You just broke pretty much all applications for stable
branch...
On Wed, Sep 22, 2010 at 03:44, abusenius
<platform-notifications(a)xwiki.org> wrote:
Author: abusenius
Date: 2010-09-22 03:44:29 +0200 (Wed, 22 Sep 2010)
New Revision: 31216
Modified:
platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
Log:
XWIKI-5463: Checking for CSRF tokens in applications
Modified:
platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
===================================================================
---
platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -686,11 +686,16 @@
* @param $doAfterRegistration code block to run after registration completes
successfully.
*###
#macro(createUser, $fields, $request, $response, $doAfterRegistration)
- ## See if email verification is required and register the user.
- #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
- #set($reg = $xwiki.createUser(true))
+ ## CSRF check
+
#if(${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ ## See if email verification is required and register the user.
+ #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
+ #set($reg = $xwiki.createUser(true))
+ #else
+ #set($reg = $xwiki.createUser(false))
+ #end
#else
- #set($reg = $xwiki.createUser(false))
+ $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
#end
##
## Handle output from the registration.
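Review bot: After `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` the macro keeps running — the `## Handle output from the registration` code that follows the `#end` (outside this hunk) is reached with `$reg` never set, so whatever it renders is appended to a response that has already been redirected. Either set `$reg` to a value that code treats as a failure, or stop rendering right after the redirect (e.g. `#stop`, if the surrounding macro context permits it). The check also depends on the registration form emitting a hidden `form_token` field; that template is not in this commit's hunks, so confirm it was updated, otherwise every registration now redirects. The enclosing `createUser` macro continues past the end of the hunk.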
Modified:
platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -397,7 +397,7 @@
#end
#set($query = "${query}obj.name = doc.fullName and obj.className =
'${blogCategoryClassname}' and doc.fullName <>
'Blog.CategoryTemplate' and doc.parent = ? order by doc.name")
#foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &&
$!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($subcategoryDoc = $xwiki.getDocument($item))
$subcategoryDoc.setParent($categoryParent)
$subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'),
true)
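Review bot: The token check is placed inside the `#foreach` and ANDed with the per-item access check, so an invalid or missing token silently skips every subcategory update with no message and no redirect, and the `$xwiki.searchDocuments` query is still run for nothing. Evaluate the token once before the query — `#set($csrfOk = $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` — and bail out with an error or a redirect to `$services.csrf.getResubmissionURL()` when it is false, keeping `#if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))` as the only per-item condition. Whether the caller of this block reports anything on failure is outside the hunk.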
@@ -409,7 +409,7 @@
#end
#set($query = "${query}obj.name = doc.fullName and obj.className =
'${blogPostClassname}' and doc.fullName <>
'Blog.BlogPostTemplate' and categories.id.id = obj.id and categories.id.name =
'category' and category = ? order by doc.name")
#foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &&
$!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($blogEntryDoc = $xwiki.getDocument($item))
#set($discard =
$blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
$blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.removedDeletedCategory'),
true)
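Review bot: Skipping the category-reference cleanup when the token is invalid only helps if the deletion of the category document itself is guarded the same way; that deletion is outside this hunk, so confirm it is, otherwise a forged request still removes the category while leaving posts pointing at it, and a legitimate request with an expired token is silently ignored. Hoisting `#set($csrfOk = $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` above both the query and the delete, and returning an error when it is false, would cover both cases in one place.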
@@ -433,7 +433,7 @@
#set($query = ', BaseObject obj where ')
#set($query = "${query}obj.name = doc.fullName and obj.className =
'${blogCategoryClassname}' and doc.fullName <>
'Blog.CategoryTemplate' and doc.parent = ? order by doc.name")
#foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &&
$!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($subcategoryDoc = $xwiki.getDocument($item))
$subcategoryDoc.setParent($newCategoryDoc.fullName)
$subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'),
true)
@@ -442,16 +442,18 @@
#set($query = ', BaseObject obj, DBStringListProperty categories join
categories.list as category where ')
#set($query = "${query}obj.name = doc.fullName and obj.className =
'${blogPostClassname}' and doc.fullName <>
'Blog.BlogPostTemplate' and categories.id.id = obj.id and categories.id.name =
'category' and category = ? order by doc.name")
#foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) &&
$!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($blogEntryDoc = $xwiki.getDocument($item))
#set($discard =
$blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
#set($discard =
$blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.add($newCategoryDoc.fullName))
$blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedRenamedCategory'),
true)
#end
#end
- $categoryDoc.getObject('Blog.CategoryClass').set('name',
$newCategoryName)
-
$categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'),
true)
- $categoryDoc.rename($newCategoryName)
+ #if
($!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ $categoryDoc.getObject('Blog.CategoryClass').set('name',
$newCategoryName)
+
$categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'),
true)
+ $categoryDoc.rename($newCategoryName)
+ #end
#end
{{/velocity}}</content>
</xwikidoc>
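Review bot: The same token check is now evaluated once per matching post inside the loop and again before the rename at `+ #if`, which the mail client has split across two lines and which makes the condition hard to read. Compute it once above the `$xwiki.searchDocuments($query, $parameterValues)` call and reject the whole rename up front when it is false; as written, an invalid token silently produces a no-op while the caller (outside the hunk) presumably reports success. This file also uses the `$!{services.csrf...}` form where the Invitation hunks in the same commit use `${services.csrf...}`; pick one form across the applications.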
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -24,7 +24,7 @@
<syntaxId>xwiki/2.0</syntaxId>
<hidden>true</hidden>
<content>{{velocity filter="none"}}
-#if($request.migrate)
+#if($request.migrate &&
$!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($newContent = '#includeForm("Blog.BlogPostSheet")')
#set($query = ", BaseObject obj where obj.name = doc.fullName and obj.className =
'XWiki.ArticleClass'")
#foreach($article in $xwiki.searchDocuments($query))
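Review bot: The token only proves the request came from a form the current user rendered; it does not establish that the user may rewrite every `XWiki.ArticleClass` document in the wiki, and no rights check is visible in the hunk (if one exists above line 24 it is outside my view). Since the loop saves documents wiki-wide, gate it on admin rights and on POST as well, e.g. `#if($request.migrate && $request.getMethod() == 'POST' && $hasAdmin && $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))`, assuming `$hasAdmin` is in scope here as it is in OfficeImporterAdmin.xml. The `#foreach` body continues past the end of the hunk.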
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -32,7 +32,7 @@
#end
#set($entryName = "$!{request.entryName}")
#if($entryName != '')
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName)
&&
$!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($entryDoc = $xwiki.getDocument($entryName))
#if ($entryDoc)
#getEntryObject($entryDoc $entryObj)
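Review bot: An invalid token now takes the same path as a missing edit right, so a user whose token expired gets whatever the `#else` (outside this hunk) shows for "not allowed" and has no way to resubmit. Separate the two cases, checking the token first: `#if(!$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))`, `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")`, `#elseif($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName))` — with the existing body under the `#elseif`. The `#if ($entryDoc)` block continues past the end of the hunk.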
Modified:
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
===================================================================
---
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -223,7 +223,7 @@
{{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.alreadyReportedAsSpam'){{/error}}
#elseif($status != 'pending')
{{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus',
["#messageStatusForCode($status)"]){{/error}}
- #else
+ #elseif($confirm &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#if("#canGuestAcceptInvitation($doc)" != 'true')
##
{{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.improperConfiguration'){{/error}}
@@ -235,6 +235,9 @@
#set($invited = true)
{{include document="XWiki.Registration"/}}
#end
+ #else
+ ## CSRF protection
+ $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
#end
#elseif($action == 'decline')
## Decline Invitation
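Review bot: The new `#else` fires both when the token is invalid and when `$confirm` is not set, whereas the removed `#else` accepted without any confirm parameter at all; if the accept link in the invitation e-mail arrives without `confirm` (what sets it is outside the hunk), guests are now sent to the resubmission URL instead of a confirmation step. Distinguish the two, e.g. `#elseif(!$confirm)` rendering the confirmation form and `#else` doing the redirect. Also `$response.sendRedirect(...)` does not halt Velocity rendering, so the rest of the page is still evaluated after the redirect.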
@@ -261,7 +264,7 @@
{{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.alreadyReportedAsSpam'){{/error}}
#elseif($status != 'pending')
{{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus',
["#messageStatusForCode($status)"]){{/error}}
- #elseif($confirm)
+ #elseif($confirm &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#setMessageStatus($message, 'declined', $memo)##
$emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.decline.saveComment'))
{{info}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.success'){{/info}}
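Review bot: Unlike the accept branch above, an invalid token on decline falls through to whatever `#else` follows (outside this hunk) with no resubmission redirect, so the user is not told why nothing happened. Mirror the accept branch by adding `#elseif($confirm)` followed by `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` directly after this `#elseif`. The same applies to the reportSpam hunk below.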
@@ -280,7 +283,7 @@
#if("$!message" == '')
## No message found by that id.
{{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.reportSpam.noMessageFound'){{/error}}
- #elseif($confirm)
+ #elseif($confirm &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#setMessageStatus($message, 'reported', $memo)##
$emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.reportSpam.reportSaveComment'))
## Your report has been logged, sorry for the inconvienence.
Modified:
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
===================================================================
---
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -382,7 +382,7 @@
$msg.get('xe.invitation.doUserActionOnMultipleMessages.cancel.someMessagesNotFound',
[$mathtool.sub($messageIDs.size(), $messages.size()),
$messageIDs.size()]){{error}})))
#end
- #elseif($confirm)
+ #elseif($confirm &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
## If the user accidently selected messages to which this action cannot be done,
just skip over them.
#set($changed = false)
#foreach($message in $messages)
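Review bot: With the token ANDed into `#elseif($confirm && ...)`, an invalid token falls through to the following `#else` (outside this hunk), so the user's selected messages are dropped without explanation. Add a branch `#elseif($confirm)` with `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` so the form can be resubmitted, as the Registration hunk in this commit does. The second hunk in this file has the same shape and needs the same branch.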
@@ -435,7 +435,7 @@
$msg.get('xe.invitation.doUserActionOnMultipleMessages.noMessagesFound')
#end
{{/error}})))
- #elseif($confirm)
+ #elseif($confirm &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
## If the user accidently selected messages to which this action cannot be done,
just skip over them.
#set($changed = false)
#foreach($message in $messages)
Modified:
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
===================================================================
---
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -737,7 +737,9 @@
#set($messageBody = '')
#end
##
- #if("$!request.get('sendMail')" != '' &&
$request.getMethod().toLowerCase() == 'post')
+ #if("$!request.get('sendMail')" != ''
+ && $request.getMethod().toLowerCase() == 'post'
+ &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#generateAndSendMail($config,
$recipients,
$subjectLine,
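Review bot: Requiring POST and a valid token before `#generateAndSendMail` is the right shape, but when the token fails the mail is silently not sent and nothing in this hunk tells the sender (any `#else` is outside it). Consider `#elseif("$!request.get('sendMail')" != '' && !$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` with a redirect to `$services.csrf.getResubmissionURL()` so the composed message is not lost. The `#generateAndSendMail` call continues past the end of the hunk.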
Modified:
platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
===================================================================
---
platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -281,7 +281,7 @@
#set($msgRestart=$msg.get("xe.officeimporter.openoffice.actions.restart"))
#set($msgUpdate=$msg.get("xe.officeimporter.openoffice.update"))
#set($msgLimitedControl=$msg.get("xe.officeimporter.openoffice.limitedcontrol"))
-#if($hasAdmin)
+#if($hasAdmin &&
${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($currentAction = "$!{request.action}")
#if($currentAction == "stop")
#if(!$oomanager.stopServer())
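Review bot: The token check is ANDed with `$hasAdmin` on the branch that wraps the whole action dispatch, and `$currentAction` is only read inside it; an admin merely loading the page with no action (and hence no `form_token`) now falls into the `#else` (outside the hunk), which from the `$msgLimitedControl` message set up just above looks like the non-admin view. Keep `#if($hasAdmin)` and check the token only when an action is requested: `#if($currentAction != '' && !$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` producing an error, with the existing `#if($currentAction == "stop")` chain in the `#else`. The action chain continues past the end of the hunk.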
Modified:
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
===================================================================
---
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -547,7 +547,7 @@
#end
## Use the syntax and content received from the client, as the user might have made
some changes that are not on saved yet.
#set($void = $translatedDoc.setSyntaxId($oldSyntax))
- #if (!$translatedDoc.convertSyntax($newSyntaxId))
+ #if (!$translatedDoc.convertSyntax($newSyntaxId) ||
!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#set($error = true)
#else
#set($void = $translatedDoc.save("Document converted from syntax $oldSyntax to
syntax $newSyntaxId"))
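Review bot: `$translatedDoc.convertSyntax($newSyntaxId)` is evaluated before the token, so a forged request still performs the conversion in memory and only the `save` is withheld; the token is the cheap check and should come first: `#if (!$services.csrf.isTokenValid("$!{request.getParameter('form_token')}") || !$translatedDoc.convertSyntax($newSyntaxId))`. Folding both cases into `$error = true` also gives a token failure the same message as a conversion failure (what `$error` renders is outside the hunk); a separate branch redirecting to `$services.csrf.getResubmissionURL()` would let the user retry.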
Modified:
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
===================================================================
---
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -34,7 +34,7 @@
##
## Check to see if the current user has admin rights on the current preferences
document.
##
-#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument))
+#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument) ||
!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
#xwikimessageboxstart("$msg.get('panelwizard.placemanager')"
"")
$msg.get("panelwizard.notadmininplace", $place)
#xwikimessageboxend()
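Review bot: An admin whose token is missing or expired is shown `panelwizard.notadmininplace`, which is untrue and hides the real cause. Split the condition: keep the `!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument)` branch as it was and add `#elseif(!$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` that redirects to `$services.csrf.getResubmissionURL()` before the layout update runs (the update itself is outside the hunk).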
Modified:
platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
===================================================================
---
platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
2010-09-22 01:44:21 UTC (rev 31215)
+++
platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
2010-09-22 01:44:29 UTC (rev 31216)
@@ -36,7 +36,9 @@
#set ($wiki = $WikiManager.getWikiFromDocumentName($doc.fullName))
##
#if ($action && ($action == "create") &&
$domain && ($domain.trim().length() > 0))
- #if (!$wiki.containsWikiAlias($domain))
+ #if
(!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ #error($msg.get("notallowed"))
+ #elseif (!$wiki.containsWikiAlias($domain))
#set ($alias = $wiki.newObject("XWiki.XWikiServerClass"))
$alias.set("server", $domain)
$alias.set("homepage", "Main.WebHome")
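Review bot: The token check guards the alias creation, but nothing in this hunk verifies that the user is allowed to modify the wiki descriptor (`$action` and `$domain` come from the request; any rights check would be above line 36 and is outside my view), and `notallowed` is an authorization message rather than a token one. Add an explicit right check such as `#if(!$hasAdmin)` with `#error($msg.get("notallowed"))` before the token branch (assuming `$hasAdmin` is in scope as in OfficeImporterAdmin.xml), and on token failure redirect to `$services.csrf.getResubmissionURL()` as the Registration hunk does. The `#elseif (!$wiki.containsWikiAlias($domain))` block continues past the end of the hunk.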
@@ -47,7 +49,9 @@
#end
##
#if ($action && ($action == "delete") &&
$domain && ($domain.trim().length() > 0))
- #if ($wiki.containsWikiAlias($domain))
+ #if
(!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ #error($msg.get("notallowed"))
+ #elseif ($wiki.containsWikiAlias($domain))
#set ($alias = $wiki.getWikiAlias($domain))
#set ($removed = $wiki.removeObject($alias.objectApi))
$wiki.save()
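Review bot: This is the second copy of the same token check and error message in the file; evaluate it once above both `#if ($action && ...)` blocks — `#set($csrfOk = $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` — and test `$csrfOk` in each so the two branches cannot drift. `$wiki.save()` after `removeObject` is the side effect being protected here; the `#end` closing this block is outside the hunk.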