
>>> +# org.owasp.csrfguard.unprotected.PublicServlet=^%
>>> servletContext%/.*Public\.do$
>>> +
>>> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/
>>> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
>>> +org.owasp.csrfguard.unprotected.JavaScriptServlet=
>>> %servletContext%/control/JavaScriptServlet
>>> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
>>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
>>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
>>> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
>>> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext
>>> %/javascript.
>>> html
>>> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>>> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
>>> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
>>> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
>>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
>>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/
>>> control/login/*
>>> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
>>> +
>>> +# Actions: Responding to Attacks
>>> +#
>>> +# The actions directive (org.owasp.csrfguard.action.*) gives the user
>>> the
>>> ability to specify one or more
>>> +# actions that should be invoked when a CSRF attack is detected. Every
>>> action must implement the
>>> +# org.owasp.csrfguard.action.IAction interface either directly or
>>> indirectly through the
>>> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions
>>> accept parameters that can be specified
>>> +# along with the action class declaration. These parameters are consumed
>>> at runtime and impact the behavior of
>>> +# the associated action.
>>> +#
>>> +# The syntax for defining and configuring CSRFGuard actions is
>>> relatively
>>> straight forward. Let us assume we wish
>>> +# to redirect the user to a default page when a CSRF attack is detected.
>>> A redirect action already exists within
>>> +# the CSRFGuard bundle and is available via the class name
>>> org.owasp.csrfguard.actions.Redirect. In order to enable
>>> +# this action, we capture the following declaration in the
>>> Owasp.CsrfGuard.properties file:
>>> +#
>>> +# syntax: org.owasp.csrfguard.action.[actionName]=[className]
>>> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.
>>> csrfguard.actions.Redirect
>>> +#
>>> +# The aforementioned directive declares an action called "Redirect"
>>> (i.e.
>>> [actionName]) referencing the Java class
>>> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a
>>> CSRF attack is detected, the Redirect action
>>> +# will be executed. You may be asking yourself, "but how do I specify
>>> where the user is redirected?"; this is where
>>> +# action parameters come into play. In order to specify the redirect
>>> location, we capture the following declaration
>>> +# in the Owasp.CsrfGuard.properties file:
>>> +#
>>> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[
>>> parameterValue]
>>> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%
>>> servletContext%/error.html
>>> +#
>>> +# The aforementioned directive declares an action parameter called
>>> "ErrorPage" (i.e. [parameterName]) with the value
>>> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the
>>> action
>>> "Redirect" (i.e. [actionName]). The
>>> +# Redirect action expects the "ErrorPage" parameter to be defined and
>>> will redirect the user to this location when
>>> +# an attack is detected.
>>> +#
>>> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
>>> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>>> +org.owasp.csrfguard.action.Log.Message=potential cross-site request
>>> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
>>> method:%request_method%, uri:%request_uri%, error:%exception_message%)
>>> +#org.owasp.csrfguard.action.Invalidate=org.owasp.
>>> csrfguard.action.Invalidate
>>> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.ac
>>> tion.Redirect
>>> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
>>> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrf
>>> guard.action.
>>> RequestAttribute
>>> +#org.owasp.csrfguard.action.RequestAttribute.
>>> AttributeName=Owasp_CsrfGuard_Exception_Key
>>> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>>> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.
>>> SessionAttribute
>>> +org.owasp.csrfguard.action.SessionAttribute.
>>> AttributeName=Owasp_CsrfGuard_Exception_Key
>>> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
>>> +#org.owasp.csrfguard.action.Error.Code=403
>>> +#org.owasp.csrfguard.action.Error.Message=Security violation.
>>> +
>>> +# Token Name
>>> +#
>>> +# The token name property (org.owasp.csrfguard.TokenName) defines the
>>> name of the HTTP parameter
>>> +# to contain the value of the OWASP CSRFGuard token for each request.
>>> The
>>> following configuration
>>> +# snippet sets the CSRFGuard token parameter name to the value
>>> OWASP_CSRFTOKEN:
>>> +#
>>> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>>> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>>> +
>>> +# Session Key
>>> +#
>>> +# The session key property (org.owasp.csrfguard.SessionKey) defines the
>>> string literal used to save
>>> +# and lookup the CSRFGuard token from the session. This value is used by
>>> the filter and the tag
>>> +# libraries to retrieve and set the token value in the session.
>>> Developers can use this key to
>>> +# programmatically lookup the token within their own code. The following
>>> configuration snippet sets
>>> +# the session key to the value OWASP_CSRFTOKEN:
>>> +#
>>> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>>> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>>> +
>>> +# Token Length
>>> +#
>>> +# The token length property (org.owasp.csrfguard.TokenLength) defines
>>> the number of characters that
>>> +# should be found within the CSRFGuard token. Note that characters are
>>> delimited by dashes (-) in groups
>>> +# of four. For cosmetic reasons, users are encourage to ensure the token
>>> length is divisible by four.
>>> +# The following configuration snippet sets the token length property to
>>> 32 characters:
>>> +#
>>> +# org.owasp.csrfguard.TokenLength=32
>>> +org.owasp.csrfguard.TokenLength=32
>>> +
>>> +# Pseudo-random Number Generator
>>> +#
>>> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG)
>>> defines what PRNG should be used
>>> +# to generate the OWASP CSRFGuard token. Always ensure this value
>>> references a cryptographically strong
>>> +# pseudo-random number generator algorithm. The following configuration
>>> snippet sets the pseudo-random number
>>> +# generator to SHA1PRNG:
>>> +#
>>> +# org.owasp.csrfguard.PRNG=SHA1PRNG
>>> +org.owasp.csrfguard.PRNG=SHA1PRNG
>>> +
>>> +# Pseudo-random Number Generator Provider
>>> +
>>> +# The pseudo-random number generator provider property
>>> (org.owasp.csrfguard.PRNG.Provider) defines which
>>> +# provider's implementation of org.owasp.csrfguard.PRNG we should
>>> utilize. The following configuration
>>> +# snippet instructs the JVM to leverage SUN's implementation of the
>>> algorithm denoted by the
>>> +# org.owasp.csrfguard.PRNG property:
>>> +
>>> +# org.owasp.csrfguard.PRNG.Provider=SUN
>>> +org.owasp.csrfguard.PRNG.Provider=SUN
>>> +
>>> +# If not specifying the print config option in the web.xml, you can
>>> specify it here, to print the config
>>> +# on startup
>>> +org.owasp.csrfguard.Config.Print = true
>>> +
>>> +###########################
>>> +## Javascript servlet settings if not set in web.xml
>>> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
>>> +###########################
>>> +
>>> +# leave this blank and blank in web.xml and it will read from
>>> META-INF/csrfguard.js from the jarfile
>>> +# Denotes the location of the JavaScript template file that should be
>>> consumed and dynamically
>>> +# augmented by the JavaScriptServlet class. The default value is
>>> WEB-INF/Owasp.CsrfGuard.js.
>>> +# Use of this property and the existence of the specified template file
>>> is required.
>>> +#org.owasp.csrfguard.JavascriptServlet.sourceFile =
>>> WEB-INF/Owasp.CsrfGuard.js
>>> +org.owasp.csrfguard.JavascriptServlet.sourceFile =
>>> WEB-INF/Owasp.CsrfGuard.js
>>> +
>>> +# Boolean value that determines whether or not the dynamic JavaScript
>>> code should be strict
>>> +# with regards to what links it should inject the CSRF prevention token.
>>> With a value of true,
>>> +# the JavaScript code will only place the token in links that point to
>>> the same exact domain
>>> +# from which the HTML originated. With a value of false, the JavaScript
>>> code will place the
>>> +# token in links that not only point to the same exact domain from which
>>> the HTML originated,
>>> +# but sub-domains as well.
>>> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true
>>> +
>>> +# Allows the developer to specify the value of the Cache-Control header
>>> in the HTTP response
>>> +# when serving the dynamic JavaScript file. The default value is
>>> private,
>>> maxage=28800.
>>> +# Caching of the dynamic JavaScript file is intended to minimize traffic
>>> and improve performance.
>>> +# Note that the Cache-Control header is always set to "no-store" when
>>> either the "Rotate"
>>> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
>>> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private,
>>> maxage=28800
>>> +
>>> +# Allows the developer to specify a regular expression describing the
>>> required value of the
>>> +# Referer header. Any attempts to access the servlet with a Referer
>>> header that does not
>>> +# match the captured expression is discarded. Inclusion of referer
>>> header
>>> checking is to
>>> +# help minimize the risk of JavaScript Hijacking attacks that attempt to
>>> steal tokens from
>>> +# the dynamically generated JavaScript. While the primary defenses
>>> against JavaScript
>>> +# Hijacking attacks are implemented within the dynamic JavaScript
>>> itself,
>>> referer header
>>> +# checking is implemented to achieve defense in depth.
>>> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
>>> +
>>> +# Similar to javascript servlet referer pattern, but this will make sure
>>> the referer of the
>>> +# javascript servlet matches the domain of the request. If there is no
>>> referer (proxy strips it?)
>>> +# then it will not fail. Generally this is a good idea to be true.
>>> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
>>> +
>>> +# Boolean value that determines whether or not the dynamic JavaScript
>>> code should
>>> +# inject the CSRF prevention token as a hidden field into HTML forms.
>>> The
>>> default
>>> +# value is true. Developers are strongly discouraged from disabling this
>>> property
>>> +# as most server-side state changing actions are triggered via a POST
>>> request.
>>> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
>>> +
>>> +# if the token should be injected in GET forms (which will be on the
>>> URL)
>>> +# if the HTTP method GET is unprotected, then this should likely be
>>> false
>>> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
>>> +
>>> +# if the token should be injected in the action in forms
>>> +# note, if injectIntoForms is true, then this might not need to be true
>>> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
>>> +
>>> +
>>> +# Boolean value that determines whether or not the dynamic JavaScript
>>> code should
>>> +# inject the CSRF prevention token in the query string of src and href
>>> attributes.
>>> +# Injecting the CSRF prevention token in a URL resource increases its
>>> general risk
>>> +# of exposure to unauthorized parties. However, most JavaEE web
>>> applications respond
>>> +# in the exact same manner to HTTP requests and their associated
>>> parameters regardless
>>> +# of the HTTP method. The risk associated with not protecting GET
>>> requests in this
>>> +# situation is perceived greater than the risk of exposing the token in
>>> protected GET
>>> +# requests. As a result, the default value of this attribute is set to
>>> true. Developers
>>> +# that are confident their server-side state changing controllers will
>>> only respond to
>>> +# POST requests (i.e. discarding GET requests) are strongly encouraged
>>> to
>>> disable this property.
>>> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
>>> +
>>> +
>>> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard
>>> Project
>>> +
>>> +###########################
>>> +## Config overlay settings if you have the provider above set to
>>> ConfigurationOverlayProvider
>>> +## This CSRF config provider uses Internet2 Configuration Overlays
>>> (documented on Internet2 wiki)
>>> +## By default the configuration is read from the
>>> Owasp.CsrfGuard.properties
>>> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.proper
>>> ties
>>> overlays
>>> +## the base settings. See the Owasp.CsrfGuard.properties for the
>>> possible
>>> +## settings that can be applied to the Owasp.CsrfGuard.overlay.proper
>>> ties
>>> +###########################
>>> +
>>> +# comma separated config files that override each other (files on the
>>> right override the left)
>>> +# each should start with file: or classpath:
>>> +# e.g. classpath:Owasp.CsrfGuard.properties,
>>> file:c:/temp/myFile.properties
>>> +org.owasp.csrfguard.configOverlay.hierarchy =
>>> classpath:Owasp.CsrfGuard.properties,
>>> classpath:Owasp.CsrfGuard.overlay.properties
>>> +
>>> +# seconds between checking to see if the config files are updated
>>> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
>>> +
>>> +
>>> +###########################
>>> +
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> ------------------------------------------------------------
>>> ------------------
>>> svn:eol-style = native
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> ------------------------------------------------------------
>>> ------------------
>>> svn:keywords = Date Rev Author URL Id
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> ------------------------------------------------------------
>>> ------------------
>>> svn:mime-type = text/plain
>>>
>>>
>>>
>>>
>
Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk:
applications/content/widget/compdoc/ applications/content/widget/content/
applications/product/template/ applications/product/template/store/
applications/product/webapp/catalog/WEB-INF/ framework/base/src/...
Posted by gil portenseigne <gi...@nereide.fr>.
Hello Pranay,
Jacques reverted it right afterwards; he did not commit it on purpose.
Regards,
Gil
Le 02/02/2017 à 13:52, Pranay Pandey a écrit :
> ??
>
> Log:
> Implemented:
> Improved:
> Documented:
> Completed:
> Reverted:
> Fixed:
> (OFBIZ-)
> Explanation
> Thanks:
>
> Best regards,
>
> Pranay Pandey
> HotWax Systems
> http://www.hotwaxsystems.com/
>
> On Thu, Feb 2, 2017 at 4:03 PM, <jl...@apache.org> wrote:
>
>> Author: jleroux
>> Date: Thu Feb 2 10:33:59 2017
>> New Revision: 1781366
>>
>> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
>> Log:
>> Implemented:
>> Improved:
>> Documented:
>> Completed:
>> Reverted:
>> Fixed:
>> (OFBIZ-)
>> Explanation
>> Thanks:
>>
>> Added:
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>> (with props)
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>> (with props)
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller -
>> Copie.xml (with props)
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
>> Copie.xml (with props)
>> ofbiz/trunk/framework/webapp/config/requestHandler -
>> Copie.properties (with props)
>> ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with props)
>> Modified:
>> ofbiz/trunk/applications/content/widget/compdoc/
>> CompDocTemplateTree.xml
>> ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>> ofbiz/trunk/applications/product/template/Main.ftl
>> ofbiz/trunk/applications/product/template/store/
>> EditProductStoreWebSites.ftl
>> ofbiz/trunk/framework/base/src/main/java/org/apache/
>> ofbiz/base/util/template/FreeMarkerWorker.java
>> ofbiz/trunk/framework/minilang/src/main/java/org/
>> apache/ofbiz/minilang/method/entityops/EntityOne.java
>> ofbiz/trunk/framework/widget/dtd/widget-common.xsd
>> ofbiz/trunk/framework/widget/src/main/java/org/apache/
>> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>>
>> Modified: ofbiz/trunk/applications/content/widget/compdoc/
>> CompDocTemplateTree.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> content/widget/compdoc/CompDocTemplateTree.xml?rev=
>> 1781366&r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
>> (original)
>> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
>> Thu Feb 2 10:33:59 2017
>> @@ -22,7 +22,7 @@ under the License.
>> <tree name="CompDocTemplateTree" entity-name="Content"
>> root-node-name="node-root"
>> default-render-style="simple" default-wrap-style="treeWrapper">
>> <node name="node-root" wrap-style="treeWrapper">
>> - <entity-one entity-name="Content" use-cache="false">
>> + <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>> <field-map field-name="contentId"
>> from-field="rootContentId"/>
>> </entity-one>
>> <include-screen name="rootTemplateLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>> @@ -54,7 +54,7 @@ under the License.
>> </sub-node>
>> </node>
>> <node name="node-body" join-field-name="itemContentId"
>> entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
>> - <entity-one entity-name="Content" use-cache="false">
>> + <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>> <field-map field-name="contentId"
>> from-field="itemContentId"/>
>> </entity-one>
>> <include-screen name="childTemplateLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>> @@ -90,7 +90,7 @@ under the License.
>> <tree name="CompDocInstanceTree" entity-name="Content"
>> root-node-name="node-root"
>> default-render-style="simple" default-wrap-style="treeWrapper">
>> <node name="node-root">
>> - <entity-one entity-name="Content" use-cache="false">
>> + <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>> <field-map field-name="contentId"
>> from-field="instanceContent.instanceOfContentId"/>
>> </entity-one>
>> <include-screen name="rootInstanceLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>> @@ -122,7 +122,7 @@ under the License.
>> </sub-node>
>> </node>
>> <node name="node-body" join-field-name="itemContentId"
>> entity-name="AssocRevisionItemView">
>> - <entity-one entity-name="Content" use-cache="false">
>> + <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>> <field-map field-name="contentId"
>> from-field="itemContentId"/>
>> </entity-one>
>> <include-screen name="childInstanceLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>
>> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> content/widget/content/ContentForms.xml?rev=1781366&
>> r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>> (original)
>> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu
>> Feb 2 10:33:59 2017
>> @@ -230,9 +230,9 @@ under the License.
>> </form>
>> <!-- ContentAssoc forms -->
>> <form name="EditContentAssoc" target="updateContentAssoc" title=""
>> type="single"
>> - header-row-style="header-row" default-table-style="basic-table">
>> + header-row-style="header-row" default-table-style="basic-table"
>> default-entity-name="contentAssocX">
>> <actions>
>> - <entity-one entity-name="ContentAssoc" use-cache="true">
>> + <entity-one entity-name="ContentAssoc" use-cache="true"
>> value-field="contentAssoc">
>> <field-map field-name="contentId" from-field="contentId"/>
>> <field-map field-name="contentIdTo"
>> from-field="contentIdTo"/>
>> <field-map field-name="contentAssocTypeId" from-field="
>> contentAssocTypeId"/>
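Review bot: `default-entity-name="contentAssocX"` on the EditContentAssoc form does not look like a real entity name; the actions block right below it loads `ContentAssoc`, and the trailing `X` reads as a scratch value left over from local testing rather than something the form widget can resolve. If the intent is to let the form infer field types from the entity, the attribute should presumably be `default-entity-name="ContentAssoc"`; otherwise drop it and keep only the new `value-field="contentAssoc"` on the `<entity-one>`. The rest of the form definition lies outside this hunk, so I cannot see whether any field relies on the placeholder name.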
>>
>> Modified: ofbiz/trunk/applications/product/template/Main.ftl
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/template/Main.ftl (original)
>> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2
>> 10:33:59 2017
>> @@ -29,6 +29,8 @@ under the License.
>> </form>
>> <div class="label">${uiLabelMap.CommonOr}: <a href="<@o...@ofbizUrl>"
>> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
>> <br />
>> +<p>Output format: ${.output_format}
>> +<p>Auto-escaping: ${.auto_esc?c}
>> <div class="label">${uiLabelMap.ProductEditCategoryWithCategor
>> yId}:</div>
>> <form method="post" action="<@o...@ofbizUrl>"
>> style="margin: 0;" name="EditCategoryForm">
>> <@htmlTemplate.lookupField name="productCategoryId"
>> id="productCategoryId" formName="EditCategoryForm" fieldFormName="
>> LookupProductCategory"/>
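Review bot: The two added `<p>` lines print FreeMarker's `.output_format` and `.auto_esc` settings into the catalog main page, which reads as leftover diagnostics for the FreeMarkerWorker change rather than something the UI should show; they also open `<p>` elements that are never closed, so they alter the markup of the category form below. They should be removed before this goes in for real, or at least closed and guarded, e.g. `<p>Output format: ${.output_format}</p>` and `<p>Auto-escaping: ${.auto_esc?c}</p>` inside a debug-only condition. The enclosing template continues outside this hunk.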
>>
>> Modified: ofbiz/trunk/applications/product/template/store/
>> EditProductStoreWebSites.ftl
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/template/store/EditProductStoreWebSites.ftl?
>> rev=1781366&r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
>> (original)
>> +++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
>> Thu Feb 2 10:33:59 2017
>> @@ -37,12 +37,7 @@ under the License.
>> <td>${webSite.httpHost?default(' ')}</td>
>> <td>${webSite.httpPort?default(' ')}</td>
>> <td align="center">
>> - <a href="javascript:document.
>> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${
>> uiLabelMap.CommonDelete}</a>
>> - <form name="storeUpdateWebSite_${webSite_index}"
>> method="post" action="<@o...@ofbizUrl>">
>> - <input type="hidden" name="viewProductStoreId"
>> value="${productStoreId}"/>
>> - <input type="hidden" name="productStoreId"
>> value=""/>
>> - <input type="hidden" name="webSiteId"
>> value="${webSite.webSiteId}"/>
>> - </form>
>> + <a href="<@ofbizUrl>storeUpdateWebSite?
>> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${
>> webSite.webSiteId}</...@ofbizUrl>" class="buttontext">${
>> uiLabelMap.CommonDelete}</a>
>> </td>
>> </tr>
>> <#-- toggle the row color -->
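Review bot: Replacing the hidden-field POST form with a plain `<a href>` turns the Delete action for a store web site into a state change triggered by a GET URL, which is exactly the situation the CSRFGuard notes added earlier in this commit warn against (tokens and parameters end up in the URL, browser history and Referer, and a controller that protects only POST will no longer guard it). The raw `&` separators in the attribute should also be written as `&amp;`, and whether the `storeUpdateWebSite` request in the controller still accepts GET is not visible here. I would keep a POST form and replace the `javascript:` anchor with a submit control styled like the link, e.g. `<input type="submit" class="buttontext" value="${uiLabelMap.CommonDelete}"/>`, so that CSRFGuard's form injection applies. The surrounding table row markup lies outside this hunk.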
>>
>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>> (added)
>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>> Thu Feb 2 10:33:59 2017
>> @@ -0,0 +1,447 @@
>> +/**
>> + * The OWASP CSRFGuard Project, BSD License
>> + * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
>> + * All rights reserved.
>> + *
>> + * Redistribution and use in source and binary forms, with or without
>> + * modification, are permitted provided that the following conditions are
>> met:
>> + *
>> + * 1. Redistributions of source code must retain the above copyright
>> notice,
>> + * this list of conditions and the following disclaimer.
>> + * 2. Redistributions in binary form must reproduce the above copyright
>> + * notice, this list of conditions and the following disclaimer in
>> the
>> + * documentation and/or other materials provided with the
>> distribution.
>> + * 3. Neither the name of OWASP nor the names of its contributors may
>> be used
>> + * to endorse or promote products derived from this software
>> without specific
>> + * prior written permission.
>> + *
>> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> "AS IS"
>> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>> THE
>> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>> PURPOSE
>> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
>> BE LIABLE
>> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>> CONSEQUENTIAL DAMAGES
>> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>> SERVICES;
>> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>> CAUSED AND ON
>> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> OF THIS
>> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +(function() {
>> + /**
>> + * Code to ensure our event always gets triggered when the DOM is
>> updated.
>> + * @param obj
>> + * @param type
>> + * @param fn
>> + * @source http://www.dustindiaz.com/rock-solid-addevent/
>> + */
>> + function addEvent( obj, type, fn ) {
>> + if (obj.addEventListener) {
>> + obj.addEventListener( type, fn, false );
>> + EventCache.add(obj, type, fn);
>> + }
>> + else if (obj.attachEvent) {
>> + obj["e"+type+fn] = fn;
>> + obj[type+fn] = function() { obj["e"+type+fn]( window.event );
>> }
>> + obj.attachEvent( "on"+type, obj[type+fn] );
>> + EventCache.add(obj, type, fn);
>> + }
>> + else {
>> + obj["on"+type] = obj["e"+type+fn];
>> + }
>> + }
>> +
>> + var EventCache = function(){
>> + var listEvents = [];
>> + return {
>> + listEvents : listEvents,
>> + add : function(node, sEventName, fHandler){
>> + listEvents.push(arguments);
>> + },
>> + flush : function(){
>> + var i, item;
>> + for(i = listEvents.length - 1; i >= 0; i = i - 1){
>> + item = listEvents[i];
>> + if(item[0].removeEventListener){
>> + item[0].removeEventListener(item[1], item[2],
>> item[3]);
>> + };
>> + if(item[1].substring(0, 2) != "on"){
>> + item[1] = "on" + item[1];
>> + };
>> + if(item[0].detachEvent){
>> + item[0].detachEvent(item[1], item[2]);
>> + };
>> + };
>> + }
>> + };
>> + }();
>> +
>> + /** string utility functions **/
>> + String.prototype.startsWith = function(prefix) {
>> + return this.indexOf(prefix) === 0;
>> + };
>> +
>> + String.prototype.endsWith = function(suffix) {
>> + return this.match(suffix+"$") == suffix;
>> + };
>> +
>> + /** hook using standards based prototype **/
>> + function hijackStandard() {
>> + XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
>> + XMLHttpRequest.prototype.open = function(method, url, async,
>> user, pass) {
>> + this.url = url;
>> +
>> + this._open.apply(this, arguments);
>> + };
>> +
>> + XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
>> + XMLHttpRequest.prototype.send = function(data) {
>> + if(this.onsend != null) {
>> + this.onsend.apply(this, arguments);
>> + }
>> +
>> + this._send.apply(this, arguments);
>> + };
>> + }
>> +
>> + /** ie does not properly support prototype - wrap completely **/
>> + function hijackExplorer() {
>> + var _XMLHttpRequest = window.XMLHttpRequest;
>> +
>> + function alloc_XMLHttpRequest() {
>> + this.base = _XMLHttpRequest ? new _XMLHttpRequest : new
>> window.ActiveXObject("Microsoft.XMLHTTP");
>> + }
>> +
>> + function init_XMLHttpRequest() {
>> + return new alloc_XMLHttpRequest;
>> + }
>> +
>> + init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
>> +
>> + /** constants **/
>> + init_XMLHttpRequest.UNSENT = 0;
>> + init_XMLHttpRequest.OPENED = 1;
>> + init_XMLHttpRequest.HEADERS_RECEIVED = 2;
>> + init_XMLHttpRequest.LOADING = 3;
>> + init_XMLHttpRequest.DONE = 4;
>> +
>> + /** properties **/
>> + init_XMLHttpRequest.prototype.status = 0;
>> + init_XMLHttpRequest.prototype.statusText = "";
>> + init_XMLHttpRequest.prototype.readyState =
>> init_XMLHttpRequest.UNSENT;
>> + init_XMLHttpRequest.prototype.responseText = "";
>> + init_XMLHttpRequest.prototype.responseXML = null;
>> + init_XMLHttpRequest.prototype.onsend = null;
>> +
>> + init_XMLHttpRequest.url = null;
>> + init_XMLHttpRequest.onreadystatechange = null;
>> +
>> + /** methods **/
>> + init_XMLHttpRequest.prototype.open = function(method, url,
>> async, user, pass) {
>> + var self = this;
>> + this.url = url;
>> +
>> + this.base.onreadystatechange = function() {
>> + try { self.status = self.base.status; } catch (e) { }
>> + try { self.statusText = self.base.statusText; } catch (e)
>> { }
>> + try { self.readyState = self.base.readyState; } catch (e)
>> { }
>> + try { self.responseText = self.base.responseText; }
>> catch(e) { }
>> + try { self.responseXML = self.base.responseXML; }
>> catch(e) { }
>> +
>> + if(self.onreadystatechange != null) {
>> + self.onreadystatechange.apply(this, arguments);
>> + }
>> + }
>> +
>> + this.base.open(method, url, async, user, pass);
>> + };
>> +
>> + init_XMLHttpRequest.prototype.send = function(data) {
>> + if(this.onsend != null) {
>> + this.onsend.apply(this, arguments);
>> + }
>> +
>> + this.base.send(data);
>> + };
>> +
>> + init_XMLHttpRequest.prototype.abort = function() {
>> + this.base.abort();
>> + };
>> +
>> + init_XMLHttpRequest.prototype.getAllResponseHeaders = function()
>> {
>> + return this.base.getAllResponseHeaders();
>> + };
>> +
>> + init_XMLHttpRequest.prototype.getResponseHeader = function(name)
>> {
>> + return this.base.getResponseHeader(name);
>> + };
>> +
>> + init_XMLHttpRequest.prototype.setRequestHeader = function(name,
>> value) {
>> + return this.base.setRequestHeader(name, value);
>> + };
>> +
>> + /** hook **/
>> + window.XMLHttpRequest = init_XMLHttpRequest;
>> + }
>> +
>> + /** check if valid domain based on domainStrict **/
>> + function isValidDomain(current, target) {
>> + var result = false;
>> +
>> + /** check exact or subdomain match **/
>> + if(current == target) {
>> + result = true;
>> + } else if(%DOMAIN_STRICT% == false) {
>> + if(target.charAt(0) == '.') {
>> + result = current.endsWith(target);
>> + } else {
>> + result = current.endsWith('.' + target);
>> + }
>> + }
>> +
>> + return result;
>> + }
>> +
>> + /** determine if uri/url points to valid domain **/
>> + function isValidUrl(src) {
>> + var result = false;
>> +
>> + /** parse out domain to make sure it points to our own **/
>> + if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
>> "https://") {
>> + var token = "://";
>> + var index = src.indexOf(token);
>> + var part = src.substring(index + token.length);
>> + var domain = "";
>> +
>> + /** parse up to end, first slash, or anchor **/
>> + for(var i=0; i<part.length; i++) {
>> + var character = part.charAt(i);
>> +
>> + if(character == '/' || character == ':' || character ==
>> '#') {
>> + break;
>> + } else {
>> + domain += character;
>> + }
>> + }
>> +
>> + result = isValidDomain(document.domain, domain);
>> + /** explicitly skip anchors **/
>> + } else if(src.charAt(0) == '#') {
>> + result = false;
>> + /** ensure it is a local resource without a protocol **/
>> + } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
>> src.indexOf(':') == -1)) {
>> + result = true;
>> + }
>> +
>> + return result;
>> + }
>> +
>> + /** parse uri from url **/
>> + function parseUri(url) {
>> + var uri = "";
>> + var token = "://";
>> + var index = url.indexOf(token);
>> + var part = "";
>> +
>> + /**
>> + * ensure to skip protocol and prepend context path for
>> non-qualified
>> + * resources (ex: "protect.html" vs
>> + * "/Owasp.CsrfGuard.Test/protect.html").
>> + */
>> + if(index > 0) {
>> + part = url.substring(index + token.length);
>> + } else if(url.charAt(0) != '/') {
>> + part = "%CONTEXT_PATH%/" + url;
>> + } else {
>> + part = url;
>> + }
>> +
>> + /** parse up to end or query string **/
>> + var uriContext = (index == -1);
>> +
>> + for(var i=0; i<part.length; i++) {
>> + var character = part.charAt(i);
>> +
>> + if(character == '/') {
>> + uriContext = true;
>> + } else if(uriContext == true && (character == '?' ||
>> character == '#')) {
>> + uriContext = false;
>> + break;
>> + }
>> +
>> + if(uriContext == true) {
>> + uri += character;
>> + }
>> + }
>> +
>> + return uri;
>> + }
>> +
>> + /** inject tokens as hidden fields into forms **/
>> + function injectTokenForm(form, tokenName, tokenValue,
>> pageTokens,injectGetForms) {
>> +
>> + if (!injectGetForms) {
>> + var method = form.getAttribute("method");
>> +
>> + if ((typeof method != 'undefined') && method != null &&
>> method.toLowerCase() == "get") {
>> + return;
>> + }
>> + }
>> +
>> + var value = tokenValue;
>> + var action = form.getAttribute("action");
>> +
>> + if(action != null && isValidUrl(action)) {
>> + var uri = parseUri(action);
>> + value = pageTokens[uri] != null ? pageTokens[uri] :
>> tokenValue;
>> + }
>> +
>> + var hidden = document.createElement("input");
>> +
>> + hidden.setAttribute("type", "hidden");
>> + hidden.setAttribute("name", tokenName);
>> + hidden.setAttribute("value", value);
>> +
>> + form.appendChild(hidden);
>> + }
>> +
>> + /** inject tokens as query string parameters into url **/
>> + function injectTokenAttribute(element, attr, tokenName, tokenValue,
>> pageTokens) {
>> + var location = element.getAttribute(attr);
>> +
>> + if(location != null && isValidUrl(location)) {
>> + var uri = parseUri(location);
>> + var value = (pageTokens[uri] != null ? pageTokens[uri] :
>> tokenValue);
>> +
>> + if(location.indexOf('?') != -1) {
>> + location = location + '&' + tokenName + '=' + value;
>> + } else {
>> + location = location + '?' + tokenName + '=' + value;
>> + }
>> +
>> + try {
>> + element.setAttribute(attr, location);
>> + } catch (e) {
>> + // attempted to set/update unsupported attribute
>> + }
>> + }
>> + }
>> +
>> + /** inject csrf prevention tokens throughout dom **/
>> + function injectTokens(tokenName, tokenValue) {
>> + /** obtain reference to page tokens if enabled **/
>> + var pageTokens = {};
>> +
>> + if(%TOKENS_PER_PAGE% == true) {
>> + pageTokens = requestPageTokens();
>> + }
>> +
>> + /** iterate over all elements and injection token **/
>> + var all = document.all ? document.all :
>> document.getElementsByTagName('*');
>> + var len = all.length;
>> +
>> + //these are read from the csrf guard config file(s)
>> + var injectForms = %INJECT_FORMS%;
>> + var injectGetForms = %INJECT_GET_FORMS%;
>> + var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
>> + var injectAttributes = %INJECT_ATTRIBUTES%;
>> +
>> + for(var i=0; i<len; i++) {
>> + var element = all[i];
>> +
>> + /** inject into form **/
>> + if(element.tagName.toLowerCase() == "form") {
>> + if(injectForms) {
>> + injectTokenForm(element, tokenName, tokenValue,
>> pageTokens,injectGetForms);
>> + }
>> + if (injectFormAttributes) {
>> + injectTokenAttribute(element, "action", tokenName,
>> tokenValue, pageTokens);
>> + }
>> + /** inject into attribute **/
>> + } else if(injectAttributes) {
>> + injectTokenAttribute(element, "src", tokenName,
>> tokenValue, pageTokens);
>> + injectTokenAttribute(element, "href", tokenName,
>> tokenValue, pageTokens);
>> + }
>> + }
>> + }
>> +
>> + /** obtain array of page specific tokens **/
>> + function requestPageTokens() {
>> + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
>> window.ActiveXObject("Microsoft.XMLHTTP");
>> + var pageTokens = {};
>> +
>> + xhr.open("POST", "%SERVLET_PATH%", false);
>> + xhr.send(null);
>> +
>> + var text = xhr.responseText;
>> + var name = "";
>> + var value = "";
>> + var nameContext = true;
>> +
>> + for(var i=0; i<text.length; i++) {
>> + var character = text.charAt(i);
>> +
>> + if(character == ':') {
>> + nameContext = false;
>> + } else if(character != ',') {
>> + if(nameContext == true) {
>> + name += character;
>> + } else {
>> + value += character;
>> + }
>> + }
>> +
>> + if(character == ',' || (i + 1) >= text.length) {
>> + pageTokens[name] = value;
>> + name = "";
>> + value = "";
>> + nameContext = true;
>> + }
>> + }
>> +
>> + return pageTokens;
>> + }
>> +
>> + /**
>> + * Only inject the tokens if the JavaScript was referenced from HTML
>> that
>> + * was served by us. Otherwise, the code was referenced from
>> malicious HTML
>> + * which may be trying to steal tokens using JavaScript hijacking
>> techniques.
>> + * The token is now removed and fetched using another POST request to
>> solve,
>> + * the token hijacking problem.
>> + */
>> + if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
>> + /** optionally include Ajax support **/
>> + if(%INJECT_XHR% == true) {
>> + if(navigator.appName == "Microsoft Internet Explorer") {
>> + hijackExplorer();
>> + } else {
>> + hijackStandard();
>> + }
>> +
>> + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
>> window.ActiveXObject("Microsoft.XMLHTTP");
>> + var csrfToken = {};
>> + xhr.open("POST", "%SERVLET_PATH%", false);
>> + xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
>> + xhr.send(null);
>> +
>> + var token_pair = xhr.responseText;
>> + token_pair = token_pair.split(":");
>> + var token_name = token_pair[0];
>> + var token_value = token_pair[1];
>> +
>> + XMLHttpRequest.prototype.onsend = function(data) {
>> + if(isValidUrl(this.url)) {
>> + this.setRequestHeader("X-Requested-With",
>> "XMLHttpRequest")
>> + this.setRequestHeader(token_name, token_value);
>> + }
>> + };
>> + }
>> +
>> + /** update nodes in DOM after load **/
>> + addEvent(window,'unload',EventCache.flush);
>> + addEvent(window,'DOMContentLoaded', function() {
>> + injectTokens(token_name, token_value);
>> + });
>> + } else {
>> + alert("OWASP CSRFGuard JavaScript was included from within an
>> unauthorized domain!");
>> + }
>> +})();
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> ------------------------------------------------------------
>> ------------------
>> svn:eol-style = native
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> ------------------------------------------------------------
>> ------------------
>> svn:keywords = Date Rev Author URL Id
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> ------------------------------------------------------------
>> ------------------
>> svn:mime-type = text/plain
>>
>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.
>> properties?rev=1781366&view=auto
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>> (added)
>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>> Thu Feb 2 10:33:59 2017
>> @@ -0,0 +1,417 @@
>> +# The OWASP CSRFGuard Project, BSD License
>> +# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
>> +# All rights reserved.
>> +#
>> +# Redistribution and use in source and binary forms, with or without
>> +# modification, are permitted provided that the following conditions are
>> met:
>> +#
>> +# 1. Redistributions of source code must retain the above copyright
>> notice,
>> +# this list of conditions and the following disclaimer.
>> +# 2. Redistributions in binary form must reproduce the above copyright
>> +# notice, this list of conditions and the following disclaimer in the
>> +# documentation and/or other materials provided with the distribution.
>> +# 3. Neither the name of OWASP nor the names of its contributors may be
>> used
>> +# to endorse or promote products derived from this software without
>> specific
>> +# prior written permission.
>> +#
>> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
>> IS"
>> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>> THE
>> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>> PURPOSE
>> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
>> BE LIABLE
>> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>> CONSEQUENTIAL DAMAGES
>> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>> SERVICES;
>> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
>> AND ON
>> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> OF THIS
>> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> +
>> +# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/
>> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
>> +
>> +# Common substitutions
>> +# %servletContext% is the servlet context (e.g. the configured app
>> prefix or war file name, or blank.
>> +# e.g. if you deploy a default warfile as someApp.war, then
>> %servletContext% will be /someApp
>> +# if there isnt a context it will be the empty string. So to use this in
>> the configuration, use e.g. %servletContext%/something.html
>> +# which will translate to e.g. /someApp/something.html
>> +
>> +# Logger
>> +#
>> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified
>> class name of
>> +# the object responsible for processing all log messages produced by
>> CSRFGuard. The default
>> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class
>> logs all messages
>> +# to System.out which JavaEE application servers redirect to a vendor
>> specific log file.
>> +# Developers can customize the logging behavior of CSRFGuard by
>> implementing the
>> +# org.owasp.csrfguard.log.ILogger interface and setting the logger
>> property to the new
>> +# logger's qualified class name. The following configuration snippet
>> instructs OWASP CSRFGuard
>> +# to capture all log messages to the console:
>> +#
>> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
>> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
>> +
>> +# Which configuration provider factory you want to use. The default is
>> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
>> +# Another configuration provider has more features including config
>> overlays: org.owasp.csrfguard.config.overlay.
>> ConfigurationOverlayProviderFactory
>> +# The default configuration provider is: org.owasp.csrfguard.config.
>> overlay.ConfigurationAutodetectProviderFactory
>> +# which will look for an overlay file, it is there, and the factory
>> inside that file is set it will use it, otherwise will be
>> PropertiesConfigurationProviderFactory
>> +# it needs to implement org.owasp.csrfguard.config.
>> ConfigurationProviderFactory
>> +org.owasp.csrfguard.configuration.provider.factory =
>> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
>> +
>> +
>> +# If csrfguard filter is enabled
>> +org.owasp.csrfguard.Enabled = false
>> +
>> +# If csrf guard filter should check even if there is no session for the
>> user
>> +# Note: this changed around 2014/04, the default behavior used to be to
>> +# not check if there is no session. If you want the legacy behavior (if
>> your app
>> +# is not susceptible to CSRF if the user has no session), set this to
>> false
>> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true
>> +
>> +# New Token Landing Page
>> +#
>> +# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage)
>> defines where
>> +# to send a user if the token is being generated for the first time, and
>> the use new token landing
>> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage)
>> determines if any redirect happens.
>> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not
>> specified, and to true
>> +# if it is specified.. If UseNewTokenLandingPage is set true then this
>> request is generated
>> +# using auto-posting forms and will only contain the CSRF prevention
>> token parameter, if
>> +# applicable. All query-string or form parameters sent with the original
>> request will be
>> +# discarded. If this property is not defined, CSRFGuard will instead
>> auto-post the user to the
>> +# original context and servlet path. The following configuration snippet
>> instructs OWASP CSRFGuard to
>> +# redirect the user to %servletContext%/index.html when the user visits a
>> protected resource
>> +# without having a corresponding CSRF token present in the HttpSession
>> object:
>> +#
>> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*
>> +
>> +# Protected Methods
>> +#
>> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods)
>> defines a comma
>> +# separated list of HTTP request methods that should be protected by
>> CSRFGuard. The default
>> +# list is an empty list which will cause all HTTP methods to be
>> protected, thus preserving
>> +# legacy behavior. This setting allows the user to inform CSRFGuard that
>> only requests of the
>> +# given types should be considered for protection. All HTTP methods not
>> in the list will be
>> +# considered safe (i.e. view only / unable to modify data). This should
>> be used only when the
>> +# user has concrete knowledge that all requests made via methods not in
>> the list
>> +# are safe (i.e. do not apply an action to any data) since it can
>> actually introduce new
>> +# security vulnerabilities. For example: the user thinks that all
>> actionable requests are
>> +# only available by POST requests when in fact some are available via GET
>> requests. If the
>> +# user has excluded GET requests from the list then they have introduced
>> a vulnerability.
>> +# The following configuration snippet instructs OWASP CSRFGuard to
>> protect only the POST,
>> +# PUT, and DELETE HTTP methods.
>> +#
>> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
>> +
>> +# or you can configure all to be protected, and specify which is
>> unprotected. This is the preferred approach
>> +
>> +# org.owasp.csrfguard.UnprotectedMethods=GET
>> +
>> +# Unique Per-Page Tokens
>> +#
>> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage)
>> is a boolean value that
>> +# determines if CSRFGuard should make use of unique per-page (i.e. URI)
>> prevention tokens as
>> +# opposed to unique per-session prevention tokens. When a user requests a
>> protected resource,
>> +# CSRFGuard will determine if a page specific token has been previously
>> generated. If a page
>> +# specific token has not yet been previously generated, CSRFGuard will
>> verify the request was
>> +# submitted with the per-session token intact. After verifying the
>> presence of the per-session token,
>> +# CSRFGuard will create a page specific token that is required for all
>> subsequent requests to the
>> +# associated resource. The per-session CSRF token can only be used when
>> requesting a resource for
>> +# the first time. All subsequent requests must have the per-page token
>> intact or the request will
>> +# be treated as a CSRF attack. This behavior can be changed with the
>> org.owasp.csrfguard.TokenPerPagePrecreate
>> +# property. Enabling this property will make CSRFGuard calculate the per
>> page token prior to a first
>> +# visit. This option only works with JSTL token injection and is useful
>> for preserving the validity of
>> +# links if the user pushes the back button. There may be a performance
>> impact when enabling this option
>> +# if the .jsp has a large number of proctected links that need tokens to
>> be calculated.
>> +# Use of the unique token per page property is currently experimental
>> +# but provides a significant amount of improved security. Consider the
>> exposure of a CSRF token using
>> +# the legacy unique per-session model. Exposure of this token facilitates
>> the attacker's ability to
>> +# carry out a CSRF attack against the victim's active session for any
>> resource exposed by the web
>> +# application. Now consider the exposure of a CSRF token using the
>> experimental unique token per-page
>> +# model. Exposure of this token would only allow the attacker to carry
>> out a CSRF attack against the
>> +# victim's active session for a small subset of resources exposed by the
>> web application. Use of the
>> +# unique token per-page property is a strong defense in depth strategy
>> significantly reducing the
>> +# impact of exposed CSRF prevention tokens. The following configuration
>> snippet instructs OWASP
>> +# CSRFGuard to utilize the unique token per-page model:
>> +#
>> +# org.owasp.csrfguard.TokenPerPage=true
>> +# org.owasp.csrfguard.TokenPerPagePrecreate=false
>> +org.owasp.csrfguard.TokenPerPage=true
>> +org.owasp.csrfguard.TokenPerPagePrecreate=false
>> +
>> +# Token Rotation
>> +#
>> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean
>> value that determines if
>> +# CSRFGuard should generate and utilize a new token after verifying the
>> previous token. Rotation
>> +# helps minimize the window of opportunity an attacker has to leverage
>> the victim's stolen token
>> +# in a targeted CSRF attack. However, this functionality generally causes
>> navigation problems in
>> +# most applications. Specifically, the 'Back' button in the browser will
>> often cease to function
>> +# properly. When a user hits the 'Back' button and interacts with the
>> HTML, the browser may submit
>> +# an old token causing CSRFGuard to incorrectly believe this request is a
>> CSRF attack in progress
>> +# (i.e. a 'false positive'). Users can prevent this scenario by
>> preventing the caching of HTML pages
>> +# containing FORM submissions using the cache-control header. However,
>> this may also introduce
>> +# performance problems as the browser will have to request HTML on a more
>> frequent basis. The following
>> +# configuration snippet enables token rotation:
>> +#
>> +# org.owasp.csrfguard.Rotate=true
>> +
>> +# Ajax and XMLHttpRequest Support
>> +#
>> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that
>> indicates whether or not OWASP
>> +# CSRFGuard should support the injection and verification of unique
>> per-session prevention tokens for
>> +# XMLHttpRequests. To leverage Ajax support, the user must not only set
>> this property to true but must
>> +# also reference the JavaScript DOM Manipulation code using a script
>> element. This dynamic script will
>> +# override the send method of the XMLHttpRequest object to ensure the
>> submission of an X-Requested-With
>> +# header name value pair coupled with the submission of a custom header
>> name value pair for each request.
>> +# The name of the custom header is the value of the token name property
>> and the value of the header is
>> +# always the unique per-session token value. This custom header is
>> analogous to the HTTP parameter name
>> +# value pairs submitted via traditional GET and POST requests. If the
>> X-Requested-With header was sent
>> +# in the HTTP request, then CSRFGuard will look for the presence and
>> ensure the validity of the unique
>> +# per-session token in the custom header name value pair. Note that
>> verification of these headers takes
>> +# precedence over verification of the CSRF token supplied as an HTTP
>> parameter. More specifically,
>> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax
>> support property is enabled and
>> +# the corresponding X-Requested-With and custom headers are embedded
>> within the request. The following
>> +# configuration snippet instructs OWASP CSRFGuard to support Ajax
>> requests by verifying the presence and
>> +# correctness of the X-Requested-With and custom headers:
>> +#
>> +# org.owasp.csrfguard.Ajax=true
>> +org.owasp.csrfguard.Ajax=true
>> +
>> +# The default behavior of CSRFGuard is to protect all pages. Pages marked
>> as unprotected will not be protected.
>> +# If the Protect property is enabled, this behavior is reversed. Pages
>> must be marked as protected to be protected.
>> +# All other pages will not be protected. This is useful when the
>> CsrfGuardFilter is aggressively mapped (ex: /*),
>> +# but you only want to protect a few pages.
>> +#
>> +# org.owasp.csrfguard.Protect=true
>> +
>> +# Unprotected Pages:
>> +#
>> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*)
>> defines a series of pages that
>> +# should not be protected by CSRFGuard. Such configurations are useful
>> when the CsrfGuardFilter is
>> +# aggressively mapped (ex: /*). The syntax of the property name is
>> org.owasp.csrfguard.unprotected.[PageName],
>> +# where PageName is some arbitrary identifier that can be used to
>> reference a resource. The syntax of
>> +# defining the uri of unprotected pages is the same as the syntax used by
>> the JavaEE container for uri mapping.
>> +# Specifically, CSRFGuard will identify the first match (if any) between
>> the requested uri and an unprotected
>> +# page in order of declaration. Match criteria is as follows:
>> +#
>> +# Case 1: exact match between request uri and unprotected page
>> +# Case 2: longest path prefix match, beginning / and ending /*
>> +# Case 3: extension match, beginning *.
>> +# Case 4: if the value starts with ^ and ends with $, it will be
>> evaulated as a regex. Note that before the
>> +# regex is compiled, any common variables will be substituted (e.g.
>> %servletContext%)
>> +# Default: requested resource must be validated by CSRFGuard
>> +#
>> +# The following code snippet illustrates the four use cases over four
>> examples. The first two examples
>> +# (Tag and JavaScriptServlet) look for direct URI matches. The third
>> example (Html) looks for all resources
>> +# ending in a .html extension. The next example (Public) looks for all
>> resources prefixed with the URI path /MySite/Public/*.
>> +# The last example looks for resources that end in Public.do
>> +#
>> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/
>> JavaScriptServlet
>> +# org.owasp.csrfguard.unprotected.Html=*.html
>> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
>> +# regex example starts with ^ and ends with $, and the %servletContext%
>> is evaluated before the regex
>> +# org.owasp.csrfguard.unprotected.PublicServlet=^%
>> servletContext%/.*Public\.do$
>> +
>> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/
>> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
>> +org.owasp.csrfguard.unprotected.JavaScriptServlet=
>> %servletContext%/control/JavaScriptServlet
>> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
>> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
>> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.
>> html
>> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
>> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
>> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/*
>> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
>> +
>> +# Actions: Responding to Attacks
>> +#
>> +# The actions directive (org.owasp.csrfguard.action.*) gives the user the
>> ability to specify one or more
>> +# actions that should be invoked when a CSRF attack is detected. Every
>> action must implement the
>> +# org.owasp.csrfguard.action.IAction interface either directly or
>> indirectly through the
>> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions
>> accept parameters that can be specified
>> +# along with the action class declaration. These parameters are consumed
>> at runtime and impact the behavior of
>> +# the associated action.
>> +#
>> +# The syntax for defining and configuring CSRFGuard actions is relatively
>> straight forward. Let us assume we wish
>> +# to redirect the user to a default page when a CSRF attack is detected.
>> A redirect action already exists within
>> +# the CSRFGuard bundle and is available via the class name
>> org.owasp.csrfguard.actions.Redirect. In order to enable
>> +# this action, we capture the following declaration in the
>> Owasp.CsrfGuard.properties file:
>> +#
>> +# syntax: org.owasp.csrfguard.action.[actionName]=[className]
>> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.
>> csrfguard.actions.Redirect
>> +#
>> +# The aforementioned directive declares an action called "Redirect" (i.e.
>> [actionName]) referencing the Java class
>> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a
>> CSRF attack is detected, the Redirect action
>> +# will be executed. You may be asking yourself, "but how do I specify
>> where the user is redirected?"; this is where
>> +# action parameters come into play. In order to specify the redirect
>> location, we capture the following declaration
>> +# in the Owasp.CsrfGuard.properties file:
>> +#
>> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[
>> parameterValue]
>> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%
>> servletContext%/error.html
>> +#
>> +# The aforementioned directive declares an action parameter called
>> "ErrorPage" (i.e. [parameterName]) with the value
>> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action
>> "Redirect" (i.e. [actionName]). The
>> +# Redirect action expects the "ErrorPage" parameter to be defined and
>> will redirect the user to this location when
>> +# an attack is detected.
>> +#
>> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
>> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>> +org.owasp.csrfguard.action.Log.Message=potential cross-site request
>> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
>> method:%request_method%, uri:%request_uri%, error:%exception_message%)
>> +#org.owasp.csrfguard.action.Invalidate=org.owasp.
>> csrfguard.action.Invalidate
>> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
>> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
>> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.
>> RequestAttribute
>> +#org.owasp.csrfguard.action.RequestAttribute.
>> AttributeName=Owasp_CsrfGuard_Exception_Key
>> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.
>> SessionAttribute
>> +org.owasp.csrfguard.action.SessionAttribute.
>> AttributeName=Owasp_CsrfGuard_Exception_Key
>> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
>> +#org.owasp.csrfguard.action.Error.Code=403
>> +#org.owasp.csrfguard.action.Error.Message=Security violation.
>> +
>> +# Token Name
>> +#
>> +# The token name property (org.owasp.csrfguard.TokenName) defines the
>> name of the HTTP parameter
>> +# to contain the value of the OWASP CSRFGuard token for each request. The
>> following configuration
>> +# snippet sets the CSRFGuard token parameter name to the value
>> OWASP_CSRFTOKEN:
>> +#
>> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>> +
>> +# Session Key
>> +#
>> +# The session key property (org.owasp.csrfguard.SessionKey) defines the
>> string literal used to save
>> +# and lookup the CSRFGuard token from the session. This value is used by
>> the filter and the tag
>> +# libraries to retrieve and set the token value in the session.
>> Developers can use this key to
>> +# programmatically lookup the token within their own code. The following
>> configuration snippet sets
>> +# the session key to the value OWASP_CSRFTOKEN:
>> +#
>> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>> +
>> +# Token Length
>> +#
>> +# The token length property (org.owasp.csrfguard.TokenLength) defines
>> the number of characters that
>> +# should be found within the CSRFGuard token. Note that characters are
>> delimited by dashes (-) in groups
>> +# of four. For cosmetic reasons, users are encourage to ensure the token
>> length is divisible by four.
>> +# The following configuration snippet sets the token length property to
>> 32 characters:
>> +#
>> +# org.owasp.csrfguard.TokenLength=32
>> +org.owasp.csrfguard.TokenLength=32
>> +
>> +# Pseudo-random Number Generator
>> +#
>> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG)
>> defines what PRNG should be used
>> +# to generate the OWASP CSRFGuard token. Always ensure this value
>> references a cryptographically strong
>> +# pseudo-random number generator algorithm. The following configuration
>> snippet sets the pseudo-random number
>> +# generator to SHA1PRNG:
>> +#
>> +# org.owasp.csrfguard.PRNG=SHA1PRNG
>> +org.owasp.csrfguard.PRNG=SHA1PRNG
>> +
>> +# Pseudo-random Number Generator Provider
>> +
>> +# The pseudo-random number generator provider property
>> (org.owasp.csrfguard.PRNG.Provider) defines which
>> +# provider's implementation of org.owasp.csrfguard.PRNG we should
>> utilize. The following configuration
>> +# snippet instructs the JVM to leverage SUN's implementation of the
>> algorithm denoted by the
>> +# org.owasp.csrfguard.PRNG property:
>> +
>> +# org.owasp.csrfguard.PRNG.Provider=SUN
>> +org.owasp.csrfguard.PRNG.Provider=SUN
>> +
>> +# If not specifying the print config option in the web.xml, you can
>> specify it here, to print the config
>> +# on startup
>> +org.owasp.csrfguard.Config.Print = true
>> +
>> +###########################
>> +## Javascript servlet settings if not set in web.xml
>> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
>> +###########################
>> +
>> +# leave this blank and blank in web.xml and it will read from
>> META-INF/csrfguard.js from the jarfile
>> +# Denotes the location of the JavaScript template file that should be
>> consumed and dynamically
>> +# augmented by the JavaScriptServlet class. The default value is
>> WEB-INF/Owasp.CsrfGuard.js.
>> +# Use of this property and the existence of the specified template file
>> is required.
>> +#org.owasp.csrfguard.JavascriptServlet.sourceFile =
>> WEB-INF/Owasp.CsrfGuard.js
>> +org.owasp.csrfguard.JavascriptServlet.sourceFile =
>> WEB-INF/Owasp.CsrfGuard.js
>> +
>> +# Boolean value that determines whether or not the dynamic JavaScript
>> code should be strict
>> +# with regards to what links it should inject the CSRF prevention token.
>> With a value of true,
>> +# the JavaScript code will only place the token in links that point to
>> the same exact domain
>> +# from which the HTML originated. With a value of false, the JavaScript
>> code will place the
>> +# token in links that not only point to the same exact domain from which
>> the HTML originated,
>> +# but sub-domains as well.
>> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true
>> +
>> +# Allows the developer to specify the value of the Cache-Control header
>> in the HTTP response
>> +# when serving the dynamic JavaScript file. The default value is private,
>> maxage=28800.
>> +# Caching of the dynamic JavaScript file is intended to minimize traffic
>> and improve performance.
>> +# Note that the Cache-Control header is always set to "no-store" when
>> either the "Rotate"
>> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
>> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private,
>> maxage=28800
>> +
>> +# Allows the developer to specify a regular expression describing the
>> required value of the
>> +# Referer header. Any attempts to access the servlet with a Referer
>> header that does not
>> +# match the captured expression is discarded. Inclusion of referer header
>> checking is to
>> +# help minimize the risk of JavaScript Hijacking attacks that attempt to
>> steal tokens from
>> +# the dynamically generated JavaScript. While the primary defenses
>> against JavaScript
>> +# Hijacking attacks are implemented within the dynamic JavaScript itself,
>> referer header
>> +# checking is implemented to achieve defense in depth.
>> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
>> +
>> +# Similar to javascript servlet referer pattern, but this will make sure
>> the referer of the
>> +# javascript servlet matches the domain of the request. If there is no
>> referer (proxy strips it?)
>> +# then it will not fail. Generally this is a good idea to be true.
>> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
>> +
>> +# Boolean value that determines whether or not the dynamic JavaScript
>> code should
>> +# inject the CSRF prevention token as a hidden field into HTML forms. The
>> default
>> +# value is true. Developers are strongly discouraged from disabling this
>> property
>> +# as most server-side state changing actions are triggered via a POST
>> request.
>> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
>> +
>> +# if the token should be injected in GET forms (which will be on the URL)
>> +# if the HTTP method GET is unprotected, then this should likely be false
>> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
>> +
>> +# if the token should be injected in the action in forms
>> +# note, if injectIntoForms is true, then this might not need to be true
>> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
>> +
>> +
>> +# Boolean value that determines whether or not the dynamic JavaScript
>> code should
>> +# inject the CSRF prevention token in the query string of src and href
>> attributes.
>> +# Injecting the CSRF prevention token in a URL resource increases its
>> general risk
>> +# of exposure to unauthorized parties. However, most JavaEE web
>> applications respond
>> +# in the exact same manner to HTTP requests and their associated
>> parameters regardless
>> +# of the HTTP method. The risk associated with not protecting GET
>> requests in this
>> +# situation is perceived greater than the risk of exposing the token in
>> protected GET
>> +# requests. As a result, the default value of this attribute is set to
>> true. Developers
>> +# that are confident their server-side state changing controllers will
>> only respond to
>> +# POST requests (i.e. discarding GET requests) are strongly encouraged to
>> disable this property.
>> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
>> +
>> +
>> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard
>> Project
>> +
>> +###########################
>> +## Config overlay settings if you have the provider above set to
>> ConfigurationOverlayProvider
>> +## This CSRF config provider uses Internet2 Configuration Overlays
>> (documented on Internet2 wiki)
>> +## By default the configuration is read from the
>> Owasp.CsrfGuard.properties
>> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties
>> overlays
>> +## the base settings. See the Owasp.CsrfGuard.properties for the possible
>> +## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
>> +###########################
>> +
>> +# comma separated config files that override each other (files on the
>> right override the left)
>> +# each should start with file: or classpath:
>> +# e.g. classpath:Owasp.CsrfGuard.properties,
>> file:c:/temp/myFile.properties
>> +org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties,
>> classpath:Owasp.CsrfGuard.overlay.properties
>> +
>> +# seconds between checking to see if the config files are updated
>> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
>> +
>> +
>> +###########################
>> +
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> ------------------------------------------------------------
>> ------------------
>> svn:eol-style = native
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> ------------------------------------------------------------
>> ------------------
>> svn:keywords = Date Rev Author URL Id
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> ------------------------------------------------------------
>> ------------------
>> svn:mime-type = text/plain
>>
>>
>>
Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/
applications/content/widget/content/ applications/product/template/
applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/
framework/base/src/...
Posted by Pranay Pandey <pr...@hotwaxsystems.com>.
??
Log:
Implemented:
Improved:
Documented:
Completed:
Reverted:
Fixed:
(OFBIZ-)
Explanation
Thanks:
Best regards,
Pranay Pandey
HotWax Systems
http://www.hotwaxsystems.com/
On Thu, Feb 2, 2017 at 4:03 PM, <jl...@apache.org> wrote:
> Author: jleroux
> Date: Thu Feb 2 10:33:59 2017
> New Revision: 1781366
>
> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
> Log:
> Implemented:
> Improved:
> Documented:
> Completed:
> Reverted:
> Fixed:
> (OFBIZ-)
> Explanation
> Thanks:
>
> Added:
> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
> (with props)
> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
> (with props)
> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller -
> Copie.xml (with props)
> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
> Copie.xml (with props)
> ofbiz/trunk/framework/webapp/config/requestHandler -
> Copie.properties (with props)
> ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with props)
> Modified:
> ofbiz/trunk/applications/content/widget/compdoc/
> CompDocTemplateTree.xml
> ofbiz/trunk/applications/content/widget/content/ContentForms.xml
> ofbiz/trunk/applications/product/template/Main.ftl
> ofbiz/trunk/applications/product/template/store/
> EditProductStoreWebSites.ftl
> ofbiz/trunk/framework/base/src/main/java/org/apache/
> ofbiz/base/util/template/FreeMarkerWorker.java
> ofbiz/trunk/framework/minilang/src/main/java/org/
> apache/ofbiz/minilang/method/entityops/EntityOne.java
> ofbiz/trunk/framework/widget/dtd/widget-common.xsd
> ofbiz/trunk/framework/widget/src/main/java/org/apache/
> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>
> Modified: ofbiz/trunk/applications/content/widget/compdoc/
> CompDocTemplateTree.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> content/widget/compdoc/CompDocTemplateTree.xml?rev=
> 1781366&r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
> (original)
> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
> Thu Feb 2 10:33:59 2017
> @@ -22,7 +22,7 @@ under the License.
> <tree name="CompDocTemplateTree" entity-name="Content"
> root-node-name="node-root"
> default-render-style="simple" default-wrap-style="treeWrapper">
> <node name="node-root" wrap-style="treeWrapper">
> - <entity-one entity-name="Content" use-cache="false">
> + <entity-one entity-name="Content" value-field="content"
> use-cache="false">
> <field-map field-name="contentId"
> from-field="rootContentId"/>
> </entity-one>
> <include-screen name="rootTemplateLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
> @@ -54,7 +54,7 @@ under the License.
> </sub-node>
> </node>
> <node name="node-body" join-field-name="itemContentId"
> entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
> - <entity-one entity-name="Content" use-cache="false">
> + <entity-one entity-name="Content" value-field="content"
> use-cache="false">
> <field-map field-name="contentId"
> from-field="itemContentId"/>
> </entity-one>
> <include-screen name="childTemplateLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
> @@ -90,7 +90,7 @@ under the License.
> <tree name="CompDocInstanceTree" entity-name="Content"
> root-node-name="node-root"
> default-render-style="simple" default-wrap-style="treeWrapper">
> <node name="node-root">
> - <entity-one entity-name="Content" use-cache="false">
> + <entity-one entity-name="Content" value-field="content"
> use-cache="false">
> <field-map field-name="contentId"
> from-field="instanceContent.instanceOfContentId"/>
> </entity-one>
> <include-screen name="rootInstanceLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
> @@ -122,7 +122,7 @@ under the License.
> </sub-node>
> </node>
> <node name="node-body" join-field-name="itemContentId"
> entity-name="AssocRevisionItemView">
> - <entity-one entity-name="Content" use-cache="false">
> + <entity-one entity-name="Content" value-field="content"
> use-cache="false">
> <field-map field-name="contentId"
> from-field="itemContentId"/>
> </entity-one>
> <include-screen name="childInstanceLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>
> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> content/widget/content/ContentForms.xml?rev=1781366&
> r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml
> (original)
> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu
> Feb 2 10:33:59 2017
> @@ -230,9 +230,9 @@ under the License.
> </form>
> <!-- ContentAssoc forms -->
> <form name="EditContentAssoc" target="updateContentAssoc" title=""
> type="single"
> - header-row-style="header-row" default-table-style="basic-table">
> + header-row-style="header-row" default-table-style="basic-table"
> default-entity-name="contentAssocX">
> <actions>
> - <entity-one entity-name="ContentAssoc" use-cache="true">
> + <entity-one entity-name="ContentAssoc" use-cache="true"
> value-field="contentAssoc">
> <field-map field-name="contentId" from-field="contentId"/>
> <field-map field-name="contentIdTo"
> from-field="contentIdTo"/>
> <field-map field-name="contentAssocTypeId" from-field="
> contentAssocTypeId"/>
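Review bot: `default-entity-name="contentAssocX"` on the EditContentAssoc form does not name the `ContentAssoc` entity that the form's own `entity-one` reads, so it looks like a typo or a leftover from a local experiment rather than a deliberate setting. If the intent was to tell the form which map holds the record now stored by `value-field="contentAssoc"`, the attribute for that is `default-map-name="contentAssoc"`; if an entity hint is wanted it should read `default-entity-name="ContentAssoc"`. As committed, the hunk pairs a new value-field with an entity name that nothing visible here defines, and the commit log (an unfilled template) gives no explanation. The form element continues past the end of the hunk.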
>
> Modified: ofbiz/trunk/applications/product/template/Main.ftl
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/template/Main.ftl (original)
> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2
> 10:33:59 2017
> @@ -29,6 +29,8 @@ under the License.
> </form>
> <div class="label">${uiLabelMap.CommonOr}: <a href="<@o...@ofbizUrl>"
> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
> <br />
> +<p>Output format: ${.output_format}
> +<p>Auto-escaping: ${.auto_esc?c}
> <div class="label">${uiLabelMap.ProductEditCategoryWithCategor
> yId}:</div>
> <form method="post" action="<@o...@ofbizUrl>"
> style="margin: 0;" name="EditCategoryForm">
> <@htmlTemplate.lookupField name="productCategoryId"
> id="productCategoryId" formName="EditCategoryForm" fieldFormName="
> LookupProductCategory"/>
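Review bot: The two added `<p>` lines write FreeMarker's `.output_format` and `.auto_esc` settings straight into the rendered catalog main page, which is diagnostic output that exposes template-engine configuration to every user of the page and does not belong in a shipped template (the `<p>` elements are also never closed). If these values are needed while checking the FreeMarkerWorker change in the same commit, log them server-side or keep them in a local patch; otherwise remove `<p>Output format: ${.output_format}` and `<p>Auto-escaping: ${.auto_esc?c}` before this goes to trunk.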
>
> Modified: ofbiz/trunk/applications/product/template/store/
> EditProductStoreWebSites.ftl
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/template/store/EditProductStoreWebSites.ftl?
> rev=1781366&r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
> (original)
> +++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
> Thu Feb 2 10:33:59 2017
> @@ -37,12 +37,7 @@ under the License.
> <td>${webSite.httpHost?default(' ')}</td>
> <td>${webSite.httpPort?default(' ')}</td>
> <td align="center">
> - <a href="javascript:document.
> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${
> uiLabelMap.CommonDelete}</a>
> - <form name="storeUpdateWebSite_${webSite_index}"
> method="post" action="<@o...@ofbizUrl>">
> - <input type="hidden" name="viewProductStoreId"
> value="${productStoreId}"/>
> - <input type="hidden" name="productStoreId"
> value=""/>
> - <input type="hidden" name="webSiteId"
> value="${webSite.webSiteId}"/>
> - </form>
> + <a href="<@ofbizUrl>storeUpdateWebSite?
> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${
> webSite.webSiteId}</...@ofbizUrl>" class="buttontext">${
> uiLabelMap.CommonDelete}</a>
> </td>
> </tr>
> <#-- toggle the row color -->
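Review bot: Replacing the POST form with a plain `<a href>` turns the `storeUpdateWebSite` delete into a GET request, so the state change can now be triggered by any hyperlink or `<img src>` a third party places, which is exactly the kind of request a CSRF defence is meant to close rather than open. The CSRFGuard script added in this commit only appends a token to such hrefs client-side when `injectIntoAttributes` is on, and the server-side request-map for `storeUpdateWebSite` is not visible here, so the link should not be assumed protected; keep the removed `<form method="post">` with its hidden fields behind a `submit()` link or a button for the delete. If a link is retained regardless, the literal `&` between the query parameters inside the `href` attribute must be written `&amp;` to be valid HTML.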
>
> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
> (added)
> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
> Thu Feb 2 10:33:59 2017
> @@ -0,0 +1,447 @@
> +/**
> + * The OWASP CSRFGuard Project, BSD License
> + * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions are
> met:
> + *
> + * 1. Redistributions of source code must retain the above copyright
> notice,
> + * this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in
> the
> + * documentation and/or other materials provided with the
> distribution.
> + * 3. Neither the name of OWASP nor the names of its contributors may
> be used
> + * to endorse or promote products derived from this software
> without specific
> + * prior written permission.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> "AS IS"
> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
> THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
> BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> CONSEQUENTIAL DAMAGES
> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
> SERVICES;
> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
> CAUSED AND ON
> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS
> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +(function() {
> + /**
> + * Code to ensure our event always gets triggered when the DOM is
> updated.
> + * @param obj
> + * @param type
> + * @param fn
> + * @source http://www.dustindiaz.com/rock-solid-addevent/
> + */
> + function addEvent( obj, type, fn ) {
> + if (obj.addEventListener) {
> + obj.addEventListener( type, fn, false );
> + EventCache.add(obj, type, fn);
> + }
> + else if (obj.attachEvent) {
> + obj["e"+type+fn] = fn;
> + obj[type+fn] = function() { obj["e"+type+fn]( window.event );
> }
> + obj.attachEvent( "on"+type, obj[type+fn] );
> + EventCache.add(obj, type, fn);
> + }
> + else {
> + obj["on"+type] = obj["e"+type+fn];
> + }
> + }
> +
> + var EventCache = function(){
> + var listEvents = [];
> + return {
> + listEvents : listEvents,
> + add : function(node, sEventName, fHandler){
> + listEvents.push(arguments);
> + },
> + flush : function(){
> + var i, item;
> + for(i = listEvents.length - 1; i >= 0; i = i - 1){
> + item = listEvents[i];
> + if(item[0].removeEventListener){
> + item[0].removeEventListener(item[1], item[2],
> item[3]);
> + };
> + if(item[1].substring(0, 2) != "on"){
> + item[1] = "on" + item[1];
> + };
> + if(item[0].detachEvent){
> + item[0].detachEvent(item[1], item[2]);
> + };
> + };
> + }
> + };
> + }();
> +
> + /** string utility functions **/
> + String.prototype.startsWith = function(prefix) {
> + return this.indexOf(prefix) === 0;
> + };
> +
> + String.prototype.endsWith = function(suffix) {
> + return this.match(suffix+"$") == suffix;
> + };
> +
> + /** hook using standards based prototype **/
> + function hijackStandard() {
> + XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
> + XMLHttpRequest.prototype.open = function(method, url, async,
> user, pass) {
> + this.url = url;
> +
> + this._open.apply(this, arguments);
> + };
> +
> + XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
> + XMLHttpRequest.prototype.send = function(data) {
> + if(this.onsend != null) {
> + this.onsend.apply(this, arguments);
> + }
> +
> + this._send.apply(this, arguments);
> + };
> + }
> +
> + /** ie does not properly support prototype - wrap completely **/
> + function hijackExplorer() {
> + var _XMLHttpRequest = window.XMLHttpRequest;
> +
> + function alloc_XMLHttpRequest() {
> + this.base = _XMLHttpRequest ? new _XMLHttpRequest : new
> window.ActiveXObject("Microsoft.XMLHTTP");
> + }
> +
> + function init_XMLHttpRequest() {
> + return new alloc_XMLHttpRequest;
> + }
> +
> + init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
> +
> + /** constants **/
> + init_XMLHttpRequest.UNSENT = 0;
> + init_XMLHttpRequest.OPENED = 1;
> + init_XMLHttpRequest.HEADERS_RECEIVED = 2;
> + init_XMLHttpRequest.LOADING = 3;
> + init_XMLHttpRequest.DONE = 4;
> +
> + /** properties **/
> + init_XMLHttpRequest.prototype.status = 0;
> + init_XMLHttpRequest.prototype.statusText = "";
> + init_XMLHttpRequest.prototype.readyState =
> init_XMLHttpRequest.UNSENT;
> + init_XMLHttpRequest.prototype.responseText = "";
> + init_XMLHttpRequest.prototype.responseXML = null;
> + init_XMLHttpRequest.prototype.onsend = null;
> +
> + init_XMLHttpRequest.url = null;
> + init_XMLHttpRequest.onreadystatechange = null;
> +
> + /** methods **/
> + init_XMLHttpRequest.prototype.open = function(method, url,
> async, user, pass) {
> + var self = this;
> + this.url = url;
> +
> + this.base.onreadystatechange = function() {
> + try { self.status = self.base.status; } catch (e) { }
> + try { self.statusText = self.base.statusText; } catch (e)
> { }
> + try { self.readyState = self.base.readyState; } catch (e)
> { }
> + try { self.responseText = self.base.responseText; }
> catch(e) { }
> + try { self.responseXML = self.base.responseXML; }
> catch(e) { }
> +
> + if(self.onreadystatechange != null) {
> + self.onreadystatechange.apply(this, arguments);
> + }
> + }
> +
> + this.base.open(method, url, async, user, pass);
> + };
> +
> + init_XMLHttpRequest.prototype.send = function(data) {
> + if(this.onsend != null) {
> + this.onsend.apply(this, arguments);
> + }
> +
> + this.base.send(data);
> + };
> +
> + init_XMLHttpRequest.prototype.abort = function() {
> + this.base.abort();
> + };
> +
> + init_XMLHttpRequest.prototype.getAllResponseHeaders = function()
> {
> + return this.base.getAllResponseHeaders();
> + };
> +
> + init_XMLHttpRequest.prototype.getResponseHeader = function(name)
> {
> + return this.base.getResponseHeader(name);
> + };
> +
> + init_XMLHttpRequest.prototype.setRequestHeader = function(name,
> value) {
> + return this.base.setRequestHeader(name, value);
> + };
> +
> + /** hook **/
> + window.XMLHttpRequest = init_XMLHttpRequest;
> + }
> +
> + /** check if valid domain based on domainStrict **/
> + function isValidDomain(current, target) {
> + var result = false;
> +
> + /** check exact or subdomain match **/
> + if(current == target) {
> + result = true;
> + } else if(%DOMAIN_STRICT% == false) {
> + if(target.charAt(0) == '.') {
> + result = current.endsWith(target);
> + } else {
> + result = current.endsWith('.' + target);
> + }
> + }
> +
> + return result;
> + }
> +
> + /** determine if uri/url points to valid domain **/
> + function isValidUrl(src) {
> + var result = false;
> +
> + /** parse out domain to make sure it points to our own **/
> + if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
> "https://") {
> + var token = "://";
> + var index = src.indexOf(token);
> + var part = src.substring(index + token.length);
> + var domain = "";
> +
> + /** parse up to end, first slash, or anchor **/
> + for(var i=0; i<part.length; i++) {
> + var character = part.charAt(i);
> +
> + if(character == '/' || character == ':' || character ==
> '#') {
> + break;
> + } else {
> + domain += character;
> + }
> + }
> +
> + result = isValidDomain(document.domain, domain);
> + /** explicitly skip anchors **/
> + } else if(src.charAt(0) == '#') {
> + result = false;
> + /** ensure it is a local resource without a protocol **/
> + } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
> src.indexOf(':') == -1)) {
> + result = true;
> + }
> +
> + return result;
> + }
> +
> + /** parse uri from url **/
> + function parseUri(url) {
> + var uri = "";
> + var token = "://";
> + var index = url.indexOf(token);
> + var part = "";
> +
> + /**
> + * ensure to skip protocol and prepend context path for
> non-qualified
> + * resources (ex: "protect.html" vs
> + * "/Owasp.CsrfGuard.Test/protect.html").
> + */
> + if(index > 0) {
> + part = url.substring(index + token.length);
> + } else if(url.charAt(0) != '/') {
> + part = "%CONTEXT_PATH%/" + url;
> + } else {
> + part = url;
> + }
> +
> + /** parse up to end or query string **/
> + var uriContext = (index == -1);
> +
> + for(var i=0; i<part.length; i++) {
> + var character = part.charAt(i);
> +
> + if(character == '/') {
> + uriContext = true;
> + } else if(uriContext == true && (character == '?' ||
> character == '#')) {
> + uriContext = false;
> + break;
> + }
> +
> + if(uriContext == true) {
> + uri += character;
> + }
> + }
> +
> + return uri;
> + }
> +
> + /** inject tokens as hidden fields into forms **/
> + function injectTokenForm(form, tokenName, tokenValue,
> pageTokens,injectGetForms) {
> +
> + if (!injectGetForms) {
> + var method = form.getAttribute("method");
> +
> + if ((typeof method != 'undefined') && method != null &&
> method.toLowerCase() == "get") {
> + return;
> + }
> + }
> +
> + var value = tokenValue;
> + var action = form.getAttribute("action");
> +
> + if(action != null && isValidUrl(action)) {
> + var uri = parseUri(action);
> + value = pageTokens[uri] != null ? pageTokens[uri] :
> tokenValue;
> + }
> +
> + var hidden = document.createElement("input");
> +
> + hidden.setAttribute("type", "hidden");
> + hidden.setAttribute("name", tokenName);
> + hidden.setAttribute("value", value);
> +
> + form.appendChild(hidden);
> + }
> +
> + /** inject tokens as query string parameters into url **/
> + function injectTokenAttribute(element, attr, tokenName, tokenValue,
> pageTokens) {
> + var location = element.getAttribute(attr);
> +
> + if(location != null && isValidUrl(location)) {
> + var uri = parseUri(location);
> + var value = (pageTokens[uri] != null ? pageTokens[uri] :
> tokenValue);
> +
> + if(location.indexOf('?') != -1) {
> + location = location + '&' + tokenName + '=' + value;
> + } else {
> + location = location + '?' + tokenName + '=' + value;
> + }
> +
> + try {
> + element.setAttribute(attr, location);
> + } catch (e) {
> + // attempted to set/update unsupported attribute
> + }
> + }
> + }
> +
> + /** inject csrf prevention tokens throughout dom **/
> + function injectTokens(tokenName, tokenValue) {
> + /** obtain reference to page tokens if enabled **/
> + var pageTokens = {};
> +
> + if(%TOKENS_PER_PAGE% == true) {
> + pageTokens = requestPageTokens();
> + }
> +
> + /** iterate over all elements and injection token **/
> + var all = document.all ? document.all :
> document.getElementsByTagName('*');
> + var len = all.length;
> +
> + //these are read from the csrf guard config file(s)
> + var injectForms = %INJECT_FORMS%;
> + var injectGetForms = %INJECT_GET_FORMS%;
> + var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
> + var injectAttributes = %INJECT_ATTRIBUTES%;
> +
> + for(var i=0; i<len; i++) {
> + var element = all[i];
> +
> + /** inject into form **/
> + if(element.tagName.toLowerCase() == "form") {
> + if(injectForms) {
> + injectTokenForm(element, tokenName, tokenValue,
> pageTokens,injectGetForms);
> + }
> + if (injectFormAttributes) {
> + injectTokenAttribute(element, "action", tokenName,
> tokenValue, pageTokens);
> + }
> + /** inject into attribute **/
> + } else if(injectAttributes) {
> + injectTokenAttribute(element, "src", tokenName,
> tokenValue, pageTokens);
> + injectTokenAttribute(element, "href", tokenName,
> tokenValue, pageTokens);
> + }
> + }
> + }
> +
> + /** obtain array of page specific tokens **/
> + function requestPageTokens() {
> + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
> window.ActiveXObject("Microsoft.XMLHTTP");
> + var pageTokens = {};
> +
> + xhr.open("POST", "%SERVLET_PATH%", false);
> + xhr.send(null);
> +
> + var text = xhr.responseText;
> + var name = "";
> + var value = "";
> + var nameContext = true;
> +
> + for(var i=0; i<text.length; i++) {
> + var character = text.charAt(i);
> +
> + if(character == ':') {
> + nameContext = false;
> + } else if(character != ',') {
> + if(nameContext == true) {
> + name += character;
> + } else {
> + value += character;
> + }
> + }
> +
> + if(character == ',' || (i + 1) >= text.length) {
> + pageTokens[name] = value;
> + name = "";
> + value = "";
> + nameContext = true;
> + }
> + }
> +
> + return pageTokens;
> + }
> +
> + /**
> + * Only inject the tokens if the JavaScript was referenced from HTML
> that
> + * was served by us. Otherwise, the code was referenced from
> malicious HTML
> + * which may be trying to steal tokens using JavaScript hijacking
> techniques.
> + * The token is now removed and fetched using another POST request to
> solve,
> + * the token hijacking problem.
> + */
> + if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
> + /** optionally include Ajax support **/
> + if(%INJECT_XHR% == true) {
> + if(navigator.appName == "Microsoft Internet Explorer") {
> + hijackExplorer();
> + } else {
> + hijackStandard();
> + }
> +
> + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
> window.ActiveXObject("Microsoft.XMLHTTP");
> + var csrfToken = {};
> + xhr.open("POST", "%SERVLET_PATH%", false);
> + xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
> + xhr.send(null);
> +
> + var token_pair = xhr.responseText;
> + token_pair = token_pair.split(":");
> + var token_name = token_pair[0];
> + var token_value = token_pair[1];
> +
> + XMLHttpRequest.prototype.onsend = function(data) {
> + if(isValidUrl(this.url)) {
> + this.setRequestHeader("X-Requested-With",
> "XMLHttpRequest")
> + this.setRequestHeader(token_name, token_value);
> + }
> + };
> + }
> +
> + /** update nodes in DOM after load **/
> + addEvent(window,'unload',EventCache.flush);
> + addEvent(window,'DOMContentLoaded', function() {
> + injectTokens(token_name, token_value);
> + });
> + } else {
> + alert("OWASP CSRFGuard JavaScript was included from within an
> unauthorized domain!");
> + }
> +})();
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> ------------------------------------------------------------
> ------------------
> svn:eol-style = native
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> ------------------------------------------------------------
> ------------------
> svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> ------------------------------------------------------------
> ------------------
> svn:mime-type = text/plain
>
> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.
> properties?rev=1781366&view=auto
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
> (added)
> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
> Thu Feb 2 10:33:59 2017
> @@ -0,0 +1,417 @@
> +# The OWASP CSRFGuard Project, BSD License
> +# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
> +# All rights reserved.
> +#
> +# Redistribution and use in source and binary forms, with or without
> +# modification, are permitted provided that the following conditions are
> met:
> +#
> +# 1. Redistributions of source code must retain the above copyright
> notice,
> +# this list of conditions and the following disclaimer.
> +# 2. Redistributions in binary form must reproduce the above copyright
> +# notice, this list of conditions and the following disclaimer in the
> +# documentation and/or other materials provided with the distribution.
> +# 3. Neither the name of OWASP nor the names of its contributors may be
> used
> +# to endorse or promote products derived from this software without
> specific
> +# prior written permission.
> +#
> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
> IS"
> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
> THE
> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE
> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
> BE LIABLE
> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> CONSEQUENTIAL DAMAGES
> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
> SERVICES;
> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
> AND ON
> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS
> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> +
> +# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/
> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
> +
> +# Common substitutions
> +# %servletContext% is the servlet context (e.g. the configured app
> prefix or war file name, or blank.
> +# e.g. if you deploy a default warfile as someApp.war, then
> %servletContext% will be /someApp
> +# if there isnt a context it will be the empty string. So to use this in
> the configuration, use e.g. %servletContext%/something.html
> +# which will translate to e.g. /someApp/something.html
> +
> +# Logger
> +#
> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified
> class name of
> +# the object responsible for processing all log messages produced by
> CSRFGuard. The default
> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class
> logs all messages
> +# to System.out which JavaEE application servers redirect to a vendor
> specific log file.
> +# Developers can customize the logging behavior of CSRFGuard by
> implementing the
> +# org.owasp.csrfguard.log.ILogger interface and setting the logger
> property to the new
> +# logger's qualified class name. The following configuration snippet
> instructs OWASP CSRFGuard
> +# to capture all log messages to the console:
> +#
> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
> +
> +# Which configuration provider factory you want to use. The default is
> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
> +# Another configuration provider has more features including config
> overlays: org.owasp.csrfguard.config.overlay.
> ConfigurationOverlayProviderFactory
> +# The default configuration provider is: org.owasp.csrfguard.config.
> overlay.ConfigurationAutodetectProviderFactory
> +# which will look for an overlay file, it is there, and the factory
> inside that file is set it will use it, otherwise will be
> PropertiesConfigurationProviderFactory
> +# it needs to implement org.owasp.csrfguard.config.
> ConfigurationProviderFactory
> +org.owasp.csrfguard.configuration.provider.factory =
> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
> +
> +
> +# If csrfguard filter is enabled
> +org.owasp.csrfguard.Enabled = false
> +
> +# If csrf guard filter should check even if there is no session for the
> user
> +# Note: this changed around 2014/04, the default behavior used to be to
> +# not check if there is no session. If you want the legacy behavior (if
> your app
> +# is not susceptible to CSRF if the user has no session), set this to
> false
> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true
> +
> +# New Token Landing Page
> +#
> +# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage)
> defines where
> +# to send a user if the token is being generated for the first time, and
> the use new token landing
> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage)
> determines if any redirect happens.
> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not
> specified, and to true
> +# if it is specified.. If UseNewTokenLandingPage is set true then this
> request is generated
> +# using auto-posting forms and will only contain the CSRF prevention
> token parameter, if
> +# applicable. All query-string or form parameters sent with the original
> request will be
> +# discarded. If this property is not defined, CSRFGuard will instead
> auto-post the user to the
> +# original context and servlet path. The following configuration snippet
> instructs OWASP CSRFGuard to
> +# redirect the user to %servletContext%/index.html when the user visits a
> protected resource
> +# without having a corresponding CSRF token present in the HttpSession
> object:
> +#
> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*
> +
> +# Protected Methods
> +#
> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods)
> defines a comma
> +# separated list of HTTP request methods that should be protected by
> CSRFGuard. The default
> +# list is an empty list which will cause all HTTP methods to be
> protected, thus preserving
> +# legacy behavior. This setting allows the user to inform CSRFGuard that
> only requests of the
> +# given types should be considered for protection. All HTTP methods not
> in the list will be
> +# considered safe (i.e. view only / unable to modify data). This should
> be used only when the
> +# user has concrete knowledge that all requests made via methods not in
> the list
> +# are safe (i.e. do not apply an action to any data) since it can
> actually introduce new
> +# security vulnerabilities. For example: the user thinks that all
> actionable requests are
> +# only available by POST requests when in fact some are available via GET
> requests. If the
> +# user has excluded GET requests from the list then they have introduced
> a vulnerability.
> +# The following configuration snippet instructs OWASP CSRFGuard to
> protect only the POST,
> +# PUT, and DELETE HTTP methods.
> +#
> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
> +
> +# or you can configure all to be protected, and specify which is
> unprotected. This is the preferred approach
> +
> +# org.owasp.csrfguard.UnprotectedMethods=GET
> +
> +# Unique Per-Page Tokens
> +#
> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage)
> is a boolean value that
> +# determines if CSRFGuard should make use of unique per-page (i.e. URI)
> prevention tokens as
> +# opposed to unique per-session prevention tokens. When a user requests a
> protected resource,
> +# CSRFGuard will determine if a page specific token has been previously
> generated. If a page
> +# specific token has not yet been previously generated, CSRFGuard will
> verify the request was
> +# submitted with the per-session token intact. After verifying the
> presence of the per-session token,
> +# CSRFGuard will create a page specific token that is required for all
> subsequent requests to the
> +# associated resource. The per-session CSRF token can only be used when
> requesting a resource for
> +# the first time. All subsequent requests must have the per-page token
> intact or the request will
> +# be treated as a CSRF attack. This behavior can be changed with the
> org.owasp.csrfguard.TokenPerPagePrecreate
> +# property. Enabling this property will make CSRFGuard calculate the per
> page token prior to a first
> +# visit. This option only works with JSTL token injection and is useful
> for preserving the validity of
> +# links if the user pushes the back button. There may be a performance
> impact when enabling this option
> +# if the .jsp has a large number of proctected links that need tokens to
> be calculated.
> +# Use of the unique token per page property is currently experimental
> +# but provides a significant amount of improved security. Consider the
> exposure of a CSRF token using
> +# the legacy unique per-session model. Exposure of this token facilitates
> the attacker's ability to
> +# carry out a CSRF attack against the victim's active session for any
> resource exposed by the web
> +# application. Now consider the exposure of a CSRF token using the
> experimental unique token per-page
> +# model. Exposure of this token would only allow the attacker to carry
> out a CSRF attack against the
> +# victim's active session for a small subset of resources exposed by the
> web application. Use of the
> +# unique token per-page property is a strong defense in depth strategy
> significantly reducing the
> +# impact of exposed CSRF prevention tokens. The following configuration
> snippet instructs OWASP
> +# CSRFGuard to utilize the unique token per-page model:
> +#
> +# org.owasp.csrfguard.TokenPerPage=true
> +# org.owasp.csrfguard.TokenPerPagePrecreate=false
> +org.owasp.csrfguard.TokenPerPage=true
> +org.owasp.csrfguard.TokenPerPagePrecreate=false
> +
> +# Token Rotation
> +#
> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean
> value that determines if
> +# CSRFGuard should generate and utilize a new token after verifying the
> previous token. Rotation
> +# helps minimize the window of opportunity an attacker has to leverage
> the victim's stolen token
> +# in a targeted CSRF attack. However, this functionality generally causes
> navigation problems in
> +# most applications. Specifically, the 'Back' button in the browser will
> often cease to function
> +# properly. When a user hits the 'Back' button and interacts with the
> HTML, the browser may submit
> +# an old token causing CSRFGuard to incorrectly believe this request is a
> CSRF attack in progress
> +# (i.e. a 'false positive'). Users can prevent this scenario by
> preventing the caching of HTML pages
> +# containing FORM submissions using the cache-control header. However,
> this may also introduce
> +# performance problems as the browser will have to request HTML on a more
> frequent basis. The following
> +# configuration snippet enables token rotation:
> +#
> +# org.owasp.csrfguard.Rotate=true
> +
> +# Ajax and XMLHttpRequest Support
> +#
> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that
> indicates whether or not OWASP
> +# CSRFGuard should support the injection and verification of unique
> per-session prevention tokens for
> +# XMLHttpRequests. To leverage Ajax support, the user must not only set
> this property to true but must
> +# also reference the JavaScript DOM Manipulation code using a script
> element. This dynamic script will
> +# override the send method of the XMLHttpRequest object to ensure the
> submission of an X-Requested-With
> +# header name value pair coupled with the submission of a custom header
> name value pair for each request.
> +# The name of the custom header is the value of the token name property
> and the value of the header is
> +# always the unique per-session token value. This custom header is
> analogous to the HTTP parameter name
> +# value pairs submitted via traditional GET and POST requests. If the
> X-Requested-With header was sent
> +# in the HTTP request, then CSRFGuard will look for the presence and
> ensure the validity of the unique
> +# per-session token in the custom header name value pair. Note that
> verification of these headers takes
> +# precedence over verification of the CSRF token supplied as an HTTP
> parameter. More specifically,
> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax
> support property is enabled and
> +# the corresponding X-Requested-With and custom headers are embedded
> within the request. The following
> +# configuration snippet instructs OWASP CSRFGuard to support Ajax
> requests by verifying the presence and
> +# correctness of the X-Requested-With and custom headers:
> +#
> +# org.owasp.csrfguard.Ajax=true
> +org.owasp.csrfguard.Ajax=true
> +
> +# The default behavior of CSRFGuard is to protect all pages. Pages marked
> as unprotected will not be protected.
> +# If the Protect property is enabled, this behavior is reversed. Pages
> must be marked as protected to be protected.
> +# All other pages will not be protected. This is useful when the
> CsrfGuardFilter is aggressively mapped (ex: /*),
> +# but you only want to protect a few pages.
> +#
> +# org.owasp.csrfguard.Protect=true
> +
> +# Unprotected Pages:
> +#
> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*)
> defines a series of pages that
> +# should not be protected by CSRFGuard. Such configurations are useful
> when the CsrfGuardFilter is
> +# aggressively mapped (ex: /*). The syntax of the property name is
> org.owasp.csrfguard.unprotected.[PageName],
> +# where PageName is some arbitrary identifier that can be used to
> reference a resource. The syntax of
> +# defining the uri of unprotected pages is the same as the syntax used by
> the JavaEE container for uri mapping.
> +# Specifically, CSRFGuard will identify the first match (if any) between
> the requested uri and an unprotected
> +# page in order of declaration. Match criteria is as follows:
> +#
> +# Case 1: exact match between request uri and unprotected page
> +# Case 2: longest path prefix match, beginning / and ending /*
> +# Case 3: extension match, beginning *.
> +# Case 4: if the value starts with ^ and ends with $, it will be
> evaulated as a regex. Note that before the
> +# regex is compiled, any common variables will be substituted (e.g.
> %servletContext%)
> +# Default: requested resource must be validated by CSRFGuard
> +#
> +# The following code snippet illustrates the four use cases over four
> examples. The first two examples
> +# (Tag and JavaScriptServlet) look for direct URI matches. The third
> example (Html) looks for all resources
> +# ending in a .html extension. The next example (Public) looks for all
> resources prefixed with the URI path /MySite/Public/*.
> +# The last example looks for resources that end in Public.do
> +#
> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/
> JavaScriptServlet
> +# org.owasp.csrfguard.unprotected.Html=*.html
> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
> +# regex example starts with ^ and ends with $, and the %servletContext%
> is evaluated before the regex
> +# org.owasp.csrfguard.unprotected.PublicServlet=^%
> servletContext%/.*Public\.do$
> +
> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/
> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
> +org.owasp.csrfguard.unprotected.JavaScriptServlet=
> %servletContext%/control/JavaScriptServlet
> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.
> html
> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
> +org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/*
> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
> +
> +# Actions: Responding to Attacks
> +#
> +# The actions directive (org.owasp.csrfguard.action.*) gives the user the
> ability to specify one or more
> +# actions that should be invoked when a CSRF attack is detected. Every
> action must implement the
> +# org.owasp.csrfguard.action.IAction interface either directly or
> indirectly through the
> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions
> accept parameters that can be specified
> +# along with the action class declaration. These parameters are consumed
> at runtime and impact the behavior of
> +# the associated action.
> +#
> +# The syntax for defining and configuring CSRFGuard actions is relatively
> straight forward. Let us assume we wish
> +# to redirect the user to a default page when a CSRF attack is detected.
> A redirect action already exists within
> +# the CSRFGuard bundle and is available via the class name
> org.owasp.csrfguard.actions.Redirect. In order to enable
> +# this action, we capture the following declaration in the
> Owasp.CsrfGuard.properties file:
> +#
> +# syntax: org.owasp.csrfguard.action.[actionName]=[className]
> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.
> csrfguard.actions.Redirect
> +#
> +# The aforementioned directive declares an action called "Redirect" (i.e.
> [actionName]) referencing the Java class
> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a
> CSRF attack is detected, the Redirect action
> +# will be executed. You may be asking yourself, "but how do I specify
> where the user is redirected?"; this is where
> +# action parameters come into play. In order to specify the redirect
> location, we capture the following declaration
> +# in the Owasp.CsrfGuard.properties file:
> +#
> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[
> parameterValue]
> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%
> servletContext%/error.html
> +#
> +# The aforementioned directive declares an action parameter called
> "ErrorPage" (i.e. [parameterName]) with the value
> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action
> "Redirect" (i.e. [actionName]). The
> +# Redirect action expects the "ErrorPage" parameter to be defined and
> will redirect the user to this location when
> +# an attack is detected.
> +#
> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> +org.owasp.csrfguard.action.Log.Message=potential cross-site request
> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
> method:%request_method%, uri:%request_uri%, error:%exception_message%)
> +#org.owasp.csrfguard.action.Invalidate=org.owasp.
> csrfguard.action.Invalidate
> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.
> RequestAttribute
> +#org.owasp.csrfguard.action.RequestAttribute.
> AttributeName=Owasp_CsrfGuard_Exception_Key
> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.
> SessionAttribute
> +org.owasp.csrfguard.action.SessionAttribute.
> AttributeName=Owasp_CsrfGuard_Exception_Key
> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
> +#org.owasp.csrfguard.action.Error.Code=403
> +#org.owasp.csrfguard.action.Error.Message=Security violation.
> +
> +# Token Name
> +#
> +# The token name property (org.owasp.csrfguard.TokenName) defines the
> name of the HTTP parameter
> +# to contain the value of the OWASP CSRFGuard token for each request. The
> following configuration
> +# snippet sets the CSRFGuard token parameter name to the value
> OWASP_CSRFTOKEN:
> +#
> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> +
> +# Session Key
> +#
> +# The session key property (org.owasp.csrfguard.SessionKey) defines the
> string literal used to save
> +# and lookup the CSRFGuard token from the session. This value is used by
> the filter and the tag
> +# libraries to retrieve and set the token value in the session.
> Developers can use this key to
> +# programmatically lookup the token within their own code. The following
> configuration snippet sets
> +# the session key to the value OWASP_CSRFTOKEN:
> +#
> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> +
> +# Token Length
> +#
> +# The token length property (org.owasp.csrfguard.TokenLength) defines
> the number of characters that
> +# should be found within the CSRFGuard token. Note that characters are
> delimited by dashes (-) in groups
> +# of four. For cosmetic reasons, users are encourage to ensure the token
> length is divisible by four.
> +# The following configuration snippet sets the token length property to
> 32 characters:
> +#
> +# org.owasp.csrfguard.TokenLength=32
> +org.owasp.csrfguard.TokenLength=32
> +
> +# Pseudo-random Number Generator
> +#
> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG)
> defines what PRNG should be used
> +# to generate the OWASP CSRFGuard token. Always ensure this value
> references a cryptographically strong
> +# pseudo-random number generator algorithm. The following configuration
> snippet sets the pseudo-random number
> +# generator to SHA1PRNG:
> +#
> +# org.owasp.csrfguard.PRNG=SHA1PRNG
> +org.owasp.csrfguard.PRNG=SHA1PRNG
> +
> +# Pseudo-random Number Generator Provider
> +
> +# The pseudo-random number generator provider property
> (org.owasp.csrfguard.PRNG.Provider) defines which
> +# provider's implementation of org.owasp.csrfguard.PRNG we should
> utilize. The following configuration
> +# snippet instructs the JVM to leverage SUN's implementation of the
> algorithm denoted by the
> +# org.owasp.csrfguard.PRNG property:
> +
> +# org.owasp.csrfguard.PRNG.Provider=SUN
> +org.owasp.csrfguard.PRNG.Provider=SUN
> +
> +# If not specifying the print config option in the web.xml, you can
> specify it here, to print the config
> +# on startup
> +org.owasp.csrfguard.Config.Print = true
> +
> +###########################
> +## Javascript servlet settings if not set in web.xml
> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
> +###########################
> +
> +# leave this blank and blank in web.xml and it will read from
> META-INF/csrfguard.js from the jarfile
> +# Denotes the location of the JavaScript template file that should be
> consumed and dynamically
> +# augmented by the JavaScriptServlet class. The default value is
> WEB-INF/Owasp.CsrfGuard.js.
> +# Use of this property and the existence of the specified template file
> is required.
> +#org.owasp.csrfguard.JavascriptServlet.sourceFile =
> WEB-INF/Owasp.CsrfGuard.js
> +org.owasp.csrfguard.JavascriptServlet.sourceFile =
> WEB-INF/Owasp.CsrfGuard.js
> +
> +# Boolean value that determines whether or not the dynamic JavaScript
> code should be strict
> +# with regards to what links it should inject the CSRF prevention token.
> With a value of true,
> +# the JavaScript code will only place the token in links that point to
> the same exact domain
> +# from which the HTML originated. With a value of false, the JavaScript
> code will place the
> +# token in links that not only point to the same exact domain from which
> the HTML originated,
> +# but sub-domains as well.
> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true
> +
> +# Allows the developer to specify the value of the Cache-Control header
> in the HTTP response
> +# when serving the dynamic JavaScript file. The default value is private,
> maxage=28800.
> +# Caching of the dynamic JavaScript file is intended to minimize traffic
> and improve performance.
> +# Note that the Cache-Control header is always set to "no-store" when
> either the "Rotate"
> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private,
> maxage=28800
> +
> +# Allows the developer to specify a regular expression describing the
> required value of the
> +# Referer header. Any attempts to access the servlet with a Referer
> header that does not
> +# match the captured expression is discarded. Inclusion of referer header
> checking is to
> +# help minimize the risk of JavaScript Hijacking attacks that attempt to
> steal tokens from
> +# the dynamically generated JavaScript. While the primary defenses
> against JavaScript
> +# Hijacking attacks are implemented within the dynamic JavaScript itself,
> referer header
> +# checking is implemented to achieve defense in depth.
> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
> +
> +# Similar to javascript servlet referer pattern, but this will make sure
> the referer of the
> +# javascript servlet matches the domain of the request. If there is no
> referer (proxy strips it?)
> +# then it will not fail. Generally this is a good idea to be true.
> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
> +
> +# Boolean value that determines whether or not the dynamic JavaScript
> code should
> +# inject the CSRF prevention token as a hidden field into HTML forms. The
> default
> +# value is true. Developers are strongly discouraged from disabling this
> property
> +# as most server-side state changing actions are triggered via a POST
> request.
> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
> +
> +# if the token should be injected in GET forms (which will be on the URL)
> +# if the HTTP method GET is unprotected, then this should likely be false
> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
> +
> +# if the token should be injected in the action in forms
> +# note, if injectIntoForms is true, then this might not need to be true
> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
> +
> +
> +# Boolean value that determines whether or not the dynamic JavaScript
> code should
> +# inject the CSRF prevention token in the query string of src and href
> attributes.
> +# Injecting the CSRF prevention token in a URL resource increases its
> general risk
> +# of exposure to unauthorized parties. However, most JavaEE web
> applications respond
> +# in the exact same manner to HTTP requests and their associated
> parameters regardless
> +# of the HTTP method. The risk associated with not protecting GET
> requests in this
> +# situation is perceived greater than the risk of exposing the token in
> protected GET
> +# requests. As a result, the default value of this attribute is set to
> true. Developers
> +# that are confident their server-side state changing controllers will
> only respond to
> +# POST requests (i.e. discarding GET requests) are strongly encouraged to
> disable this property.
> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
> +
> +
> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard
> Project
> +
> +###########################
> +## Config overlay settings if you have the provider above set to
> ConfigurationOverlayProvider
> +## This CSRF config provider uses Internet2 Configuration Overlays
> (documented on Internet2 wiki)
> +## By default the configuration is read from the
> Owasp.CsrfGuard.properties
> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties
> overlays
> +## the base settings. See the Owasp.CsrfGuard.properties for the possible
> +## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
> +###########################
> +
> +# comma separated config files that override each other (files on the
> right override the left)
> +# each should start with file: or classpath:
> +# e.g. classpath:Owasp.CsrfGuard.properties,
> file:c:/temp/myFile.properties
> +org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties,
> classpath:Owasp.CsrfGuard.overlay.properties
> +
> +# seconds between checking to see if the config files are updated
> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
> +
> +
> +###########################
> +
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> ------------------------------------------------------------
> ------------------
> svn:eol-style = native
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> ------------------------------------------------------------
> ------------------
> svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> ------------------------------------------------------------
> ------------------
> svn:mime-type = text/plain
>
>
>