Hi Alex,
Couldn't we add the check in some Abstract<XXX>XWikiAction where <XXX>
qualifies actions that modify data in order to prevent code duplication and in
order to prevent forgetting to do the check when people add new actions (at
least make it easier)?
Thanks
-Vincent
On Sep 22, 2010, at 11:00 PM, abusenius (SVN) wrote:
> Author: abusenius
> Date: 2010-09-22 23:00:46 +0200 (Wed, 22 Sep 2010)
> New Revision: 31271
>
> Modified:
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java
> Log:
> XWIKI-5464: Added CSRF checks to all actions that modify data
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -55,6 +55,10 @@
> BaseClass xclass = doc.getXClass();
>
> if (propertyName != null && xclass.get(propertyName) != null) {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> changePropertyDefinition(xclass, propertyName, context);
> } else {
> return true;
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -54,6 +54,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWiki xwiki = context.getWiki();
> XWikiResponse response = context.getResponse();
> XWikiDocument doc = context.getDoc();
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -55,6 +55,10 @@
> if (!"1".equals(request.getParameter(CONFIRM_PARAM))) {
> return true;
> }
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
>
> String sindex = request.getParameter("id");
> if (sindex != null && xwiki.hasRecycleBin(context)) {
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -46,6 +46,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWikiRequest request = context.getRequest();
> XWikiResponse response = context.getResponse();
> XWikiDocument doc = context.getDoc();
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -40,21 +40,24 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> DeleteVersionsForm form = (DeleteVersionsForm) context.getForm();
> -
> if (!form.isConfirmed()) {
> return true;
> }
>
> Version v1;
> Version v2;
> - Version rev = form.getRev();
> - if (rev == null) {
> + if (form.getRev() == null) {
> v1 = form.getRev1();
> v2 = form.getRev2();
> } else {
> - v1 = rev;
> - v2 = rev;
> + v1 = form.getRev();
> + v2 = form.getRev();
> }
>
> if (v1 != null && v2 != null) {
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -39,6 +39,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWiki xwiki = context.getWiki();
> XWikiResponse response = context.getResponse();
> String username = context.getUser();
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -66,6 +66,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWiki xwiki = context.getWiki();
> XWikiResponse response = context.getResponse();
> String username = context.getUser();
> @@ -74,6 +79,7 @@
> if (obj == null) {
> return true;
> }
> +
> doc.removeObject(obj);
> doc.setAuthor(username);
> xwiki.saveDocument(doc,
> context.getMessageTool().get("core.comment.deleteObject"), true, context);
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -37,6 +37,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWiki xwiki = context.getWiki();
> XWikiResponse response = context.getResponse();
> XWikiDocument doc = context.getDoc();
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -105,6 +105,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> try {
> if (propUpdate(context)) {
> return true;
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -50,6 +50,11 @@
>
> String register = request.getParameter(REGISTER);
> if (register != null && register.equals("1")) {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> int useemail =
> xwiki.getXWikiPreferenceAsInt("use_email_verification", 0, context);
> int result;
> if (useemail == 1) {
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -17,6 +17,11 @@
>
> String confirm = request.getParameter("confirm");
> if ((confirm != null) && (confirm.equals("1"))) {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWikiDocument tdoc = getTranslatedDocument(doc, language,
> context);
> // Do it
> tdoc.resetArchive(context);
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -30,6 +30,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWiki xwiki = context.getWiki();
> XWikiResponse response = context.getResponse();
> XWikiDocument doc = context.getDoc();
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -176,6 +176,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> if (save(context)) {
> return true;
> }
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -43,6 +43,11 @@
> */
> @Override
> public boolean action(XWikiContext context) throws XWikiException {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> // Try to find the URL of the edit page which we came from
> String back = findBackURL(context);
>
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -42,6 +42,11 @@
> @Override
> public boolean action(XWikiContext context) throws XWikiException
> {
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWiki xwiki = context.getWiki();
> XWikiRequest request = context.getRequest();
> XWikiResponse response = context.getResponse();
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java
> 2010-09-22 21:00:42 UTC (rev 31270)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java
> 2010-09-22 21:00:46 UTC (rev 31271)
> @@ -80,6 +80,11 @@
> }
> }
>
> + // CSRF prevention
> + if (!csrfTokenCheck(context)) {
> + return false;
> + }
> +
> XWikiDocument doc = (XWikiDocument) context.getDoc().clone();
>
> // The document is saved for each attachment in the group.
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
