Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2020/04/17 15:55:00 UTC

[jira] [Comment Edited] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085883#comment-17085883 ] 

Jacques Le Roux edited comment on OFBIZ-4956 at 4/17/20, 3:54 PM:
------------------------------------------------------------------

I made some related points in

https://markmail.org/message/64jjkuwarn7trsyi
{quote}
In relation with OFBIZ-4956, we need to check the remaining 195 cases where auth="false" and decide if we should change to "true", with the CSRF defense then used by default. In other cases (auth="false" must remain) we need to decide if we should set the CSRF token check to false.
{quote}

https://markmail.org/message/w7zuiccl2evnrw7t
{quote}
If someone tries to use a request that is not auth protected, the CSRF defenses (token + same-site) will not allow it from another domain if csrf-token is not set to false. That's already reassuring, and we may not need to worry much about the remaining 195 cases where auth="false", because some of them are obviously needed, like all those related to login or password change. For the others it may turn out that they are also needed for other reasons. For them we need to test them one by one and in some cases set csrf-token to false, for instance in the case of requests in an anonymous flow. So finally, despite the remaining 195 cases, it should not be too hard or too long to decide on this.
{quote}

https://markmail.org/message/chklzrmhskvbspzv, notably
bq. I don't think there is a need to systematise a default to csrf-token="false" when auth="false". I just want to work on OFBIZ-4956 and, while doing so, check that if we change auth="false" to true, as it implies csrf-token="true", there will not be undesired side effects. And in other cases (auth="false" must remain) we need to decide if we should set the CSRF token check to false.


was (Author: jacques.le.roux):
I made some related points in https://markmail.org/message/chklzrmhskvbspzv, notably

bq. I don't think there is a need to systematise a default to csrf-token="false" when auth="false". I just want to work on OFBIZ-4956 and, while doing so, check that if we change auth="false" to true, as it implies csrf-token="true", there will not be undesired side effects. And in other cases (auth="false" must remain) we need to decide if we should set the CSRF token check to false.

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 11.04, Release Branch 12.04, Release Branch 13.07, Trunk
>            Reporter: Amardeep Singh Jhajj
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access any resources without authorization.
> For example: https://demo-trunk.ofbiz.apache.org/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components.
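An audit helper for the one-by-one review of auth="false" request-maps discussed in the comment above, added here as an example and not code from OFBiz or from anyone in this thread. It assumes the controller.xml <security> element carries https, auth and csrf-token attributes with auth and https defaulting to false, and runs over a constructed sample file:

```python
import xml.etree.ElementTree as ET

# Constructed sample controller.xml, not a real OFBiz file. The https/auth/
# csrf-token attributes on <security> and their defaults are assumptions here.
SAMPLE_CONTROLLER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
    <request-map uri="ViewSimpleContent">
        <security https="true" auth="false"/>
        <response name="success" type="view" value="ViewSimpleContent"/>
    </request-map>
    <request-map uri="login">
        <security https="true" auth="false" csrf-token="false"/>
    </request-map>
    <request-map uri="EditContent">
        <security https="true" auth="true"/>
    </request-map>
    <request-map uri="ViewPublic">
        <security https="false" auth="false"/>
    </request-map>
</site-conf>
"""

NS = "{http://ofbiz.apache.org/Site-Conf}"

def audit_request_maps(xml_text):
    """List (uri, https, auth, csrf_token) for every request-map that is
    reachable without a login, i.e. whose auth attribute is not "true"."""
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter(NS + "request-map"):
        sec = rm.find(NS + "security")
        https = sec.get("https", "false") if sec is not None else "false"
        auth = sec.get("auth", "false") if sec is not None else "false"
        csrf = sec.get("csrf-token") if sec is not None else None
        if auth != "true":
            findings.append((rm.get("uri"), https, auth, csrf))
    return findings

def triage(finding):
    """Review questions for one unauthenticated request, following the thread:
    keep the CSRF check on, or switch it off only for flows that need it."""
    uri, https, auth, csrf = finding
    notes = []
    if https != "true":
        notes.append("https=false: should this request really allow plain HTTP?")
    if csrf is None:
        notes.append("auth=false with default csrf-token: can auth become true?")
    elif csrf == "false":
        notes.append("csrf-token=false: confirm an anonymous flow needs it")
    return notes
```

Pointing audit_request_maps at each real controller.xml gives the list of cases to go through, and triage records which question each one still has open.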



--
This message was sent by Atlassian Jira
(v8.3.4#803005)