Posted to commits@jspwiki.apache.org by ju...@apache.org on 2022/07/14 18:00:02 UTC
[jspwiki] 01/07: Bring CSRF protection to group management JSPs
This is an automated email from the ASF dual-hosted git repository.
juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 1d9c4410d0c747b15e791b8b765284dfcfb66ed4
Author: Juan Pablo Santos RodrÃguez <ju...@gmail.com>
AuthorDate: Thu Jul 14 19:37:27 2022 +0200
Bring CSRF protection to group management JSPs
---
.../wiki/http/filter/CsrfProtectionFilter.java | 31 +++++++++++++++-------
jspwiki-war/src/main/webapp/DeleteGroup.jsp | 6 +++++
jspwiki-war/src/main/webapp/EditGroup.jsp | 15 ++++++-----
jspwiki-war/src/main/webapp/NewGroup.jsp | 5 ++++
4 files changed, 40 insertions(+), 17 deletions(-)
diff --git a/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java b/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
index aed2ca8e4..808c3517c 100644
--- a/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
+++ b/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
@@ -13,8 +13,8 @@ import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
-import java.io.PrintWriter;
/**
@@ -36,25 +36,36 @@ public class CsrfProtectionFilter implements Filter {
/** {@inheritDoc} */
@Override
public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain ) throws IOException, ServletException {
- if( "POST".equalsIgnoreCase( ( ( HttpServletRequest ) request ).getMethod() ) ) {
+ if( isPost( ( HttpServletRequest ) request ) ) {
final Engine engine = Wiki.engine().find( request.getServletContext(), null );
final Session session = Wiki.session().find( engine, ( HttpServletRequest ) request );
- if( !session.antiCsrfToken().equals( request.getParameter( ANTICSRF_PARAM ) ) ) {
+ if( !requestContainsValidCsrfToken( request, session ) ) {
LOG.error( "Incorrect {} param with value '{}' received for {}",
ANTICSRF_PARAM, request.getParameter( ANTICSRF_PARAM ), ( ( HttpServletRequest ) request ).getPathInfo() );
- final PrintWriter out = response.getWriter();
- out.print("<!DOCTYPE html><html lang=\"en\"><head><title>Fatal problem with JSPWiki</title></head>");
- out.print("<body>");
- out.print("<h1>CSRF injection detected</h1>");
- out.print("<p>A CSRF injection has been detected, so the request has been stopped</p>");
- out.print("<p>Please check your system logs to pinpoint the request origin, someone's trying to mess with your installation.</p>");
- out.print("</body></html>");
+ ( ( HttpServletResponse ) response ).sendRedirect( "/error/Forbidden.html" );
return;
}
}
chain.doFilter( request, response );
}
+ public static boolean isCsrfProtectedPost( final HttpServletRequest request ) {
+ if( isPost( request ) ) {
+ final Engine engine = Wiki.engine().find( request.getServletContext(), null );
+ final Session session = Wiki.session().find( engine, request );
+ return requestContainsValidCsrfToken( request, session );
+ }
+ return false;
+ }
+
+ private static boolean requestContainsValidCsrfToken( final ServletRequest request, final Session session ) {
+ return session.antiCsrfToken().equals( request.getParameter( ANTICSRF_PARAM ) );
+ }
+
+ static boolean isPost( final HttpServletRequest request ) {
+ return "POST".equalsIgnoreCase( request.getMethod() );
+ }
+
/** {@inheritDoc} */
@Override
public void destroy() {
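Review bot: `requestContainsValidCsrfToken` (new side, after `doFilter`) compares the session's anti-CSRF token with the request parameter via `String.equals`, which stops at the first differing character; a secret should be compared with `MessageDigest.isEqual` over the UTF-8 bytes (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`), behind a null guard because `isEqual` does not accept null arrays. Separately, the rejection branch in `doFilter` now answers with a 302 to `/error/Forbidden.html`: a leading-slash location is resolved against the container root rather than the webapp, so unless JSPWiki is deployed at the root context the target lies outside the application, and the client receives a redirect where a 403 is the honest status; `( ( HttpServletResponse ) response ).sendError( HttpServletResponse.SC_FORBIDDEN )`, or prefixing `request.getContextPath()` if the redirect is kept, addresses both. The same literal is repeated in DeleteGroup.jsp, EditGroup.jsp and NewGroup.jsp. The rewritten helper is below.
```java
    private static boolean requestContainsValidCsrfToken( final ServletRequest request, final Session session ) {
        final String expected = session.antiCsrfToken();
        final String received = request.getParameter( ANTICSRF_PARAM );
        if( expected == null || received == null ) {
            return false;
        }
        // Length-independent comparison: String.equals returns at the first mismatching character.
        return MessageDigest.isEqual( expected.getBytes( StandardCharsets.UTF_8 ),
                                      received.getBytes( StandardCharsets.UTF_8 ) );
    }
```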
diff --git a/jspwiki-war/src/main/webapp/DeleteGroup.jsp b/jspwiki-war/src/main/webapp/DeleteGroup.jsp
index 17570bf38..275f6ccf5 100644
--- a/jspwiki-war/src/main/webapp/DeleteGroup.jsp
+++ b/jspwiki-war/src/main/webapp/DeleteGroup.jsp
@@ -25,6 +25,7 @@
<%@ page import="org.apache.wiki.auth.NoSuchPrincipalException" %>
<%@ page import="org.apache.wiki.auth.WikiSecurityException" %>
<%@ page import="org.apache.wiki.auth.authorize.GroupManager" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
<%@ page import="org.apache.wiki.preferences.Preferences" %>
<%@ page errorPage="/Error.jsp" %>
<%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
@@ -50,6 +51,11 @@
response.sendRedirect( "Group.jsp" );
}
+ if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+ response.sendRedirect( "/error/Forbidden.html" );
+ return;
+ }
+
// Check that the group exists first
try
{
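Review bot: The new token check sits directly after `response.sendRedirect( "Group.jsp" ); }` with no `return` visible in that branch, so when that branch runs the added `sendRedirect( "/error/Forbidden.html" )` is a second redirect on an already committed response and will throw `IllegalStateException` (ending up in the errorPage); the block that closes at that `}` starts outside the hunk, so the earlier branch may already return — worth confirming. If it does not, add `return;` after the `Group.jsp` redirect, or guard the new check with `if( !response.isCommitted() )`. EditGroup.jsp has the same shape: its `catch ( WikiSecurityException e )` redirects to Group.jsp and falls through into the new check inside the `save` branch.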
diff --git a/jspwiki-war/src/main/webapp/EditGroup.jsp b/jspwiki-war/src/main/webapp/EditGroup.jsp
index 72b1b322c..94277752a 100644
--- a/jspwiki-war/src/main/webapp/EditGroup.jsp
+++ b/jspwiki-war/src/main/webapp/EditGroup.jsp
@@ -25,6 +25,7 @@
<%@ page import="org.apache.wiki.auth.WikiSecurityException" %>
<%@ page import="org.apache.wiki.auth.authorize.Group" %>
<%@ page import="org.apache.wiki.auth.authorize.GroupManager" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
<%@ page import="org.apache.wiki.preferences.Preferences" %>
<%@ page import="org.apache.wiki.ui.TemplateManager" %>
<%@ page errorPage="/Error.jsp" %>
@@ -43,20 +44,20 @@
Session wikiSession = wikiContext.getWikiSession();
GroupManager groupMgr = wiki.getManager( GroupManager.class );
Group group = null;
- try
- {
+ try {
group = groupMgr.parseGroup( wikiContext, false );
pageContext.setAttribute ( "Group", group, PageContext.REQUEST_SCOPE );
- }
- catch ( WikiSecurityException e )
- {
+ } catch ( WikiSecurityException e ) {
wikiSession.addMessage( GroupManager.MESSAGES_KEY, e.getMessage() );
response.sendRedirect( "Group.jsp" );
}
// Are we saving the group?
- if( "save".equals(request.getParameter("action")) )
- {
+ if( "save".equals( request.getParameter( "action" ) ) ) {
+ if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+ response.sendRedirect( "/error/Forbidden.html" );
+ return;
+ }
// Validate the group
groupMgr.validateGroup( wikiContext, group );
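Review bot: The hunk restyles the braces of the unchanged `try`/`catch` and `if( "save"... )` blocks in the same change that adds the CSRF gate, so only three of the roughly a dozen touched lines are security-relevant and `git blame` will attribute the cosmetic lines to this fix. Keeping the brace reformat in a separate commit leaves the gate itself easy to audit later. The `if( "save"... )` block continues outside the hunk.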
diff --git a/jspwiki-war/src/main/webapp/NewGroup.jsp b/jspwiki-war/src/main/webapp/NewGroup.jsp
index 3fd4a0b20..5f098f78f 100644
--- a/jspwiki-war/src/main/webapp/NewGroup.jsp
+++ b/jspwiki-war/src/main/webapp/NewGroup.jsp
@@ -28,6 +28,7 @@
<%@ page import="org.apache.wiki.auth.AuthorizationManager" %>
<%@ page import="org.apache.wiki.auth.authorize.Group" %>
<%@ page import="org.apache.wiki.auth.authorize.GroupManager" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
<%@ page import="org.apache.wiki.preferences.Preferences" %>
<%@ page import="org.apache.wiki.ui.TemplateManager" %>
<%@ page errorPage="/Error.jsp" %>
@@ -37,6 +38,10 @@
%>
<%
+ if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+ response.sendRedirect( "/error/Forbidden.html" );
+ return;
+ }
Engine wiki = Wiki.engine().find( getServletConfig() );
// Create wiki context and check for authorization
Context wikiContext = Wiki.context().create( wiki, request, ContextEnum.WIKI_CREATE_GROUP.getRequestContext() );
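Review bot: The gate is placed before the page does anything else, and `isCsrfProtectedPost` returns false for every non-POST request, so a plain GET of NewGroup.jsp is now redirected to Forbidden; if this page also renders the empty group form on GET, that form is no longer reachable. EditGroup.jsp places the same check inside its `"save"` action branch, which is the narrower and consistent position, e.g. `if( "save".equals( request.getParameter( "action" ) ) && !CsrfProtectionFilter.isCsrfProtectedPost( request ) )`. The rest of the scriptlet, including any action handling, is outside the hunk, so the GET concern is inferred from the helper's contract rather than from visible lines.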