Ard Schrijvers pushed to branch release/2.26 at cms-community / hippo-cms

Commits:
c4a11db4 by Ard Schrijvers at 2016-05-24T09:51:57+02:00
CMS-10123 [Backport 7.9] improve logging of CsrfPreventionRequestCycleListener

In case the request host does not match the origin host, we now
log more debug info

(cherry picked from commit 0904fd9d567a4d51af275de475e5f140a99bb12e)

- - - - -
153abb8a by Ard Schrijvers at 2016-05-24T09:52:14+02:00
CMS-10123 [Backport 7.9] more explicit logging in case the scheme does not match

Typically this is caused by running behind a proxy that delegates an https
request to http.

(cherry picked from commit e543da10595038b8fea82bec667a347a4e184c25)

- - - - -


1 changed file:

- 
engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java


Changes:

=====================================
engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
=====================================
--- 
a/engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
+++ 
b/engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
@@ -402,7 +402,8 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
         // check if the origin HTTP header matches the request URI
         if (!isLocalOrigin(request, origin))
         {
-            log.debug("Origin-header conflicts with request origin, {}", 
conflictingOriginAction);
+            log.info("Origin-header '{}' conflicts with request host '{}' : 
{}",
+                    getOriginHeaderOrigin(origin), 
getLocationHeaderOrigin(request),  conflictingOriginAction);
             switch (conflictingOriginAction)
             {
                 case ALLOW :
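Review bot: The message at the top of this hunk is now emitted at INFO for every request whose Origin header does not match, regardless of conflictingOriginAction, while the allow/suppress/abort handlers later in this file already log a "Possible CSRF attack" line at INFO for the same request, so each conflicting request produces two INFO entries with overlapping content. Because the Origin value is supplied by the client, one INFO line per mismatch also lets a noisy client inflate the log volume. Keeping this line at DEBUG, `log.debug("Origin-header '{}' conflicts with request host '{}' : {}", getOriginHeaderOrigin(origin), getLocationHeaderOrigin(request), conflictingOriginAction);`, and letting the handlers carry the INFO record avoids the duplication. The enclosing method starts before and ends after this hunk.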
@@ -478,7 +479,12 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
         if (request == null)
             return false;
 
-        return origin.equalsIgnoreCase(request);
+        final boolean isLocal = origin.equalsIgnoreCase(request);
+        if (!isLocal && originHeader.startsWith("https:") && 
!request.startsWith("https:")) {
+            log.warn("Origin starts with https: but request starts with http:. 
If you are running behind a proxy, make " +
+                    "sure to set 'X-Forwarded-Proto: https' in the proxy");
+        }
+        return isLocal;
     }
 
     /**
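Review bot: The new scheme check tests `originHeader` case-sensitively while the host comparison one line above uses equalsIgnoreCase on `origin`, so an `HTTPS:` origin or an upper-cased request scheme silently skips the warning; it also inspects a different variable than the one being compared — `origin` is presumably the normalized form of `originHeader`, but the method signature is outside the hunk. Using the same normalized value and a case-insensitive prefix test keeps the two checks consistent: `if (!isLocal && origin.regionMatches(true, 0, "https:", 0, 6) && !request.regionMatches(true, 0, "https:", 0, 6)) {`. The condition only establishes that the request is not https, whereas the message asserts it "starts with http:", so the wording should be made to match. The WARN also fires on every mismatched request rather than once, so a misconfigured proxy will repeat it on each request and any client can trigger it by sending an https Origin to an http deployment; logging it at DEBUG, or only the first time, keeps the signal useful.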
@@ -533,6 +539,7 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
                 target.append(':');
                 target.append(port);
             }
+            log.debug("Origin : {}", target.toString());
             return target.toString();
         }
         catch (URISyntaxException e)
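Review bot: The added debug line calls `target.toString()` eagerly, so the StringBuilder is rendered even when DEBUG is disabled and then rendered again for the return on the next line. If `log` is an SLF4J logger, as the `{}` placeholders suggest, passing the builder itself, `log.debug("Origin : {}", target);`, defers the toString call until the level is known to be enabled. The same eager `toString()` appears in the debug line added near line 602 of the new file. The enclosing method starts before and ends after this hunk.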
@@ -556,12 +563,16 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
         String host = request.getHeader("X-Forwarded-Host");
         if (host != null) {
             String[] hosts = host.split(",");
-            return getFarthestRequestScheme(request) + "://" + hosts[0];
+            final String location = getFarthestRequestScheme(request) + "://" 
+ hosts[0];
+            log.debug("X-Forwarded-Host header found. Return location '{}'", 
location);
+            return location;
         }
 
         host = request.getHeader("Host");
         if (host != null && !"".equals(host)) {
-            return getFarthestRequestScheme(request) + "://" + host;
+            final String location = getFarthestRequestScheme(request) + "://" 
+ host;
+            log.debug("Host header found. Return location '{}'", location);
+            return location;
         }
         
         // Build scheme://host:port from request
@@ -591,7 +602,8 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
             target.append(':');
             target.append(port);
         }
-
+        log.debug("Host '{}' from request.serverName is used because no 'Host' 
or 'X-Forwarded-Host' header found. " +
+                "Return location '{}'", target.toString());
         return target.toString();
     }
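Review bot: The new debug message has two `{}` placeholders but only one argument, `target.toString()`, so the built location is printed in the "Host" slot and the "Return location" slot stays a literal `{}` in the output. The message names request.serverName as the source of the host, so pass that value first and the built location second: `log.debug("Host '{}' from request.serverName is used because no 'Host' or 'X-Forwarded-Host' header found. Return location '{}'", request.getServerName(), target);`, assuming `request` is the servlet request used by the earlier hunk of this method. The enclosing method starts before this hunk.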
 
@@ -684,8 +696,8 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
     private void allowHandler(HttpServletRequest request, String origin, 
IRequestablePage page)
     {
         onAllowed(request, origin, page);
-        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: 
allowed",
-                request.getRequestURL(), origin);
+        log.info("Possible CSRF attack, client request location: {}, Origin: 
{}, action: allowed",
+                getLocationHeaderOrigin(request), origin);
     }
 
     /**
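Review bot: Replacing `request.getRequestURL()` with `getLocationHeaderOrigin(request)` drops the request path from the "Possible CSRF attack" audit line, and the replacement is built from the X-Forwarded-Host or Host header (see the earlier hunk in this file), so the entry now records only a header-derived scheme and host for the request that was flagged. For incident triage the dispatched URL is the more specific of the two, so keep it alongside the new value, e.g. `log.info("Possible CSRF attack, request URL: {}, client request location: {}, Origin: {}, action: allowed", request.getRequestURL(), getLocationHeaderOrigin(request), origin);`. The same substitution is made in the suppressHandler and abortHandler hunks below and the same remark applies there.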
@@ -719,8 +731,8 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
     private void suppressHandler(HttpServletRequest request, String origin, 
IRequestablePage page)
     {
         onSuppressed(request, origin, page);
-        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: 
suppressed",
-                request.getRequestURL(), origin);
+        log.info("Possible CSRF attack, client request location: {}, Origin: 
{}, action: suppressed",
+                getLocationHeaderOrigin(request), origin);
         throw new RestartResponseException(page);
     }
 
@@ -755,9 +767,8 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
     private void abortHandler(HttpServletRequest request, String origin, 
IRequestablePage page)
     {
         onAborted(request, origin, page);
-        log.info(
-                "Possible CSRF attack, request URL: {}, Origin: {}, action: 
aborted with error {} {}",
-                new Object[] { request.getRequestURL(), origin, errorCode, 
errorMessage });
+        log.info("Possible CSRF attack, client request location: {}, Origin: 
{}, action: aborted with error {} {}",
+                new Object[] {getLocationHeaderOrigin(request), origin, 
errorCode, errorMessage });
         throw new AbortWithHttpErrorCodeException(errorCode, errorMessage);
     }
 


