[xwiki-devs] [proposal] Add support for secet token verification

Alex Busenius the_unknown at gmx.net
Sun Mar 7 20:46:25 CET 2010


Hi,

I would like to add support for secret token verification to prevent
CSRF attacks (see http://jira.xwiki.org/jira/browse/XWIKI-4873).

The main idea is to add a random token as a parameter to each request
that requires edit/comment/admin rights and check that this token is
present on the server side. Since there are many ways one can modify
documents, it would require many changes all over the place, in particular:

* add a public method to XWikiContext:
      String getSecretToken()
  that generates a random token and caches it in the session
* add a public method to XWikiRightService*:
      boolean isRequestLegitimate(String action, XWikiContext context)
  to check if the given action is allowed to be executed
* add the following API methods to Context:
      String getSecretToken()
      boolean checkSecretToken()
  for including the secret token into forms/AJAX requests and checking
  that the current request is legitimate
* add a new configuration parameter core.useSecretTokenValidation for
  disabling this functionality, and the corresponding method
  useSecretTokenValidation() to CoreConfiguration and
  DefaultCoreConfiguration
* use the secret token (hidden input for forms or parameter of GET
  requests) in all templates (*.vm files in web/standard and skins,
  velocity macros in applications/**/resources/*.xml)
* check the secret token in Save/Delete/Upload/etc.-Actions and throw
  an exception to deny the access if the check fails
* check the secret token in all templates that directly modify data
  (e.g. web/standard/src/main/webapp/templates/admin.vm)
* fix all selenium tests that directly modify pages using the
  open(...) method
* make sure nothing else is broken

WDYT?


Thanks,
Alex


More information about the devs mailing list