You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Julian Reschke (JIRA)" <ji...@apache.org> on 2016/08/31 06:51:21 UTC
[jira] [Comment Edited] (JCR-4009) CSRF in Jackrabbit-Webdav
[ https://issues.apache.org/jira/browse/JCR-4009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15449446#comment-15449446 ]
Julian Reschke edited comment on JCR-4009 at 8/31/16 6:51 AM:
--------------------------------------------------------------
I have a semi-functional patch. It currently fails integration tests as it properly handles parameters on content-types, and guess what, now the Davex remoting calls are rejected, they use types such as "multipart/form-data; boundary=..."
EDIT: this means that the old CSRF protection hasn't been working for Davex.
was (Author: reschke):
I have a semi-functional patch. It currently fails integration tests as it properly handles parameters on content-types, and guess what, now the Davex remoting calls are rejected, they use types such as "multipart/form-data; boundary=..."
> CSRF in Jackrabbit-Webdav
> -------------------------
>
> Key: JCR-4009
> URL: https://issues.apache.org/jira/browse/JCR-4009
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webdav
> Affects Versions: 2.13.2
> Reporter: Julian Reschke
> Assignee: Julian Reschke
> Priority: Blocker
> Labels: csrf, security, webdav
>
> The changes for JCR-4002 have disabled CRFS checking for POST, and thus leave the remoting servlet open for attacks. This HTML form below:
> {noformat}
> <form action="http://localhost:8080/server/default/jcr:root/" method="post">
> <input type="text" id="name" name="user_name" />
> <button type="submit">Send your message</button>
> </form>
> {noformat}
> will successfully cross-origin-POST to jackrabbit-standalone.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)