Ard Schrijvers pushed to branch release/2.24 at cms-community / hippo-cms
Commits: 29e11691 by Ard Schrijvers at 2016-05-24T10:44:35+02:00 CMS-10124 improve logging feed back for csrf - - - - - 1 changed file: - engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionWebRequestCycle.java Changes: ===================================== engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionWebRequestCycle.java =====================================
--- a/engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionWebRequestCycle.java
+++ b/engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionWebRequestCycle.java
@@ -80,8 +80,16 @@ public class CsrfPreventionWebRequestCycle extends WebRequestCycle {
 }
 if (!isLocalOrigin(httpServletRequest, origin)) {
- log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: aborted with error {} {}",
- new Object[] { httpServletRequest.getRequestURL(), origin, errorCode, errorMessage });
+
+ final String originLocation = getOriginHeaderOrigin(origin);
+ final String requestLocation = getLocationHeaderOrigin(httpServletRequest);
+ if (originLocation != null && requestLocation != null
+ && getOriginHeaderOrigin(origin).startsWith("https:") && !requestLocation.startsWith("https:")) {
+ log.warn("Origin starts with https: but request starts with http:. If you are running behind a proxy, make "
+ + "sure to set 'X-Forwarded-Proto: https' in the proxy");
+ }
+ log.info("Possible CSRF attack, client request location: {}, Origin: {}, action: aborted with error {} {}",
+ new Object[] { requestLocation, originLocation, errorCode, errorMessage });
 throw new AbortWithWebErrorCodeException(errorCode, errorMessage);
 }
 super.onBeginRequest();
@@ -186,6 +194,7 @@ public class CsrfPreventionWebRequestCycle extends WebRequestCycle {
 target.append(':');
 target.append(port);
 }
+ log.debug("Origin : {}", target.toString());
 return target.toString();
 } catch (URISyntaxException e) {
 log.debug("Invalid Origin header provided: {}, marked conflicting", origin);
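Review bot: The new condition re-parses the Origin header with `getOriginHeaderOrigin(origin).startsWith("https:")` although `originLocation`, assigned two lines earlier, already holds that result; since this commit also adds a debug line inside `getOriginHeaderOrigin`, every rejected request now emits that line twice. Use the local instead: `&& originLocation.startsWith("https:") && !requestLocation.startsWith("https:")) {`. The `onBeginRequest` body starts and ends outside the hunk, so the earlier null handling of `origin` is not visible here; presumably the `isLocalOrigin` call already guards it, which is worth confirming before relying on it in the new branch.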
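Review bot: In the second hunk, `log.debug("Origin : {}", target.toString());` stringifies the builder eagerly even when debug logging is off, and the message does not say which value is being reported. Passing the builder and naming both sides keeps the line cheap and readable: `log.debug("Normalized Origin header '{}' to '{}'", origin, target);` (`origin` is in scope, the catch block below logs it). The enclosing `getOriginHeaderOrigin` method starts before the hunk.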
@@ -205,12 +214,16 @@ public class CsrfPreventionWebRequestCycle extends WebRequestCycle {
 String host = request.getHeader("X-Forwarded-Host");
 if (host != null) {
 String[] hosts = host.split(",");
- return getFarthestRequestScheme(request) + "://" + hosts[0];
+ final String location = getFarthestRequestScheme(request) + "://" + hosts[0];
+ log.debug("X-Forwarded-Host header found. Return location '{}'", location);
+ return location;
 }
 host = request.getHeader("Host");
 if (host != null && !"".equals(host)) {
- return getFarthestRequestScheme(request) + "://" + host;
+ final String location = getFarthestRequestScheme(request) + "://" + host;
+ log.debug("Host header found. Return location '{}'", location);
+ return location;
 }
 // Build scheme://host:port from request
@@ -235,7 +248,8 @@ public class CsrfPreventionWebRequestCycle extends WebRequestCycle {
 target.append(':');
 target.append(port);
 }
-
+ log.debug("Host '{}' from request.serverName is used because no 'Host' or 'X-Forwarded-Host' header found. "
+ + "Return location '{}'", target.toString());
 return target.toString();
 }
View it on GitLab: https://code.onehippo.org/cms-community/hippo-cms/commit/29e116910e378c36fe6f5fd706990404cb3227d6
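Review bot: The rewritten `location` in the `X-Forwarded-Host` branch still uses `hosts[0]` untrimmed, so a header whose first entry carries surrounding whitespace (a proxy writing `host , other`) produces a location that can never equal the parsed Origin and the request is rejected as a CSRF attempt; `final String location = getFarthestRequestScheme(request) + "://" + hosts[0].trim();` avoids that, and the plain `Host` branch below would benefit from the same `strip`/`trim`. The new debug lines are useful, but they make it worth documenting on the method that `X-Forwarded-Host` is trusted as-is and is expected to be set or stripped by a front proxy, since the header can otherwise be supplied by the client. The enclosing `getLocationHeaderOrigin` method starts before this hunk.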
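Review bot: The debug call added in the last hunk has two `{}` placeholders but a single argument, so the server name slot is filled with the full location and `Return location '{}'` is printed literally. Pass both values, and the builder rather than its string, as in `log.debug("Host '{}' from request.serverName is used because no 'Host' or 'X-Forwarded-Host' header found. " + "Return location '{}'", request.getServerName(), target);`, assuming the host appended to `target` above this hunk does come from `request.getServerName()` as the message claims. The method's body continues above the hunk.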