This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 70eeaba88fec0c4fc325ff9bc8efcc09b850c13d
Author: Juan Pablo Santos RodrÃguez <juanpablo.san...@gmail.com>
AuthorDate: Wed Jul 20 16:47:01 2022 +0200
Bring explicit CSRF protection to user management JSPs
---
jspwiki-war/src/main/webapp/Login.jsp | 8 +++++++-
jspwiki-war/src/main/webapp/UserPreferences.jsp | 12 +++++++-----
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/jspwiki-war/src/main/webapp/Login.jsp b/jspwiki-war/src/main/webapp/Login.jsp
index 02c55e8af..001651149 100644
--- a/jspwiki-war/src/main/webapp/Login.jsp
+++ b/jspwiki-war/src/main/webapp/Login.jsp
@@ -28,6 +28,7 @@
 <%@ page import="org.apache.wiki.auth.login.CookieAuthenticationLoginModule" %>
 <%@ page import="org.apache.wiki.auth.user.DuplicateUserException" %>
 <%@ page import="org.apache.wiki.auth.user.UserProfile" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
 <%@ page import="org.apache.wiki.i18n.InternationalizationManager" %>
 <%@ page import="org.apache.wiki.pages.PageManager" %>
 <%@ page import="org.apache.wiki.preferences.Preferences" %>
@@ -53,7 +54,12 @@
 }
 // Are we saving the profile?
-if( "saveProfile".equals(request.getParameter("action")) ) {
+if( "saveProfile".equals( request.getParameter( "action" ) ) ) {
+if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+response.sendRedirect( "/error/Forbidden.html" );
+return;
+}
+
 UserManager userMgr = wiki.getManager( UserManager.class );
 UserProfile profile = userMgr.parseProfile( wikiContext );
diff --git a/jspwiki-war/src/main/webapp/UserPreferences.jsp b/jspwiki-war/src/main/webapp/UserPreferences.jsp
index b4e0fe224..20347ee3e 100644
--- a/jspwiki-war/src/main/webapp/UserPreferences.jsp
+++ b/jspwiki-war/src/main/webapp/UserPreferences.jsp
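Review bot: The rejection path in the new `saveProfile` guard redirects to `/error/Forbidden.html`, a root-relative location that `sendRedirect` resolves against the container root rather than the webapp's context path, so on a deployment under a non-root context it lands outside the application. Prefixing with the context path, `response.sendRedirect( request.getContextPath() + "/error/Forbidden.html" );`, keeps it inside, and `response.sendError( HttpServletResponse.SC_FORBIDDEN );` would additionally return the real 403 status instead of a 302 (if the rest of the file already uses root-relative redirects this may be the project's convention and the first point can be set aside). The identical block is added in the UserPreferences.jsp `saveProfile` hunk. A rejected request also leaves no trace: a warn-level log line with the request URI, written just before the redirect, would make CSRF rejections visible in the server log. The enclosing scriptlet starts and ends outside the hunk.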
@@ -30,6 +30,7 @@
 <%@ page import="org.apache.wiki.auth.login.CookieAssertionLoginModule" %>
 <%@ page import="org.apache.wiki.auth.user.DuplicateUserException" %>
 <%@ page import="org.apache.wiki.auth.user.UserProfile" %>
+<%@ page import="org.apache.wiki.http.filter.CsrfProtectionFilter" %>
 <%@ page import="org.apache.wiki.i18n.InternationalizationManager" %>
 <%@ page import="org.apache.wiki.pages.PageManager" %>
 <%@ page import="org.apache.wiki.preferences.Preferences" %>
@@ -65,6 +66,10 @@
 // Are we saving the profile?
 if( "saveProfile".equals( request.getParameter( "action" ) ) ) {
+if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
+response.sendRedirect( "/error/Forbidden.html" );
+return;
+}
 UserProfile profile = userMgr.parseProfile( wikiContext );
 // Validate the profile
@@ -110,8 +115,7 @@
 CookieAssertionLoginModule.setUserCookie( response, assertedName );
 String redirectPage = request.getParameter( "redirect" );
-if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage ) )
-{
+if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage ) ) {
 redirectPage = wiki.getFrontPage();
 }
 String viewUrl = ( "UserPreferences".equals( redirectPage ) ) ? "Wiki.jsp" : wikiContext.getViewURL( redirectPage );
@@ -126,8 +130,7 @@
 Preferences.reloadPreferences( pageContext );
 String redirectPage = request.getParameter( "redirect" );
-if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage ) )
-{
+if( !wiki.getManager( PageManager.class ).wikiPageExists( redirectPage ) ) {
 redirectPage = wiki.getFrontPage();
 }
 String viewUrl = ( "UserPreferences".equals( redirectPage ) ) ? "Wiki.jsp" : wikiContext.getViewURL( redirectPage );
@@ -139,4 +142,3 @@
 response.setContentType( "text/html; charset=" + wiki.getContentEncoding() );
 String contentPage = wiki.getManager( TemplateManager.class ).findJSP( pageContext, wikiContext.getTemplate(), "ViewTemplate.jsp" );
 %><wiki:Include page="<%=contentPage%>" />
-
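Review bot: The new guard at the top of the `saveProfile` branch runs straight into `UserProfile profile = userMgr.parseProfile( wikiContext );` with no separating blank line, whereas the same block added to Login.jsp is followed by one; an added empty line after the guard's closing brace would keep the two files consistent. Further down, the `@@ -110,8 +115,7 @@` and `@@ -126,8 +130,7 @@` hunks show code that sets a user cookie via `CookieAssertionLoginModule.setUserCookie` and reloads preferences before honouring a `redirect` parameter; from the visible lines it is not clear whether those paths are reached only through the `saveProfile` check, and if either handles a separate form action that modifies user state it likely needs the same `isCsrfProtectedPost` guard. The enclosing scriptlet starts and ends outside the hunk.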