This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 1d9c4410d0c747b15e791b8b765284dfcfb66ed4
Author: Juan Pablo Santos RodrÃguez <[email protected]>
AuthorDate: Thu Jul 14 19:37:27 2022 +0200
Bring CSRF protection to group management JSPs
---
.../wiki/http/filter/CsrfProtectionFilter.java | 31 +++++++++++++++-------
jspwiki-war/src/main/webapp/DeleteGroup.jsp | 6 +++++
jspwiki-war/src/main/webapp/EditGroup.jsp | 15 ++++++-----
jspwiki-war/src/main/webapp/NewGroup.jsp | 5 ++++
4 files changed, 40 insertions(+), 17 deletions(-)
diff --git a/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java b/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
index aed2ca8e4..808c3517c 100644
--- a/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
+++ b/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
@@ -13,8 +13,8 @@
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.io.PrintWriter;
 /**
@@ -36,25 +36,36 @@ public class CsrfProtectionFilter implements Filter { /** {@inheritDoc} */ @Override public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain ) throws IOException, ServletException { - if( "POST".equalsIgnoreCase( ( ( HttpServletRequest ) request ).getMethod() ) ) { + if( isPost( ( HttpServletRequest ) request ) ) { final Engine engine = Wiki.engine().find( request.getServletContext(), null ); final Session session = Wiki.session().find( engine, ( HttpServletRequest ) request ); - if( !session.antiCsrfToken().equals( request.getParameter( ANTICSRF_PARAM ) ) ) { + if( !requestContainsValidCsrfToken( request, session ) ) { LOG.error( "Incorrect {} param with value '{}' received for {}", ANTICSRF_PARAM, request.getParameter( ANTICSRF_PARAM ), ( ( HttpServletRequest ) request ).getPathInfo() ); - final PrintWriter out = response.getWriter(); - out.print("<!DOCTYPE html><html lang=\"en\"><head><title>Fatal problem with JSPWiki</title></head>"); - out.print("<body>"); - out.print("<h1>CSRF injection detected</h1>"); - out.print("<p>A CSRF injection has been detected, so the request has been stopped</p>"); - out.print("<p>Please check your system logs to pinpoint the request origin, someone's trying to mess with your installation.</p>"); - out.print("</body></html>"); + ( ( HttpServletResponse ) response ).sendRedirect( "/error/Forbidden.html" ); return; } } chain.doFilter( request, response ); } + public static boolean isCsrfProtectedPost( final HttpServletRequest request ) { + if( isPost( request ) ) { + final Engine engine = Wiki.engine().find( request.getServletContext(), null ); + final Session session = Wiki.session().find( engine, request ); + return requestContainsValidCsrfToken( request, session ); + } + return false; + } + + private static boolean requestContainsValidCsrfToken( final ServletRequest request, final Session session ) { + return session.antiCsrfToken().equals( 
request.getParameter( ANTICSRF_PARAM ) ); + } + + static boolean isPost( final HttpServletRequest request ) { + return "POST".equalsIgnoreCase( request.getMethod() ); + } + /** {@inheritDoc} */ @Override public void destroy() { diff --git a/jspwiki-war/src/main/webapp/DeleteGroup.jsp b/jspwiki-war/src/main/webapp/DeleteGroup.jsp index 17570bf38..275f6ccf5 100644 --- a/jspwiki-war/src/main/webapp/DeleteGroup.jsp +++ b/jspwiki-war/src/main/webapp/DeleteGroup.jsp @@ -25,6 +25,7 @@ <%@ page import="org.apache.wiki.auth.NoSuchPrincipalException" %> <%@ page import="org.apache.wiki.auth.WikiSecurityException" %> <%@ page import="org.apache.wiki.auth.authorize.GroupManager" %> +<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %> <%@ page import="org.apache.wiki.preferences.Preferences" %> <%@ page errorPage="/Error.jsp" %> <%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %> @@ -50,6 +51,11 @@ response.sendRedirect( "Group.jsp" ); } + if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) { + response.sendRedirect( "/error/Forbidden.html" ); + return; + } + // Check that the group exists first try { diff --git a/jspwiki-war/src/main/webapp/EditGroup.jsp b/jspwiki-war/src/main/webapp/EditGroup.jsp index 72b1b322c..94277752a 100644 --- a/jspwiki-war/src/main/webapp/EditGroup.jsp +++ b/jspwiki-war/src/main/webapp/EditGroup.jsp @@ -25,6 +25,7 @@ <%@ page import="org.apache.wiki.auth.WikiSecurityException" %> <%@ page import="org.apache.wiki.auth.authorize.Group" %> <%@ page import="org.apache.wiki.auth.authorize.GroupManager" %> +<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %> <%@ page import="org.apache.wiki.preferences.Preferences" %> <%@ page import="org.apache.wiki.ui.TemplateManager" %> <%@ page errorPage="/Error.jsp" %> 
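Review bot: The new `requestContainsValidCsrfToken` compares the session token with the request parameter via `String.equals`, which stops at the first differing character and throws NullPointerException if `session.antiCsrfToken()` is ever null, so the comparison should null-guard both sides and use `MessageDigest.isEqual` on the UTF-8 bytes (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`). The new `sendRedirect( "/error/Forbidden.html" )` is resolved by the container against the server root rather than the webapp's context path, so it misses if JSPWiki is deployed under a non-root context, and it answers a rejected POST with a 302 instead of a 403; prefixing `request.getContextPath()` or using `sendError( HttpServletResponse.SC_FORBIDDEN )` is more robust, and the same literal appears in the DeleteGroup.jsp, EditGroup.jsp and NewGroup.jsp hunks. The new public `isCsrfProtectedPost` has no Javadoc; it should say that it returns false for any non-POST request as well as for a POST without a valid token, so callers must gate only the state-changing branch with it. The enclosing class continues outside the hunk.
```java
private static boolean requestContainsValidCsrfToken( final ServletRequest request, final Session session ) {
    final String expected = session.antiCsrfToken();
    final String received = request.getParameter( ANTICSRF_PARAM );
    if( expected == null || received == null ) {
        return false;
    }
    // constant-time comparison: String.equals returns as soon as a character differs
    return MessageDigest.isEqual( expected.getBytes( StandardCharsets.UTF_8 ),
                                  received.getBytes( StandardCharsets.UTF_8 ) );
}
```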
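Review bot: The new gate rejects every request that is not a POST carrying a valid `ANTICSRF_PARAM`, yet this commit adds no hidden token field to the group forms, so unless the templates already emit the token (not visible here) legitimate deletions will now land on Forbidden.html; worth confirming the delete form in the group view is a POST that includes the token before merging. The gate also sits directly after a `response.sendRedirect( "Group.jsp" )` that has no `return`, so on that path execution reaches the new check on an already-committed response; a `return;` after the existing redirect would make the new gate the only exit there. The scriptlet continues outside the hunk.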
@@ -43,20 +44,20 @@ Session wikiSession = wikiContext.getWikiSession(); GroupManager groupMgr = wiki.getManager( GroupManager.class ); Group group = null; - try - { + try { group = groupMgr.parseGroup( wikiContext, false ); pageContext.setAttribute ( "Group", group, PageContext.REQUEST_SCOPE ); - } - catch ( WikiSecurityException e ) - { + } catch ( WikiSecurityException e ) { wikiSession.addMessage( GroupManager.MESSAGES_KEY, e.getMessage() ); response.sendRedirect( "Group.jsp" ); } // Are we saving the group? - if( "save".equals(request.getParameter("action")) ) - { + if( "save".equals( request.getParameter( "action" ) ) ) { + if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) { + response.sendRedirect( "/error/Forbidden.html" ); + return; + } // Validate the group groupMgr.validateGroup( wikiContext, group ); diff --git a/jspwiki-war/src/main/webapp/NewGroup.jsp b/jspwiki-war/src/main/webapp/NewGroup.jsp index 3fd4a0b20..5f098f78f 100644 --- a/jspwiki-war/src/main/webapp/NewGroup.jsp +++ b/jspwiki-war/src/main/webapp/NewGroup.jsp @@ -28,6 +28,7 @@ <%@ page import="org.apache.wiki.auth.AuthorizationManager" %> <%@ page import="org.apache.wiki.auth.authorize.Group" %> <%@ page import="org.apache.wiki.auth.authorize.GroupManager" %> +<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %> <%@ page import="org.apache.wiki.preferences.Preferences" %> <%@ page import="org.apache.wiki.ui.TemplateManager" %> <%@ page errorPage="/Error.jsp" %> @@ -37,6 +38,10 @@ %> <% + if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) { + response.sendRedirect( "/error/Forbidden.html" ); + return; + } Engine wiki = Wiki.engine().find( getServletConfig() ); // Create wiki context and check for authorization Context wikiContext = Wiki.context().create( wiki, request, ContextEnum.WIKI_CREATE_GROUP.getRequestContext() );
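Review bot: Most of this hunk is a brace-style reformat of the existing try/catch, which buries the four security-relevant lines (the `isCsrfProtectedPost` gate inside the save branch) among cosmetic changes in a commit titled as a CSRF fix; the reformat is better split into its own commit. Placing the gate as the first statement of the `"save"` branch is the right scope, since it leaves GET rendering of the form unaffected. The preceding catch still calls `response.sendRedirect( "Group.jsp" )` without a `return`, so a failed `parseGroup` falls through into the save branch with `group == null`; that is pre-existing, but a `return;` there would keep the new gate from being evaluated on a committed response. The save branch continues outside the hunk.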
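Review bot: The `isCsrfProtectedPost` gate is the first statement of the scriptlet and is not conditioned on the `action` parameter, so any GET to NewGroup.jsp is redirected to Forbidden.html before `Engine wiki` is even resolved; since the page imports `TemplateManager` (earlier hunk) and presumably renders the new-group form on GET as EditGroup.jsp does, the form would no longer be reachable. Moving the three lines into the `"save"` branch, as this commit does in EditGroup.jsp, keeps the gate on the state-changing path only; that branch lies outside the hunk.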
