This is an automated email from the ASF dual-hosted git repository.

juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 70eeaba88fec0c4fc325ff9bc8efcc09b850c13d
Author: Juan Pablo Santos Rodríguez <juanpablo.san...@gmail.com>
AuthorDate: Wed Jul 20 16:47:01 2022 +0200

    Bring explicit CSRF protection to user management JSPs
---
 jspwiki-war/src/main/webapp/Login.jsp           |  8 +++++++-
 jspwiki-war/src/main/webapp/UserPreferences.jsp | 12 +++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/jspwiki-war/src/main/webapp/Login.jsp 
b/jspwiki-war/src/main/webapp/Login.jsp
index 02c55e8af..001651149 100644
--- a/jspwiki-war/src/main/webapp/Login.jsp
+++ b/jspwiki-war/src/main/webapp/Login.jsp
@@ -28,6 +28,7 @@
 <%@ page import="org.apache.wiki.auth.login.CookieAuthenticationLoginModule" %>
 <%@ page import="org.apache.wiki.auth.user.DuplicateUserException" %>
 <%@ page import="org.apache.wiki.auth.user.UserProfile" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
 <%@ page import="org.apache.wiki.i18n.InternationalizationManager" %>
 <%@ page import="org.apache.wiki.pages.PageManager" %>
 <%@ page import="org.apache.wiki.preferences.Preferences" %>
@@ -53,7 +54,12 @@
     }
 
     // Are we saving the profile?
-    if( "saveProfile".equals(request.getParameter("action")) ) {
+    if( "saveProfile".equals( request.getParameter( "action" ) ) ) {
+        if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+            response.sendRedirect( "/error/Forbidden.html" );
+            return;
+        }
+
         UserManager userMgr = wiki.getManager( UserManager.class );
         UserProfile profile = userMgr.parseProfile( wikiContext );
          
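Review bot: The redirect issued on a failed CSRF check at line 36 uses the root-relative path `/error/Forbidden.html`, which only resolves when the webapp is deployed at the root context; under a context path such as `/JSPWiki` the client is sent to a URL outside the application. Prefix it with the context path, `response.sendRedirect( request.getContextPath() + "/error/Forbidden.html" );`, or better, fail with a real 403 via `response.sendError( HttpServletResponse.SC_FORBIDDEN );` so the rejection is visible to clients, proxies and access logs as an error rather than a 302. Only the `saveProfile` action is guarded here; if the page also handles the login submission itself, that branch is outside this hunk and whether it relies on the filter for CSRF coverage cannot be confirmed from this view. The enclosing scriptlet begins before and continues after the hunk.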
diff --git a/jspwiki-war/src/main/webapp/UserPreferences.jsp 
b/jspwiki-war/src/main/webapp/UserPreferences.jsp
index b4e0fe224..20347ee3e 100644
--- a/jspwiki-war/src/main/webapp/UserPreferences.jsp
+++ b/jspwiki-war/src/main/webapp/UserPreferences.jsp
@@ -30,6 +30,7 @@
 <%@ page import="org.apache.wiki.auth.login.CookieAssertionLoginModule" %>
 <%@ page import="org.apache.wiki.auth.user.DuplicateUserException" %>
 <%@ page import="org.apache.wiki.auth.user.UserProfile" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
 <%@ page import="org.apache.wiki.i18n.InternationalizationManager" %>
 <%@ page import="org.apache.wiki.pages.PageManager" %>
 <%@ page import="org.apache.wiki.preferences.Preferences" %>
@@ -65,6 +66,10 @@
 
     // Are we saving the profile?
     if( "saveProfile".equals( request.getParameter( "action" ) ) ) {
+        if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+            response.sendRedirect( "/error/Forbidden.html" );
+            return;
+        }
         UserProfile profile = userMgr.parseProfile( wikiContext );
 
         // Validate the profile
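Review bot: The `Forbidden.html` redirect added at line 61 is root-relative and therefore breaks for any deployment with a non-root context path; use `response.sendRedirect( request.getContextPath() + "/error/Forbidden.html" );` or `response.sendError( HttpServletResponse.SC_FORBIDDEN );` to signal the failure as a 403 instead of a redirect. The guard is applied only to the `saveProfile` branch; the page's other state-changing branches (the cookie-setting path around line 68 and the preferences reload around line 81, both outside this hunk) are not visibly guarded in this commit, so it is worth confirming they are covered by the filter or given the same check. The enclosing scriptlet starts before and continues past the hunk.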
@@ -110,8 +115,7 @@
         CookieAssertionLoginModule.setUserCookie( response, assertedName );
 
         String redirectPage = request.getParameter( "redirect" );
-        if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage 
) )
-        {
+        if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage 
) ) {
           redirectPage = wiki.getFrontPage();
         }
         String viewUrl = ( "UserPreferences".equals( redirectPage ) ) ? 
"Wiki.jsp" : wikiContext.getViewURL( redirectPage );
@@ -126,8 +130,7 @@
         Preferences.reloadPreferences( pageContext );
 
         String redirectPage = request.getParameter( "redirect" );
-        if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage 
) )
-        {
+        if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage 
) ) {
           redirectPage = wiki.getFrontPage();
         }
         String viewUrl = ( "UserPreferences".equals( redirectPage ) ) ? 
"Wiki.jsp" : wikiContext.getViewURL( redirectPage );
@@ -139,4 +142,3 @@
     response.setContentType( "text/html; charset=" + wiki.getContentEncoding() 
);
     String contentPage = wiki.getManager( TemplateManager.class ).findJSP( 
pageContext, wikiContext.getTemplate(), "ViewTemplate.jsp" );
 %><wiki:Include page="<%=contentPage%>" />
-
