On 20/03/2020 at 08:44, Jacques Le Roux wrote:
If we do so, I have a question. With NoCsrfDefenseStrategy we have the possibility to bypass the CSRF defense. It's convenient for development, because otherwise, in this mode, the CSRF defense is quite intrusive.

I propose to use it also in demo mode, because we should not expect CSRF attacks on the demos (stable R17 and trunk), and even if it happens the consequences should not be important. Only alteration of the DB should be expected and nothing should happen out of that. So no consequences for the VM and for the apache.org domain. If somebody sees a risk in doing so, please chime in before I patch OFBiz.

@Swapnil, I know you plan to update the demos in order to make R17 stable and R16 old. If nobody disagrees about bypassing the CSRF defense on demo, it's only a matter of applying this patch:

diff --git framework/security/config/security.properties 
framework/security/config/security.properties
index 55c2b6a41a..5b06692d88 100644
--- framework/security/config/security.properties
+++ framework/security/config/security.properties
@@ -169,4 +169,4 @@ csrf.entity.request.limit=

 # csrf defense strategy. Default is 
org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.
 # use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check 
totally.
-csrf.defense.strategy=
+csrf.defense.strategy=org.apache.ofbiz.security.NoCsrfDefenseStrategy
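Review bot: the new value `+csrf.defense.strategy=org.apache.ofbiz.security.NoCsrfDefenseStrategy` switches CSRF checking off for every request on whatever instance loads this file (the context comment in the hunk says so itself: `to disable CSRF check totally`), yet nothing in the hunk marks it as a demo-only setting, so once it lands in the committed security.properties any checkout or merge carries the disabled state along. Keep it as an uncommitted, host-specific change on the demo box, or at least add a comment line above it such as `# demo instance only: CSRF defense deliberately disabled, do not copy to production` so the intent is visible to whoever reads the file next. Also, the patch as pasted has its long lines wrapped by the mail client (`diff --git framework/security/config/security.properties` continues on the next line, as do the two `#` context lines), so it will not apply from this message as-is; attaching it to the JIRA issue avoids that.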

I hope all is clear for everybody. The CSRF defense is a major change, fortunately not in development mode. Please verify it's OK with you before we apply the plan above.

Hi,

I thought about that a bit more. I suggest leaving the stable version (soon R17) as is, i.e. with CSRF defense enabled. This way users, mostly interested in stable, would see the real situation.

And to use NoCsrfDefenseStrategy in trunk, so developers, who are often led to use the trunk for development reasons, would have more latitude, as they certainly will do locally.

If nobody disagrees, we will do so at https://issues.apache.org/jira/browse/OFBIZ-11472 with Swapnil.

If we do so, the link https://demo-stable.ofbiz.apache.org/ordermgr/control/main?USERNAME=admin&PASSWORD=ofbiz&JavaScriptEnabled=Y will no longer work.

https://demo-stable.ofbiz.apache.org/ordermgr should be used and we need to update https://ofbiz.apache.org/ofbiz-demos.html for that.

Jacques
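Since the plan above leaves the stable demo with CSRF defense on and only trunk with it off, the setting is worth checking per instance rather than trusting memory. The script below is an added example written for this thread, not OFBiz code and not something from the patch: it parses a `security.properties` text, reports the effective `csrf.defense.strategy` (an empty value meaning the default `org.apache.ofbiz.security.CsrfDefenseStrategy`, as the comment in the hunk states), and flags `NoCsrfDefenseStrategy` anywhere other than an environment where it is expected. The property texts and the environment labels (`development`, `trunk-demo`, `production`) are constructed assumptions of this script.

```python
"""Audit an OFBiz-style security.properties text for the CSRF defense setting.

Added example for this thread; not OFBiz code. Assumes Java .properties
syntax and the two class names named in the patch: an empty
csrf.defense.strategy means the default CsrfDefenseStrategy, and
NoCsrfDefenseStrategy turns the check off entirely.
"""

DEFAULT_STRATEGY = "org.apache.ofbiz.security.CsrfDefenseStrategy"
DISABLED_STRATEGY = "org.apache.ofbiz.security.NoCsrfDefenseStrategy"
KEY = "csrf.defense.strategy"

# Environments (assumed labels) where a disabled CSRF defense is expected.
CSRF_OFF_ALLOWED = {"development", "trunk-demo"}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, blank lines,
    '=', ':' or whitespace key/value separators, and backslash line
    continuations (leading whitespace of the continued line is dropped)."""
    logical_lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        stripped = line.rstrip("\\")
        if (len(line) - len(stripped)) % 2 == 1:  # odd trailing backslashes
            pending = stripped
            continue
        logical_lines.append(line)
    if pending:
        logical_lines.append(pending)

    props = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        key_chars, i = [], 0
        while i < len(line):  # read the key up to the first unescaped separator
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                key_chars.append(line[i + 1])
                i += 2
                continue
            if c in "=: \t":
                break
            key_chars.append(c)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key_chars)] = rest.rstrip()
    return props


def effective_csrf_strategy(text: str) -> str:
    """Empty or missing csrf.defense.strategy means the default class."""
    return parse_properties(text).get(KEY, "").strip() or DEFAULT_STRATEGY


def audit_csrf_config(text: str, environment: str) -> dict:
    """Return a finding; 'ok' is False when CSRF defense is disabled in an
    environment where it is not expected to be."""
    strategy = effective_csrf_strategy(text)
    disabled = strategy == DISABLED_STRATEGY
    return {
        "environment": environment,
        "strategy": strategy,
        "csrf_defense_enabled": not disabled,
        "ok": (not disabled) or environment in CSRF_OFF_ALLOWED,
    }


# Constructed sample configurations mirroring the two lines touched by the patch.
STABLE_DEMO_PROPS = """\
csrf.entity.request.limit=
# csrf defense strategy. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.
# use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check totally.
csrf.defense.strategy=
"""

TRUNK_DEMO_PROPS = STABLE_DEMO_PROPS.replace(
    "csrf.defense.strategy=", "csrf.defense.strategy=" + DISABLED_STRATEGY
)


if __name__ == "__main__":
    for env, props in (("production", STABLE_DEMO_PROPS),
                       ("trunk-demo", TRUNK_DEMO_PROPS),
                       ("production", TRUNK_DEMO_PROPS)):
        print(audit_csrf_config(props, env))
```

Run it against each instance's copy of the file before the demo update is rolled out; the third sample shows the finding you would want to see raised if the trunk setting were ever copied onto a stable or production host.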
