You just broke pretty much all applications for stable branch... On Wed, Sep 22, 2010 at 03:44, abusenius <[email protected]> wrote: > Author: abusenius > Date: 2010-09-22 03:44:29 +0200 (Wed, 22 Sep 2010) > New Revision: 31216 > > Modified: > > platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml > > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml > > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml > > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml > > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml > > platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml > > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml > > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml > > platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml > Log: > XWIKI-5463: Checking for CSRF tokens in applications > > Modified: > platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml > =================================================================== > --- > platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml > 2010-09-22 01:44:29 UTC (rev 31216) 
> @@ -686,11 +686,16 @@ > * @param $doAfterRegistration code block to run after registration completes > successfully. > *### > #macro(createUser, $fields, $request, $response, $doAfterRegistration) > - ## See if email verification is required and register the user. > - #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1) > - #set($reg = $xwiki.createUser(true)) > + ## CSRF check > + > #if(${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > + ## See if email verification is required and register the user. > + #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1) > + #set($reg = $xwiki.createUser(true)) > + #else > + #set($reg = $xwiki.createUser(false)) > + #end > #else > - #set($reg = $xwiki.createUser(false)) > + $response.sendRedirect("$!{services.csrf.getResubmissionURL()}") > #end > ## > ## Handle output from the registration. > > Modified: > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml > =================================================================== > --- > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -397,7 +397,7 @@ > #end > #set($query = "${query}obj.name = doc.fullName and obj.className = > '${blogCategoryClassname}' and doc.fullName <> 'Blog.CategoryTemplate' > and doc.parent = ? order by doc.name") > #foreach($item in $xwiki.searchDocuments($query, $parameterValues)) > - #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item)) > + #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && > $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($subcategoryDoc = $xwiki.getDocument($item)) > $subcategoryDoc.setParent($categoryParent) > > $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'), > true) 
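Review bot: The CSRF-failure branch of `createUser` sends the redirect but never leaves the macro, so rendering falls through to the `## Handle output from the registration` code below with `$reg` unset. Terminate the request in the same branch, e.g. `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` followed by `#stop` (or whatever early-exit the surrounding sheet already uses), with a comment such as `## Missing/invalid form_token: send the user to the resubmission page and skip the rest of the macro.` Note that `getResubmissionURL()` echoes the current request back to the user, so anything the registration form posts will be re-displayed on that page. The remainder of `createUser`, including the code that consumes `$reg`, is outside this hunk.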
> @@ -409,7 +409,7 @@ > #end > #set($query = "${query}obj.name = doc.fullName and obj.className = > '${blogPostClassname}' and doc.fullName <> 'Blog.BlogPostTemplate' and > categories.id.id = obj.id and categories.id.name = 'category' and category = > ? order by doc.name") > #foreach($item in $xwiki.searchDocuments($query, $parameterValues)) > - #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item)) > + #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && > $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($blogEntryDoc = $xwiki.getDocument($item)) > #set($discard = > $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category)) > > $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.removedDeletedCategory'), > true) > @@ -433,7 +433,7 @@ > #set($query = ', BaseObject obj where ') > #set($query = "${query}obj.name = doc.fullName and obj.className = > '${blogCategoryClassname}' and doc.fullName <> 'Blog.CategoryTemplate' > and doc.parent = ? order by doc.name") > #foreach($item in $xwiki.searchDocuments($query, $parameterValues)) > - #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item)) > + #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && > $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($subcategoryDoc = $xwiki.getDocument($item)) > $subcategoryDoc.setParent($newCategoryDoc.fullName) > > $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'), > true) 
> @@ -442,16 +442,18 @@ > #set($query = ', BaseObject obj, DBStringListProperty categories join > categories.list as category where ') > #set($query = "${query}obj.name = doc.fullName and obj.className = > '${blogPostClassname}' and doc.fullName <> 'Blog.BlogPostTemplate' and > categories.id.id = obj.id and categories.id.name = 'category' and category = > ? order by doc.name") > #foreach($item in $xwiki.searchDocuments($query, $parameterValues)) > - #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item)) > + #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && > $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($blogEntryDoc = $xwiki.getDocument($item)) > #set($discard = > $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category)) > #set($discard = > $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.add($newCategoryDoc.fullName)) > > $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedRenamedCategory'), > true) > #end > #end > - $categoryDoc.getObject('Blog.CategoryClass').set('name', $newCategoryName) > - > $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'), > true) > - $categoryDoc.rename($newCategoryName) > + #if > ($!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > + $categoryDoc.getObject('Blog.CategoryClass').set('name', > $newCategoryName) > + > $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'), > true) > + $categoryDoc.rename($newCategoryName) > + #end > #end > {{/velocity}}</content> > </xwikidoc> > > Modified: > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml > =================================================================== > --- > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > 
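Review bot: The token check is re-evaluated once per loop iteration (and a fourth time around the rename), and a failed check silently skips every write with no message and no resubmission redirect, unlike the Registration.xml change in the same commit. Evaluate it once before the searches run, e.g. `#set($csrfOk = $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` and `#if(!$csrfOk) $response.sendRedirect("$!{services.csrf.getResubmissionURL()}") #else … #end`, so a forged request neither executes the `$xwiki.searchDocuments` queries nor returns what looks like success. The surrounding rename code, and whatever reports its outcome to the user, starts before this hunk.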
platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -24,7 +24,7 @@ > <syntaxId>xwiki/2.0</syntaxId> > <hidden>true</hidden> > <content>{{velocity filter="none"}} > -#if($request.migrate) > +#if($request.migrate && > $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($newContent = '#includeForm("Blog.BlogPostSheet")') > #set($query = ", BaseObject obj where obj.name = doc.fullName and > obj.className = 'XWiki.ArticleClass'") > #foreach($article in $xwiki.searchDocuments($query)) > > Modified: > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml > =================================================================== > --- > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -32,7 +32,7 @@ > #end > #set($entryName = "$!{request.entryName}") > #if($entryName != '') > - #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName)) > + #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName) && > $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($entryDoc = $xwiki.getDocument($entryName)) > #if ($entryDoc) > #getEntryObject($entryDoc $entryObj) > > Modified: > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml > =================================================================== > --- > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml > 2010-09-22 01:44:29 UTC (rev 31216) 
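Review bot: The migration that rewrites every `XWiki.ArticleClass` document is now gated only on `$request.migrate` plus a token; nothing visible in the hunk restricts it to POST or checks a right (that may live outside the hunk, please confirm). Mirror the WebHome.xml hunk in this commit and require the method too: `#if($request.migrate && $request.getMethod().toLowerCase() == 'post' && $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))`, and add a comment `## Destructive, one-shot migration: only run on an explicit POST with a valid CSRF token.` When the condition fails the page currently renders nothing, so the operator cannot tell a stale token from a migration that did nothing.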
> @@ -223,7 +223,7 @@ > > {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.alreadyReportedAsSpam'){{/error}} > #elseif($status != 'pending') > > {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus', > ["#messageStatusForCode($status)"]){{/error}} > - #else > + #elseif($confirm && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #if("#canGuestAcceptInvitation($doc)" != 'true') > ## > > {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.improperConfiguration'){{/error}} > @@ -235,6 +235,9 @@ > #set($invited = true) > {{include document="XWiki.Registration"/}} > #end > + #else > + ## CSRF protection > + $response.sendRedirect("$!{services.csrf.getResubmissionURL()}") > #end > #elseif($action == 'decline') > ## Decline Invitation > <------------------------------------------------------------------------ > @@ -261,7 +264,7 @@ > > {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.alreadyReportedAsSpam'){{/error}} > #elseif($status != 'pending') > > {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus', > ["#messageStatusForCode($status)"]){{/error}} > - #elseif($confirm) > + #elseif($confirm && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #setMessageStatus($message, 'declined', $memo)## > > $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.decline.saveComment')) > > {{info}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.success'){{/info}} 
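Review bot: The new `#else` branch redirects to the CSRF resubmission page for any accept request that lacks `$confirm`, not only for a bad token, because the original unconditional `#else` became `#elseif($confirm && …)`; unless the accept link already always sends `confirm`, the first (unconfirmed) visit is bounced to the resubmission page instead of the accept step. Separate the two cases: `#elseif($confirm && !$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` → `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")`, and keep a distinct branch for the missing-`confirm` case. As in Registration.xml, the redirect is not followed by an early exit, so the page keeps rendering after the response has been committed.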
> @@ -280,7 +283,7 @@ > #if("$!message" == '') > ## No message found by that id. > > {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.reportSpam.noMessageFound'){{/error}} > - #elseif($confirm) > + #elseif($confirm && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #setMessageStatus($message, 'reported', $memo)## > > $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.reportSpam.reportSaveComment')) > ## Your report has been logged, sorry for the inconvienence. > > Modified: > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml > =================================================================== > --- > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -382,7 +382,7 @@ > > $msg.get('xe.invitation.doUserActionOnMultipleMessages.cancel.someMessagesNotFound', > [$mathtool.sub($messageIDs.size(), $messages.size()), > $messageIDs.size()]){{error}}))) > #end > - #elseif($confirm) > + #elseif($confirm && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > ## If the user accidently selected messages to which this action cannot > be done, just skip over them. > #set($changed = false) > #foreach($message in $messages) 
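Review bot: In the reportSpam branch a failed token check is indistinguishable from an unconfirmed request: `#elseif($confirm && ${services.csrf.isTokenValid(…)})` simply falls through to whatever `#else` follows (outside the hunk), while the accept branch in the same file redirects to the resubmission URL. Handle the token failure explicitly with its own `#elseif($confirm)` branch that calls `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")`, and note it: `## confirm was sent but the form_token is missing/stale: offer resubmission rather than the unconfirmed view.` The same applies to the decline branch above and the member-action hunk that follows.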
> @@ -435,7 +435,7 @@ > > $msg.get('xe.invitation.doUserActionOnMultipleMessages.noMessagesFound') > #end > {{/error}}))) > - #elseif($confirm) > + #elseif($confirm && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > ## If the user accidently selected messages to which this action cannot > be done, just skip over them. > #set($changed = false) > #foreach($message in $messages) > > Modified: > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml > =================================================================== > --- > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -737,7 +737,9 @@ > #set($messageBody = '') > #end > ## > - #if("$!request.get('sendMail')" != '' && > $request.getMethod().toLowerCase() == 'post') > + #if("$!request.get('sendMail')" != '' > + && $request.getMethod().toLowerCase() == 'post' > + && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #generateAndSendMail($config, > $recipients, > $subjectLine, > > Modified: > platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml > =================================================================== > --- > platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml > 2010-09-22 01:44:29 UTC (rev 31216) 
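Review bot: When the token check fails, the message the user composed in the `sendMail` form is silently dropped; the condition becomes false and nothing tells them why the mail was not sent. Add an `#elseif("$!request.get('sendMail')" != '' && $request.getMethod().toLowerCase() == 'post')` branch that issues `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")`, so the posted form is re-presented for confirmation instead of lost. A minor style point: `$request.getMethod().equalsIgnoreCase('post')` says the same thing as the `toLowerCase()` comparison without depending on the default locale.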
> @@ -281,7 +281,7 @@ > #set($msgRestart=$msg.get("xe.officeimporter.openoffice.actions.restart")) > #set($msgUpdate=$msg.get("xe.officeimporter.openoffice.update")) > #set($msgLimitedControl=$msg.get("xe.officeimporter.openoffice.limitedcontrol")) > -#if($hasAdmin) > +#if($hasAdmin && > ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($currentAction = "$!{request.action}") > #if($currentAction == "stop") > #if(!$oomanager.stopServer()) > > Modified: > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml > =================================================================== > --- > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -547,7 +547,7 @@ > #end > ## Use the syntax and content received from the client, as the user might > have made some changes that are not on saved yet. > #set($void = $translatedDoc.setSyntaxId($oldSyntax)) > - #if (!$translatedDoc.convertSyntax($newSyntaxId)) > + #if (!$translatedDoc.convertSyntax($newSyntaxId) || > !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #set($error = true) > #else > #set($void = $translatedDoc.save("Document converted from syntax > $oldSyntax to syntax $newSyntaxId")) > > Modified: > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml > =================================================================== > --- > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml > 2010-09-22 01:44:29 UTC (rev 31216) 
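Review bot: The token now gates the whole `#if($hasAdmin)` block rather than just the `stop`/`start`/`restart` actions read from `$request.action`, so a plain GET of the admin section (which carries no `form_token`) is treated like a non-admin; if the status display is rendered inside this block (its end is outside the hunk), administrators lose the page, not just the action. Gate only the dispatch: keep `#if($hasAdmin)`, then `#set($currentAction = "$!{request.action}")` and `#if($currentAction != '' && !$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` → `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` before the existing action chain.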
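Review bot: The order of operands in `!$translatedDoc.convertSyntax($newSyntaxId) || !${services.csrf.isTokenValid(…)}` runs the conversion before the token is inspected (Velocity evaluates `||` left to right), so a forged request still performs the in-memory syntax conversion and only the save is blocked. Swap them: `#if (!$services.csrf.isTokenValid("$!{request.getParameter('form_token')}") || !$translatedDoc.convertSyntax($newSyntaxId))`. Both failures also collapse into the same `$error = true`, so a user with a stale token is told the conversion failed and is never offered the resubmission URL; a separate `#elseif` with `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` would keep the two cases apart.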
> @@ -34,7 +34,7 @@ > ## > ## Check to see if the current user has admin rights on the current > preferences document. > ## > -#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument)) > +#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument) || > !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > #xwikimessageboxstart("$msg.get('panelwizard.placemanager')" "") > $msg.get("panelwizard.notadmininplace", $place) > #xwikimessageboxend() > > Modified: > platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml > =================================================================== > --- > platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml > 2010-09-22 01:44:21 UTC (rev 31215) > +++ > platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml > 2010-09-22 01:44:29 UTC (rev 31216) > @@ -36,7 +36,9 @@ > #set ($wiki = $WikiManager.getWikiFromDocumentName($doc.fullName)) > ## > #if ($action && ($action == "create") && $domain && > ($domain.trim().length() > 0)) > - #if (!$wiki.containsWikiAlias($domain)) > + #if > (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > + #error($msg.get("notallowed")) > + #elseif (!$wiki.containsWikiAlias($domain)) > #set ($alias = $wiki.newObject("XWiki.XWikiServerClass")) > $alias.set("server", $domain) > $alias.set("homepage", "Main.WebHome") 
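Review bot: A missing or stale token now produces the `panelwizard.notadmininplace` message, which tells an administrator they lack admin rights when the real cause is the CSRF check. Keep the right check as the first branch and add `#elseif(!$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` with `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")`, commented `## Right is fine but the form_token is missing/stale: offer resubmission instead of the 'not admin' message.` The rest of the wizard, which runs after this guard, is outside the hunk.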
> @@ -47,7 +49,9 @@ > #end > ## > #if ($action && ($action == "delete") && $domain && > ($domain.trim().length() > 0)) > - #if ($wiki.containsWikiAlias($domain)) > + #if > (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) > + #error($msg.get("notallowed")) > + #elseif ($wiki.containsWikiAlias($domain)) > #set ($alias = $wiki.getWikiAlias($domain)) > #set ($removed = $wiki.removeObject($alias.objectApi)) > $wiki.save() > > _______________________________________________ > notifications mailing list > [email protected] > http://lists.xwiki.org/mailman/listinfo/notifications >
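Review bot: The token check and its `#error($msg.get("notallowed"))` are duplicated inside both the `create` and `delete` branches, and the generic `notallowed` text gives the user no way to resubmit. Hoist it once in front of both action blocks, e.g. `#if ($action && !$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` → `#error($msg.get("notallowed"))` and `#set ($action = '')`, so neither alias branch runs; consider pointing the message at `$services.csrf.getResubmissionURL()` as the other hunks in this commit do. The `#set ($wiki = …)` preamble shared by both branches begins before the first hunk.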
-- Thomas Mortagne _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs

