[ https://issues.apache.org/jira/browse/JCR-4009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15448951#comment-15448951 ]

Julian Reschke commented on JCR-4009:
-------------------------------------

I believe the right fix is to undo the changes for JCR-4002, and to improve the 
existing protection to handle empty media types, and also to parse the content 
type header field properly, lowercase it and then to check it against the white 
list.

> CSRF in Jackrabbit-Webdav
> -------------------------
>
>                 Key: JCR-4009
>                 URL: https://issues.apache.org/jira/browse/JCR-4009
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.13.2
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Blocker
>              Labels: csrf, security, webdav
>
> The changes for JCR-4002 have disabled CSRF checking for POST, and thus leave 
> the remoting servlet open for attacks. The HTML form below:
> {noformat}
> <form action="http://localhost:8080/server/default/jcr:root/" method="post">
>     <input type="text" id="name" name="user_name" />
>     <button type="submit">Send your message</button>
> </form>
> {noformat}
> will successfully cross-origin-POST to jackrabbit-standalone.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
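The check described in the comment above (parse the Content-Type value, keep only the media type, lowercase it, treat an empty or unparseable value conservatively, and compare it against a list of media types before deciding whether a Referer/Origin check is required) as an added, standalone example. This is illustration written for this page in Python, not Jackrabbit's own code (which is Java), and it makes two assumptions: that the "white list" is the set of media types a browser will send cross-origin without a CORS preflight (the three an HTML form can produce), and that a POST carrying one of them is accepted only when its Origin or Referer host matches the request's own Host header or an optional allowed-hosts list. The function names, the header dicts and the allowed_hosts parameter are mine.

```python
import re
from urllib.parse import urlsplit

# Media types a browser will send cross-origin without a CORS preflight: an
# HTML <form> can only produce these three (via enctype), and fetch/XHR without
# a preflight is limited to the same set. Assumption: this is the "white list"
# referred to in the comment; a POST carrying any other media type cannot come
# from a plain cross-site form and so needs no Referer/Origin check.
FORM_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# RFC 7231 "type/subtype" built from tokens; parameters are cut off beforehand.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")


def parse_media_type(content_type):
    """Return the lowercased media type of a Content-Type header value.

    Parameters (charset=, boundary=) are dropped, surrounding whitespace and
    letter case are normalised, and a missing, empty or malformed value
    yields "" so the caller can treat it conservatively.
    """
    if content_type is None:
        return ""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type if _MEDIA_TYPE_RE.match(media_type) else ""


def needs_csrf_check(method, content_type):
    """True when the request could have been sent by a cross-site HTML form.

    Only POST is form-submittable. An absent, empty or unparseable media type
    is treated as form-capable (fail closed): a browser may POST cross-origin
    with no Content-Type at all, so "empty" must not bypass the check.
    """
    if method.upper() != "POST":
        return False
    media_type = parse_media_type(content_type)
    return media_type == "" or media_type in FORM_MEDIA_TYPES


def is_valid_request(method, headers, allowed_hosts=()):
    """Accept the request unless it is form-capable and its Origin/Referer
    host is neither the request's own Host nor listed in allowed_hosts.

    `headers` is a plain dict of header name -> value (constructed for this
    example; a servlet would read them from the request). Lookup is
    case-insensitive on the header name.
    """
    h = {name.lower(): value for name, value in headers.items()}
    if not needs_csrf_check(method, h.get("content-type")):
        return True

    allowed = {host.lower() for host in allowed_hosts}
    # urlsplit on "//host:port" strips the port and handles [IPv6] literals.
    own_host = urlsplit("//" + h.get("host", "")).hostname
    if own_host:
        allowed.add(own_host)

    # Origin is sent by current browsers on cross-site POSTs; Referer is the
    # older signal. With neither present the request cannot be attributed.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False
    # Parse the host out of the URL instead of prefix-matching the string, so
    # "http://localhost:8080@evil.example/" and "Origin: null" are rejected.
    source_host = urlsplit(source).hostname
    return source_host is not None and source_host in allowed


if __name__ == "__main__":
    # Constructed headers matching the form in the issue (no enctype, so the
    # browser sends application/x-www-form-urlencoded), served from another origin.
    attack = {
        "Host": "localhost:8080",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://attacker.example",
        "Referer": "http://attacker.example/form.html",
    }
    same_site = dict(attack, Origin="http://localhost:8080",
                     Referer="http://localhost:8080/server/")
    print("cross-site form POST accepted:", is_valid_request("POST", attack))
    print("same-site form POST accepted:", is_valid_request("POST", same_site))
```

The media type is taken as everything before the first ";" so a quoted boundary parameter containing ";" cannot confuse it, and the token grammar check means a value like "text/plain," falls into the "empty" branch and is checked rather than waved through. Methods other than POST are left alone because an HTML form cannot issue them and a cross-origin fetch/XHR with them is preflighted.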