Ard Schrijvers pushed to branch release/3.2 at cms-community / hippo-cms
Commits:
ef417a69 by Ard Schrijvers at 2016-05-24T09:48:34+02:00
CMS-10121 [Backport 3.2] improve logging of CsrfPreventionRequestCycleListener
In case the request host does not match the origin host, we now log more debug info
(cherry picked from commit 0904fd9d567a4d51af275de475e5f140a99bb12e)
- - - - -
e0d8f113 by Ard Schrijvers at 2016-05-24T09:49:09+02:00
CMS-10121 [Backport 3.2] more explicit logging in case the scheme does not match
Typically this is caused because of running behind a proxy that delegates a https request to http.
(cherry picked from commit e543da10595038b8fea82bec667a347a4e184c25)
- - - - -
1 changed file:
- engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
Changes:
=====================================
engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
=====================================
--- a/engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
+++ b/engine/src/main/java/org/hippoecm/frontend/http/CsrfPreventionRequestCycleListener.java
@@ -402,7 +402,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
         // check if the origin HTTP header matches the request URI
         if (!isLocalOrigin(request, origin)) {
-            log.debug("Origin-header conflicts with request origin, {}", conflictingOriginAction);
+            log.info("Origin-header '{}' conflicts with request host '{}' : {}",
+                    getOriginHeaderOrigin(origin), getLocationHeaderOrigin(request), conflictingOriginAction);
             switch (conflictingOriginAction) {
             case ALLOW :
@@ -478,7 +479,12 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
         if (request == null) return false;
-        return origin.equalsIgnoreCase(request);
+        final boolean isLocal = origin.equalsIgnoreCase(request);
+        if (!isLocal && originHeader.startsWith("https:") && !request.startsWith("https:")) {
+            log.warn("Origin starts with https: but request starts with http:. If you are running behind a proxy, make " +
+                    "sure to set 'X-Forwarded-Proto: https' in the proxy");
+        }
+        return isLocal;
     }
     /**
@@ -533,6 +539,7 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
             target.append(':');
             target.append(port);
         }
+        log.debug("Origin : {}", target.toString());
         return target.toString();
     }
     catch (URISyntaxException e)
@@ -556,12 +563,16 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
         String host = request.getHeader("X-Forwarded-Host");
         if (host != null) {
             String[] hosts = host.split(",");
-            return getFarthestRequestScheme(request) + "://" + hosts[0];
+            final String location = getFarthestRequestScheme(request) + "://" + hosts[0];
+            log.debug("X-Forwarded-Host header found. Return location '{}'", location);
+            return location;
         }
         host = request.getHeader("Host");
         if (host != null && !"".equals(host)) {
-            return getFarthestRequestScheme(request) + "://" + host;
+            final String location = getFarthestRequestScheme(request) + "://" + host;
+            log.debug("Host header found. Return location '{}'", location);
+            return location;
         }
         // Build scheme://host:port from request
@@ -591,7 +602,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
             target.append(':');
             target.append(port);
         }
-
+        log.debug("Host '{}' from request.serverName is used because no 'Host' or 'X-Forwarded-Host' header found. " +
+                "Return location '{}'", target.toString());
         return target.toString();
     }
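Review bot: The new WARN in isLocalOrigin fires for every request whose Origin header starts with `https:` while the computed request location does not, and since Origin is chosen by the client this is per-request log volume at WARN level that any unauthenticated caller can trigger, including an actual CSRF attempt that the same method is about to reject. The advice in the message is also incomplete: a proxy that merely passes `X-Forwarded-Proto` through lets the client pick the apparent scheme, so it should say the proxy must set (overwrite) the header. I would also compare schemes the way the equality check does, case-insensitively, and include the two values so the entry is actionable: `if (!isLocal && originHeader.regionMatches(true, 0, "https:", 0, 6) && !request.regionMatches(true, 0, "https:", 0, 6)) {` / `log.warn("Origin '{}' uses https but the request location '{}' does not. If you run behind a TLS-terminating proxy, make sure the proxy sets (not forwards) 'X-Forwarded-Proto: https'", originHeader, request);`. The declaration of `originHeader` and the method signature lie outside the hunk, so whether `originHeader` is the raw header value is inferred from its use here.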
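Review bot: The debug call added at the end of getLocationHeaderOrigin has two `{}` placeholders but only one argument, so the first placeholder receives the full location and the message prints `Return location '{}'` literally. Either supply both values (the server name presumably comes from `request.getServerName()` used above the hunk, which I cannot see) or drop the first placeholder: `log.debug("Host from request.serverName is used because no 'Host' or 'X-Forwarded-Host' header found. Return location '{}'", target);`. Passing the StringBuilder rather than `target.toString()` also avoids building the string when debug logging is off; the same applies to the `log.debug("Origin : {}", target.toString())` line in the earlier hunk. The enclosing method starts outside this hunk.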
@@ -684,8 +696,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
     private void allowHandler(HttpServletRequest request, String origin, IRequestablePage page) {
         onAllowed(request, origin, page);
-        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: allowed",
-                request.getRequestURL(), origin);
+        log.info("Possible CSRF attack, client request location: {}, Origin: {}, action: allowed",
+                getLocationHeaderOrigin(request), origin);
     }
     /**
@@ -719,8 +731,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
     private void suppressHandler(HttpServletRequest request, String origin, IRequestablePage page) {
         onSuppressed(request, origin, page);
-        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: suppressed",
-                request.getRequestURL(), origin);
+        log.info("Possible CSRF attack, client request location: {}, Origin: {}, action: suppressed",
+                getLocationHeaderOrigin(request), origin);
         throw new RestartResponseException(page);
     }
@@ -755,9 +767,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
     private void abortHandler(HttpServletRequest request, String origin, IRequestablePage page) {
         onAborted(request, origin, page);
-        log.info(
-                "Possible CSRF attack, request URL: {}, Origin: {}, action: aborted with error {} {}",
-                new Object[] { request.getRequestURL(), origin, errorCode, errorMessage });
+        log.info("Possible CSRF attack, client request location: {}, Origin: {}, action: aborted with error {} {}",
+                new Object[] {getLocationHeaderOrigin(request), origin, errorCode, errorMessage });
         throw new AbortWithHttpErrorCodeException(errorCode, errorMessage);
     }
View it on GitLab: https://code.onehippo.org/cms-community/hippo-cms/compare/a149166752b2c230c17079d4ecd60f5cccfeb799...e0d8f113b734140036b4ee80334b3111a7b21dbd
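Review bot: Swapping `request.getRequestURL()` for `getLocationHeaderOrigin(request)` in allowHandler, suppressHandler and abortHandler drops the request path from the "Possible CSRF attack" entries, so the log no longer records which resource the suspect request targeted, which is the first thing an investigator needs. Keep the URL next to the location, e.g. in abortHandler `log.info("Possible CSRF attack, client request location: {}, request URL: {}, Origin: {}, action: aborted with error {} {}", new Object[] {getLocationHeaderOrigin(request), request.getRequestURL(), origin, errorCode, errorMessage });` and the same shape for the other two. The location is assembled from the X-Forwarded-Host or Host header, i.e. client-supplied values, so downstream log consumers should treat it as untrusted just like the Origin value. Note also that the first hunk now logs the same conflict at INFO before dispatching to these handlers, so every event yields two INFO lines with the same origin and location; one of them could stay at debug.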