You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Julian Reschke (JIRA)" <ji...@apache.org> on 2016/08/30 13:02:20 UTC

[jira] [Commented] (JCR-4009) CSRF in Jackrabbit-Webdav

    [ https://issues.apache.org/jira/browse/JCR-4009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15448951#comment-15448951 ] 

Julian Reschke commented on JCR-4009:
-------------------------------------

I believe the right fix is to undo the changes for JCR-4002, and to improve the existing protection to handle empty media types, and also to parse the content type header field properly, lowercase it and then to check it against the white list.

> CSRF in Jackrabbit-Webdav
> -------------------------
>
>                 Key: JCR-4009
>                 URL: https://issues.apache.org/jira/browse/JCR-4009
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.13.2
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Blocker
>              Labels: csrf, security, webdav
>
> The changes for JCR-4002 have disabled CRFS checking for POST, and thus leave the remoting servlet open for attacks. This HTML form below:
> {noformat}
> <form action="http://localhost:8080/server/default/jcr:root/" method="post">
>     <input type="text" id="name" name="user_name" />
>     <button type="submit">Send your message</button>
>     </form>
> {noformat}
> will successfully cross-origin-POST to jackrabbit-standalone.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)