Plus, you made major modifications without any related JIRA issue. Each
application has its own JIRA project; XWIKI-5463 can't be used for a
modification made to an application.

On Thu, Sep 23, 2010 at 12:47, Thomas Mortagne
<[email protected]> wrote:
> You just broke pretty much all applications for stable branch...
>
> On Wed, Sep 22, 2010 at 03:44, abusenius
> <[email protected]> wrote:
>> Author: abusenius
>> Date: 2010-09-22 03:44:29 +0200 (Wed, 22 Sep 2010)
>> New Revision: 31216
>>
>> Modified:
>>   
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
>>   
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
>>   
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
>>   
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
>>   
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
>>   
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
>>   
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
>>   
>> platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
>>   
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
>>   
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
>>   
>> platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
>> Log:
>> XWIKI-5463: Checking for CSRF tokens in applications
>>
>> Modified: 
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
>>   2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
>>   2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -686,11 +686,16 @@
>>  * @param $doAfterRegistration code block to run after registration 
>> completes successfully.
>>  *###
>>  #macro(createUser, $fields, $request, $response, $doAfterRegistration)
>> -  ## See if email verification is required and register the user.
>> -  #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
>> -    #set($reg = $xwiki.createUser(true))
>> +  ## CSRF check
>> +  
>> #if(${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>> +    ## See if email verification is required and register the user.
>> +    #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
>> +      #set($reg = $xwiki.createUser(true))
>> +    #else
>> +      #set($reg = $xwiki.createUser(false))
>> +    #end
>>   #else
>> -    #set($reg = $xwiki.createUser(false))
>> +    $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
>>   #end
>>   ##
>>   ## Handle output from the registration.
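Review bot: After `$response.sendRedirect(...)` in the new `#else` branch the macro keeps running into the output handling below with `$reg` never set, since Velocity has no early return; the rest of `createUser` is outside the hunk, so this is inferred, but either the output handling should move inside the token-valid branch or the `#else` should set `$reg` to whatever that handling treats as a failure. The check is written as `${services.csrf.isTokenValid(...)}` here and as `$!{...}` in the other files; inside an `#if` a null result evaluates as false either way, so on a platform where `$services.csrf` is not available every guarded action in this commit is refused rather than left unprotected — the same concern applies to each hunk below. A why-comment on the `#else` would help, e.g. `## No valid CSRF token: send the user to the resubmission page instead of registering`.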
>>
>> Modified: 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
>>    2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
>>    2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -397,7 +397,7 @@
>>   #end
>>   #set($query = "${query}obj.name = doc.fullName and obj.className = 
>> '${blogCategoryClassname}' and doc.fullName &lt;&gt; 'Blog.CategoryTemplate' 
>> and doc.parent = ? order by doc.name")
>>   #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
>> -    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
>> +    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &amp;&amp; 
>> $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #set($subcategoryDoc = $xwiki.getDocument($item))
>>       $subcategoryDoc.setParent($categoryParent)
>>       
>> $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'),
>>  true)
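Review bot: The token is re-validated on every iteration of the `#foreach` on the new lines 90–91, and an invalid token merely skips each item with no message or redirect, so a forged or stale request looks like a no-op to the user. Validate once before the loop (and before the `searchDocuments` query, which need not run when the request will be refused) and redirect to `$services.csrf.getResubmissionURL()` as Registration.xml does in this same commit. The same pattern recurs in the hunks at `@@ -409`, `@@ -433` and `@@ -442`; in the last one the per-item check inside the loop and the separate check around `$categoryDoc.rename` could collapse into a single guard at the top of the action.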
>> @@ -409,7 +409,7 @@
>>   #end
>>   #set($query = "${query}obj.name = doc.fullName and obj.className = 
>> '${blogPostClassname}' and doc.fullName &lt;&gt; 'Blog.BlogPostTemplate' and 
>> categories.id.id = obj.id and categories.id.name = 'category' and category = 
>> ? order by doc.name")
>>   #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
>> -    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
>> +    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &amp;&amp; 
>> $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #set($blogEntryDoc = $xwiki.getDocument($item))
>>       #set($discard = 
>> $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
>>       
>> $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.removedDeletedCategory'),
>>  true)
>> @@ -433,7 +433,7 @@
>>   #set($query = ', BaseObject obj where ')
>>   #set($query = "${query}obj.name = doc.fullName and obj.className = 
>> '${blogCategoryClassname}' and doc.fullName &lt;&gt; 'Blog.CategoryTemplate' 
>> and doc.parent = ? order by doc.name")
>>   #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
>> -    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
>> +    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &amp;&amp; 
>> $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #set($subcategoryDoc = $xwiki.getDocument($item))
>>       $subcategoryDoc.setParent($newCategoryDoc.fullName)
>>       
>> $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'),
>>  true)
>> @@ -442,16 +442,18 @@
>>   #set($query = ', BaseObject obj, DBStringListProperty categories join 
>> categories.list as category where ')
>>   #set($query = "${query}obj.name = doc.fullName and obj.className = 
>> '${blogPostClassname}' and doc.fullName &lt;&gt; 'Blog.BlogPostTemplate' and 
>> categories.id.id = obj.id and categories.id.name = 'category' and category = 
>> ? order by doc.name")
>>   #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
>> -    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
>> +    #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &amp;&amp; 
>> $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #set($blogEntryDoc = $xwiki.getDocument($item))
>>       #set($discard = 
>> $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
>>       #set($discard = 
>> $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.add($newCategoryDoc.fullName))
>>       
>> $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedRenamedCategory'),
>>  true)
>>     #end
>>   #end
>> -  $categoryDoc.getObject('Blog.CategoryClass').set('name', $newCategoryName)
>> -  
>> $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'),
>>  true)
>> -  $categoryDoc.rename($newCategoryName)
>> +  #if 
>> ($!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>> +    $categoryDoc.getObject('Blog.CategoryClass').set('name', 
>> $newCategoryName)
>> +    
>> $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'),
>>  true)
>> +    $categoryDoc.rename($newCategoryName)
>> +  #end
>>  #end
>>  {{/velocity}}</content>
>>  </xwikidoc>
>>
>> Modified: 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml 
>>        2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml 
>>        2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -24,7 +24,7 @@
>>  <syntaxId>xwiki/2.0</syntaxId>
>>  <hidden>true</hidden>
>>  <content>{{velocity filter="none"}}
>> -#if($request.migrate)
>> +#if($request.migrate &amp;&amp; 
>> $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>   #set($newContent = '#includeForm("Blog.BlogPostSheet")')
>>   #set($query = ", BaseObject obj where obj.name = doc.fullName and 
>> obj.className = 'XWiki.ArticleClass'")
>>   #foreach($article in $xwiki.searchDocuments($query))
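Review bot: When `form_token` is missing or stale the whole `#if` on the new lines 180–181 is skipped and the page renders as if `migrate` had never been requested, with no error and no resubmission offer, so a user following a legitimate but expired link gets no indication why nothing happened. Consider an `#else` that redirects to `$services.csrf.getResubmissionURL()` (as Registration.xml does in this commit) or prints an error. The same silent fall-through appears in Publisher.xml (`@@ -32`), the decline and reportSpam branches of InvitationGuestActions.xml (`@@ -261`, `@@ -280`) and both hunks of InvitationMemberActions.xml, where an invalid token drops into whatever `#else`/`#end` follows outside the hunk.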
>>
>> Modified: 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml 
>>        2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml 
>>        2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -32,7 +32,7 @@
>>  #end
>>  #set($entryName = "$!{request.entryName}")
>>  #if($entryName != '')
>> -  #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName))
>> +  #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName) &amp;&amp; 
>> $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>     #set($entryDoc = $xwiki.getDocument($entryName))
>>     #if ($entryDoc)
>>       #getEntryObject($entryDoc $entryObj)
>>
>> Modified: 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
>>        2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
>>        2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -223,7 +223,7 @@
>>       
>> {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.alreadyReportedAsSpam'){{/error}}
>>     #elseif($status != 'pending')
>>       
>> {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus',
>>  ["#messageStatusForCode($status)"]){{/error}}
>> -    #else
>> +    #elseif($confirm &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #if("#canGuestAcceptInvitation($doc)" != 'true')
>>       ##
>>         
>> {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.improperConfiguration'){{/error}}
>> @@ -235,6 +235,9 @@
>>         #set($invited = true)
>>         {{include document="XWiki.Registration"/}}
>>       #end
>> +    #else
>> +      ## CSRF protection
>> +      $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
>>     #end
>>   #elseif($action == 'decline')
>>     ## Decline Invitation 
>> &lt;------------------------------------------------------------------------
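Review bot: The new `#else` on line 234 is reached both when the token is invalid and when `$confirm` is false, because the accept branch changed from a plain `#else` (hunk `@@ -223`) to `#elseif($confirm &amp;&amp; ...)`; if the accept flow previously ran without a `confirm` parameter, a first request without it is now redirected to the resubmission page instead of being processed or shown a confirmation step. That is a behaviour change beyond adding a CSRF check and deserves a mention in the log message or a comment, e.g. `## Accepting requires an explicit confirm and a valid CSRF token; anything else goes to the resubmission page`. The enclosing `#if` chain starts before the hunk.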
>> @@ -261,7 +264,7 @@
>>       
>> {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.alreadyReportedAsSpam'){{/error}}
>>     #elseif($status != 'pending')
>>       
>> {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus',
>>  ["#messageStatusForCode($status)"]){{/error}}
>> -    #elseif($confirm)
>> +    #elseif($confirm &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #setMessageStatus($message, 'declined', $memo)##
>>       
>> $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.decline.saveComment'))
>>       
>> {{info}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.success'){{/info}}
>> @@ -280,7 +283,7 @@
>>     #if("$!message" == '')
>>       ## No message found by that id.
>>       
>> {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.reportSpam.noMessageFound'){{/error}}
>> -    #elseif($confirm)
>> +    #elseif($confirm &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       #setMessageStatus($message, 'reported', $memo)##
>>       
>> $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.reportSpam.reportSaveComment'))
>>       ## Your report has been logged, sorry for the inconvienence.
>>
>> Modified: 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
>>       2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
>>       2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -382,7 +382,7 @@
>>             
>> $msg.get('xe.invitation.doUserActionOnMultipleMessages.cancel.someMessagesNotFound',
>>                      [$mathtool.sub($messageIDs.size(), $messages.size()), 
>> $messageIDs.size()]){{error}})))
>>       #end
>> -    #elseif($confirm)
>> +    #elseif($confirm &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       ## If the user accidently selected messages to which this action 
>> cannot be done, just skip over them.
>>       #set($changed = false)
>>       #foreach($message in $messages)
>> @@ -435,7 +435,7 @@
>>         
>> $msg.get('xe.invitation.doUserActionOnMultipleMessages.noMessagesFound')
>>       #end
>>       {{/error}})))
>> -    #elseif($confirm)
>> +    #elseif($confirm &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>       ## If the user accidently selected messages to which this action 
>> cannot be done, just skip over them.
>>       #set($changed = false)
>>       #foreach($message in $messages)
>>
>> Modified: 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
>>       2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
>>       2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -737,7 +737,9 @@
>>     #set($messageBody = '')
>>   #end
>>   ##
>> -  #if("$!request.get('sendMail')" != '' &amp;&amp; 
>> $request.getMethod().toLowerCase() == 'post')
>> +  #if("$!request.get('sendMail')" != ''
>> +      &amp;&amp; $request.getMethod().toLowerCase() == 'post'
>> +      &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>     #generateAndSendMail($config,
>>                          $recipients,
>>                          $subjectLine,
>>
>> Modified: 
>> platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
>>    2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
>>    2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -281,7 +281,7 @@
>>  #set($msgRestart=$msg.get("xe.officeimporter.openoffice.actions.restart"))
>>  #set($msgUpdate=$msg.get("xe.officeimporter.openoffice.update"))
>>  #set($msgLimitedControl=$msg.get("xe.officeimporter.openoffice.limitedcontrol"))
>> -#if($hasAdmin)
>> +#if($hasAdmin &amp;&amp; 
>> ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>   #set($currentAction = "$!{request.action}")
>>   #if($currentAction == "stop")
>>     #if(!$oomanager.stopServer())
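Review bot: The token check on lines 341–342 is attached to the outer `#if($hasAdmin)`, so everything inside that block now requires a valid `form_token` on every request, including a plain GET of the admin page; if that block also renders the server controls (its body continues outside the hunk), the UI disappears until the user arrives with a token. Gate only the state-changing branches — `#if($currentAction == "stop")` and its siblings — on `$services.csrf.isTokenValid(...)`, and leave rendering under `$hasAdmin` alone. A short comment such as `## Only act on stop/start/restart when the request carries a valid CSRF token` would document the intent.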
>>
>> Modified: 
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
>>   2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
>>   2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -547,7 +547,7 @@
>>   #end
>>   ## Use the syntax and content received from the client, as the user might 
>> have made some changes that are not on saved yet.
>>   #set($void = $translatedDoc.setSyntaxId($oldSyntax))
>> -  #if (!$translatedDoc.convertSyntax($newSyntaxId))
>> +  #if (!$translatedDoc.convertSyntax($newSyntaxId) || 
>> !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>     #set($error = true)
>>   #else
>>     #set($void = $translatedDoc.save("Document converted from syntax 
>> $oldSyntax to syntax $newSyntaxId"))
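Review bot: On the new lines 362–363 `$translatedDoc.convertSyntax($newSyntaxId)` is evaluated before the token check, so the conversion work is done even for a request that is about to be refused, and a bad token is then reported through the same `$error = true` path as a failed conversion, which the user will read as a syntax-conversion failure. Swap the operands so the cheap check short-circuits first: `#if (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")} || !$translatedDoc.convertSyntax($newSyntaxId))`, and preferably give the CSRF failure its own branch with a resubmission redirect. The `#else` is what saves the document, so the order does not affect persistence, only wasted work and the error message.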
>>
>> Modified: 
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
>>     2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
>>     2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -34,7 +34,7 @@
>>  ##
>>  ## Check to see if the current user has admin rights on the current 
>> preferences document.
>>  ##
>> -#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument))
>> +#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument) || 
>> !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>>   #xwikimessageboxstart("$msg.get('panelwizard.placemanager')" "")
>>   $msg.get("panelwizard.notadmininplace", $place)
>>   #xwikimessageboxend()
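Review bot: A missing or stale `form_token` now takes the same branch as a rights failure on lines 384–385 and shows `panelwizard.notadmininplace`, telling an administrator they lack admin rights when the real cause is the token. Split it into a separate `#elseif(!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})` that redirects to `$services.csrf.getResubmissionURL()` or shows a token-specific message, keeping the admin-rights branch as before. The `##` comment block above the `#if` should also mention the new condition, e.g. `## ... and that the request carries a valid CSRF token.`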
>>
>> Modified: 
>> platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
>> ===================================================================
>> --- 
>> platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
>>    2010-09-22 01:44:21 UTC (rev 31215)
>> +++ 
>> platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
>>    2010-09-22 01:44:29 UTC (rev 31216)
>> @@ -36,7 +36,9 @@
>>   #set ($wiki = $WikiManager.getWikiFromDocumentName($doc.fullName))
>>   ##
>>   #if ($action &amp;&amp; ($action == "create") &amp;&amp; $domain 
>> &amp;&amp; ($domain.trim().length() &gt; 0))
>> -    #if (!$wiki.containsWikiAlias($domain))
>> +    #if 
>> (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>> +      #error($msg.get("notallowed"))
>> +    #elseif (!$wiki.containsWikiAlias($domain))
>>       #set ($alias = $wiki.newObject("XWiki.XWikiServerClass"))
>>       $alias.set("server", $domain)
>>       $alias.set("homepage", "Main.WebHome")
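Review bot: The same token check is duplicated inside the `create` block here and the `delete` block in hunk `@@ -47`, each followed by the same `#error($msg.get("notallowed"))`; hoisting one check above both action `#if`s, which share the `$action &amp;&amp; $domain` shape, would leave a single place to maintain. The `notallowed` message is also a different failure response from the resubmission redirect used in Registration.xml and InvitationGuestActions.xml in this commit; a consistent choice across applications would let users recover from an expired token the same way everywhere. A comment on the guard, e.g. `## Refuse alias changes without a valid CSRF token`, would make the intent explicit.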
>> @@ -47,7 +49,9 @@
>>   #end
>>   ##
>>   #if ($action &amp;&amp; ($action == "delete") &amp;&amp; $domain 
>> &amp;&amp; ($domain.trim().length() &gt; 0))
>> -    #if ($wiki.containsWikiAlias($domain))
>> +    #if 
>> (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
>> +      #error($msg.get("notallowed"))
>> +    #elseif ($wiki.containsWikiAlias($domain))
>>       #set ($alias = $wiki.getWikiAlias($domain))
>>       #set ($removed = $wiki.removeObject($alias.objectApi))
>>       $wiki.save()
>>
>> _______________________________________________
>> notifications mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/notifications
>>
>
>
>
> --
> Thomas Mortagne
>



-- 
Thomas Mortagne
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
