ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
Date Sat, 02 Jun 2018 10:09:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16498968#comment-16498968
] 

Jacques Le Roux commented on OFBIZ-10427:
-----------------------------------------

I have recently worked again on this topic, trying to set the Tomcat CSRF filter. I did not
succeed yet and here are some causes.

As said in the documentation
{quote}This filter provides basic CSRF protection for a web application. The filter assumes
that it is mapped to /* and that all URLs returned to the client are encoded via a call to
HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
{quote}
So I initially used the simplest web.xml configuration in webtools only, w/o <init-param>
putting <filter> and <filter-mapping> at last position.
{code:java}
    <filter>
        <display-name>CSRFPreventionFilter</display-name>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class&gt;org.apache.catalina.filters.CsrfPreventionFilter</filter-class&gt;
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
{code}
And I checked we are encoding as requested. It' s not the case so I did these changes to only
test:
{code:java}
Index: ControlFilter.java
===================================================================
--- ControlFilter.java	(revision 1832691)
+++ ControlFilter.java	(working copy)
@@ -111,10 +111,11 @@
             if (httpRequest.getSession().getAttribute("_FORCE_REDIRECT_") == null) {
                 httpRequest.getSession().setAttribute("_FORCE_REDIRECT_", "true");
                 Debug.logWarning("Redirecting user to: " + redirectPath, module);
+
                 if (redirectPathIsUrl) {
-                    httpResponse.sendRedirect(redirectPath);
+                    httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath));
                 } else {
-                    httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath);
+                    httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath()
+ redirectPath));
                 }
                 return;
             } else {
@@ -143,9 +144,9 @@
                         httpResponse.sendError(errorCode, httpRequest.getRequestURI());
                     } else {
                         if (redirectPathIsUrl) {
-                            httpResponse.sendRedirect(redirectPath);
+                            httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath));
                         } else {
-                            httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath);
+                            httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath()
+ redirectPath));
                         }
                     }
                     if (Debug.infoOn()) {
Index: RequestHandler.java
===================================================================
--- RequestHandler.java	(revision 1832691)
+++ RequestHandler.java	(working copy)
@@ -1180,7 +1180,7 @@
         newURL.append(url);

         String encodedUrl;
-        if (encode) {
+        if (true) {
             encodedUrl = response.encodeURL(newURL.toString());
         } else {
             encodedUrl = newURL.toString();
{code}
with no avail. I always got a 403:
{code:java}
HTTP Status 403 | Forbidden
Type Status Report
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.7
{code}
So I tried to put the filter at the top, same issue. Then I began to add entryPoints in <init-param>,
knowing that they don't support wildcards (so in a way it's quite limited). The last set I
tried was
{code:java}
    <param-name>entryPoints</param-name>
    <param-value>/catalog/control/main,/webtools/control/main,/webtools/control/login</param-value>
{code}
I put _/catalog/control/main_ because I initially tried to come from there. I then tried manually
_/webtools/control/login_ and _/webtools/control/main_ same issue.


 Desesperately I then set a huge nonceCacheSize (every call create a nonce, for instance js,
css, img, etc.) and if one of them it's OK then it's OK (not totally sure of that, but anyway
with a large cache more is allowed)
{code:java}
    <param-name>nonceCacheSize</param-name>
    <param-value>100</param-value>
{code}
Still no success.

I stopped there for now but I'll continue to try if a way is possible. I think the best would
be to adapt the CsrfPreventionFilter class to our need. I did not look at the source in detail
yet, let's see...

> Add a mean to handle CSRF
> -------------------------
>
>                 Key: OFBIZ-10427
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10427
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> I already worked on that in OFBiz but without success so far: https://markmail.org/message/r245yie623cdo3wz)
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really not simple
in OFBiz)
> * https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction
(I think preferred)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message