23 Sep
2010
23 Sep
'10
8:36 a.m.
Hi Alex,
Couldn't we add the check in some Abstract<XXX>XWikiAction where <XXX>
qualifies actions that modify data in order to prevent code duplication and in order to
prevent forgetting to do the check when people add new actions (at least make it easier)?
Thanks
-Vincent
On Sep 22, 2010, at 11:00 PM, abusenius (SVN) wrote:
Author: abusenius
Date: 2010-09-22 23:00:46 +0200 (Wed, 22 Sep 2010)
New Revision: 31271
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java
Log:
XWIKI-5464: Added CSRF checks to all actions that modify data
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/AbstractPropChangeAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -55,6 +55,10 @@
BaseClass xclass = doc.getXClass();
if (propertyName != null && xclass.get(propertyName) != null) {
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
changePropertyDefinition(xclass, propertyName, context);
} else {
return true;
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/CommentAddAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -54,6 +54,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWiki xwiki = context.getWiki();
XWikiResponse response = context.getResponse();
XWikiDocument doc = context.getDoc();
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -55,6 +55,10 @@
if (!"1".equals(request.getParameter(CONFIRM_PARAM))) {
return true;
}
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
String sindex = request.getParameter("id");
if (sindex != null && xwiki.hasRecycleBin(context)) {
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteAttachmentAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -46,6 +46,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWikiRequest request = context.getRequest();
XWikiResponse response = context.getResponse();
XWikiDocument doc = context.getDoc();
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/DeleteVersionsAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -40,21 +40,24 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
DeleteVersionsForm form = (DeleteVersionsForm) context.getForm();
-
if (!form.isConfirmed()) {
return true;
}
Version v1;
Version v2;
- Version rev = form.getRev();
- if (rev == null) {
+ if (form.getRev() == null) {
v1 = form.getRev1();
v2 = form.getRev2();
} else {
- v1 = rev;
- v2 = rev;
+ v1 = form.getRev();
+ v2 = form.getRev();
}
if (v1 != null && v2 != null) {
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectAddAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -39,6 +39,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWiki xwiki = context.getWiki();
XWikiResponse response = context.getResponse();
String username = context.getUser();
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -66,6 +66,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWiki xwiki = context.getWiki();
XWikiResponse response = context.getResponse();
String username = context.getUser();
@@ -74,6 +79,7 @@
if (obj == null) {
return true;
}
+
doc.removeObject(obj);
doc.setAuthor(username);
xwiki.saveDocument(doc,
context.getMessageTool().get("core.comment.deleteObject"), true, context);
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropAddAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -37,6 +37,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWiki xwiki = context.getWiki();
XWikiResponse response = context.getResponse();
XWikiDocument doc = context.getDoc();
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/PropUpdateAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -105,6 +105,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
try {
if (propUpdate(context)) {
return true;
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RegisterAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -50,6 +50,11 @@
String register = request.getParameter(REGISTER);
if (register != null && register.equals("1")) {
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
int useemail =
xwiki.getXWikiPreferenceAsInt("use_email_verification", 0, context);
int result;
if (useemail == 1) {
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/ResetVersionsAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -17,6 +17,11 @@
String confirm = request.getParameter("confirm");
if ((confirm != null) && (confirm.equals("1"))) {
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWikiDocument tdoc = getTranslatedDocument(doc, language, context);
// Do it
tdoc.resetArchive(context);
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/RollbackAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -30,6 +30,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWiki xwiki = context.getWiki();
XWikiResponse response = context.getResponse();
XWikiDocument doc = context.getDoc();
Modified: platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -176,6 +176,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
if (save(context)) {
return true;
}
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/SaveAndContinueAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -43,6 +43,11 @@
*/
@Override
public boolean action(XWikiContext context) throws XWikiException {
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
// Try to find the URL of the edit page which we came from
String back = findBackURL(context);
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UndeleteAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -42,6 +42,11 @@
@Override
public boolean action(XWikiContext context) throws XWikiException
{
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWiki xwiki = context.getWiki();
XWikiRequest request = context.getRequest();
XWikiResponse response = context.getResponse();
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java 2010-09-22
21:00:42 UTC (rev 31270)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/web/UploadAction.java 2010-09-22
21:00:46 UTC (rev 31271)
@@ -80,6 +80,11 @@
}
}
+ // CSRF prevention
+ if (!csrfTokenCheck(context)) {
+ return false;
+ }
+
XWikiDocument doc = (XWikiDocument) context.getDoc().clone();
// The document is saved for each attachment in the group.