Re: [xwiki-devs] [xwiki-notifications] r31216 - in platform/xwiki-applications/trunk: administration/src/main/resources/XWiki blog/src/main/resources/Blog invitation/src/main/resources/Invitation officeimporter/src/main/resources/XWiki panels/src/main/resources/P
You just broke pretty much all applications for the stable branch... On Wed, Sep 22, 2010 at 03:44, abusenius <[email protected]> wrote:
Author: abusenius Date: 2010-09-22 03:44:29 +0200 (Wed, 22 Sep 2010) New Revision: 31216
Modified: platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml Log: XWIKI-5463: Checking for CSRF tokens in applications
Modified: platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
===================================================================
--- platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -686,11 +686,16 @@
 * @param $doAfterRegistration code block to run after registration completes successfully.
 *###
 #macro(createUser, $fields, $request, $response, $doAfterRegistration)
- ## See if email verification is required and register the user.
- #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
- #set($reg = $xwiki.createUser(true))
+ ## CSRF check
+ #if(${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ ## See if email verification is required and register the user.
+ #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
+ #set($reg = $xwiki.createUser(true))
+ #else
+ #set($reg = $xwiki.createUser(false))
+ #end
 #else
- #set($reg = $xwiki.createUser(false))
+ $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
 #end
 ##
 ## Handle output from the registration.
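Review bot: The invalid-token branch issues `$response.sendRedirect(...)` but the macro does not stop there; execution falls through the `#end` into `## Handle output from the registration` with `$reg` never set, so the output handling that follows (and, presumably, `$doAfterRegistration`) still runs on a request that failed the check, and whatever it renders is produced after the redirect has already been sent. Guarding the handling with something like `#if("$!reg" != '')`, or setting `#set($reg = false)` in the else branch if the code below treats that as failure, would keep a rejected submission from being processed as a completed registration. None of the hunks on this page add a `form_token` hidden input to the submitting forms; unless those forms already carry one, every legitimate submission now fails the check, which is consistent with the reply about the stable branch being broken. The body of `createUser` continues outside the hunk.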
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -397,7 +397,7 @@
 #end
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogCategoryClassname}' and doc.fullName <> 'Blog.CategoryTemplate' and doc.parent = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($subcategoryDoc = $xwiki.getDocument($item))
 $subcategoryDoc.setParent($categoryParent)
 $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'), true)
@@ -409,7 +409,7 @@
 #end
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogPostClassname}' and doc.fullName <> 'Blog.BlogPostTemplate' and categories.id.id = obj.id and categories.id.name = 'category' and category = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($blogEntryDoc = $xwiki.getDocument($item))
 #set($discard = $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
 $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.removedDeletedCategory'), true)
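Review bot: The token is tested per item inside the `#foreach`, ANDed with the per-document edit check, so a request without a valid token still runs the search and iterates every matching document while saving nothing, and the user gets no error and no resubmission redirect; the same pattern is in the -409, -433 and -442 hunks of this file and in Migration.xml, Publisher.xml, InvitationMemberActions.xml and OfficeImporterAdmin.xml. Checking once before the search, `#if(!$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` followed by `$response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` as Registration.xml does, avoids re-evaluating the service call on every iteration and gives the user a way to resubmit. The quiet reference `$!{services.csrf...}` inside the condition also deserves a look: if the csrf script service is not present on the branch this is deployed to, the expression presumably evaluates to false and every save is silently skipped, so a non-quiet reference that fails loudly would make that misconfiguration visible instead of masking it. The enclosing macro starts outside the hunk.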
@@ -433,7 +433,7 @@
 #set($query = ', BaseObject obj where ')
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogCategoryClassname}' and doc.fullName <> 'Blog.CategoryTemplate' and doc.parent = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($subcategoryDoc = $xwiki.getDocument($item))
 $subcategoryDoc.setParent($newCategoryDoc.fullName)
 $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'), true)
@@ -442,16 +442,18 @@
 #set($query = ', BaseObject obj, DBStringListProperty categories join categories.list as category where ')
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogPostClassname}' and doc.fullName <> 'Blog.BlogPostTemplate' and categories.id.id = obj.id and categories.id.name = 'category' and category = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($blogEntryDoc = $xwiki.getDocument($item))
 #set($discard = $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
 #set($discard = $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.add($newCategoryDoc.fullName))
 $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedRenamedCategory'), true)
 #end
 #end
- $categoryDoc.getObject('Blog.CategoryClass').set('name', $newCategoryName)
- $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'), true)
- $categoryDoc.rename($newCategoryName)
+ #if ($!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ $categoryDoc.getObject('Blog.CategoryClass').set('name', $newCategoryName)
+ $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'), true)
+ $categoryDoc.rename($newCategoryName)
+ #end
 #end
 {{/velocity}}</content>
 </xwikidoc>
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -24,7 +24,7 @@
 <syntaxId>xwiki/2.0</syntaxId>
 <hidden>true</hidden>
 <content>{{velocity filter="none"}}
-#if($request.migrate)
+#if($request.migrate && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($newContent = '#includeForm("Blog.BlogPostSheet")')
 #set($query = ", BaseObject obj where obj.name = doc.fullName and obj.className = 'XWiki.ArticleClass'")
 #foreach($article in $xwiki.searchDocuments($query))
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -32,7 +32,7 @@
 #end
 #set($entryName = "$!{request.entryName}")
 #if($entryName != '')
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($entryDoc = $xwiki.getDocument($entryName))
 #if ($entryDoc)
 #getEntryObject($entryDoc $entryObj)
Modified: platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
===================================================================
--- platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -223,7 +223,7 @@
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.alreadyReportedAsSpam'){{/error}}
 #elseif($status != 'pending')
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus', ["#messageStatusForCode($status)"]){{/error}}
- #else
+ #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #if("#canGuestAcceptInvitation($doc)" != 'true')
 ##
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.improperConfiguration'){{/error}}
@@ -235,6 +235,9 @@
 #set($invited = true)
 {{include document="XWiki.Registration"/}}
 #end
+ #else
+ ## CSRF protection
+ $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
 #end
 #elseif($action == 'decline')
 ## Decline Invitation <------------------------------------------------------------------------
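Review bot: Turning the accept branch's `#else` into `#elseif($confirm && ...)` and adding an `#else` that redirects changes what a guest sees before confirming: previously every non-error visit reached the `#canGuestAcceptInvitation` check and the `XWiki.Registration` include, and now any request where `$confirm` is not set — presumably including the first GET on the invitation link, since nothing in the hunk shows where `$confirm` comes from for the accept action — is sent to the CSRF resubmission URL, which is not a sensible landing page for an unconfirmed guest. If only the confirmed action is meant to be gated, keep the original body as the final `#else` and insert `#elseif($confirm) $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")` just before it so the redirect fires only when a confirmation arrives without a valid token. `$response.sendRedirect` does not stop Velocity rendering, so the rest of this block still executes after the redirect is issued. The `decline` and `reportSpam` hunks at -261 and -280 fall through silently on a bad token rather than redirecting, which is inconsistent with this branch. The enclosing `#if($action ...)` chain starts outside the hunk.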
@@ -261,7 +264,7 @@
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.alreadyReportedAsSpam'){{/error}}
 #elseif($status != 'pending')
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus', ["#messageStatusForCode($status)"]){{/error}}
- #elseif($confirm)
+ #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #setMessageStatus($message, 'declined', $memo)##
 $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.decline.saveComment'))
 {{info}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.success'){{/info}}
@@ -280,7 +283,7 @@
 #if("$!message" == '')
 ## No message found by that id.
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.reportSpam.noMessageFound'){{/error}}
- #elseif($confirm)
+ #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #setMessageStatus($message, 'reported', $memo)##
 $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.reportSpam.reportSaveComment'))
 ## Your report has been logged, sorry for the inconvienence.
Modified: platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml =================================================================== --- platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml 2010-09-22 01:44:21 UTC (rev 31215) +++ platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml 2010-09-22 01:44:29 UTC (rev 31216) @@ -382,7 +382,7 @@ $msg.get('xe.invitation.doUserActionOnMultipleMessages.cancel.someMessagesNotFound', [$mathtool.sub($messageIDs.size(), $messages.size()), $messageIDs.size()]){{error}}))) #end - #elseif($confirm) + #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) ## If the user accidently selected messages to which this action cannot be done, just skip over them. #set($changed = false) #foreach($message in $messages) @@ -435,7 +435,7 @@ $msg.get('xe.invitation.doUserActionOnMultipleMessages.noMessagesFound') #end {{/error}}))) - #elseif($confirm) + #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) ## If the user accidently selected messages to which this action cannot be done, just skip over them. #set($changed = false) #foreach($message in $messages)
Modified: platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
===================================================================
--- platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -737,7 +737,9 @@
 #set($messageBody = '')
 #end
 ##
- #if("$!request.get('sendMail')" != '' && $request.getMethod().toLowerCase() == 'post')
+ #if("$!request.get('sendMail')" != ''
+ && $request.getMethod().toLowerCase() == 'post'
+ && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #generateAndSendMail($config, $recipients, $subjectLine,
Modified: platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
===================================================================
--- platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -281,7 +281,7 @@
 #set($msgRestart=$msg.get("xe.officeimporter.openoffice.actions.restart"))
 #set($msgUpdate=$msg.get("xe.officeimporter.openoffice.update"))
 #set($msgLimitedControl=$msg.get("xe.officeimporter.openoffice.limitedcontrol"))
-#if($hasAdmin)
+#if($hasAdmin && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($currentAction = "$!{request.action}")
 #if($currentAction == "stop")
 #if(!$oomanager.stopServer())
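Review bot: The token check is ANDed into `#if($hasAdmin && ...)`, the condition that opens the whole admin block, not only the dispatch on `$currentAction` that follows it; if that block also renders the server status and control buttons (its body continues past the hunk, so this is inferred), an admin who opens the page by a plain link without a token now sees nothing instead of the panel, and gets no hint why. Gating only the mutating path keeps the display working: leave `#if($hasAdmin)` as it was, and after `#set($currentAction = "$!{request.action}")` add `#if($currentAction != '' && !$services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))` with a redirect to `$services.csrf.getResubmissionURL()` before the `stop`/`start`/`restart` branches. The `#if` opened here is closed outside the hunk.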
Modified: platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
===================================================================
--- platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -547,7 +547,7 @@
 #end
 ## Use the syntax and content received from the client, as the user might have made some changes that are not on saved yet.
 #set($void = $translatedDoc.setSyntaxId($oldSyntax))
- #if (!$translatedDoc.convertSyntax($newSyntaxId))
+ #if (!$translatedDoc.convertSyntax($newSyntaxId) || !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($error = true)
 #else
 #set($void = $translatedDoc.save("Document converted from syntax $oldSyntax to syntax $newSyntaxId"))
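Review bot: `!$translatedDoc.convertSyntax($newSyntaxId) || !${services.csrf...}` evaluates the conversion before the token, so a request without a valid token still performs the full syntax conversion of the client-supplied content (in memory — the `save` in the else branch is skipped) and the user is then shown the generic conversion error rather than being told the token was rejected. Swapping the operands, `#if (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")} || !$translatedDoc.convertSyntax($newSyntaxId))`, short-circuits before any work is done, and a separate branch that redirects to `$services.csrf.getResubmissionURL()` would report the right cause. PanelLayoutUpdate.xml at -34 folds the token check into its admin-rights condition the same way and reports a CSRF failure as `panelwizard.notadmininplace`. The enclosing block starts and ends outside the hunk.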
Modified: platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
===================================================================
--- platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -34,7 +34,7 @@
 ##
 ## Check to see if the current user has admin rights on the current preferences document.
 ##
-#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument))
+#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument) || !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #xwikimessageboxstart("$msg.get('panelwizard.placemanager')" "")
 $msg.get("panelwizard.notadmininplace", $place)
 #xwikimessageboxend()
Modified: platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
===================================================================
--- platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -36,7 +36,9 @@
 #set ($wiki = $WikiManager.getWikiFromDocumentName($doc.fullName))
 ##
 #if ($action && ($action == "create") && $domain && ($domain.trim().length() > 0))
- #if (!$wiki.containsWikiAlias($domain))
+ #if (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ #error($msg.get("notallowed"))
+ #elseif (!$wiki.containsWikiAlias($domain))
 #set ($alias = $wiki.newObject("XWiki.XWikiServerClass"))
 $alias.set("server", $domain)
 $alias.set("homepage", "Main.WebHome")
@@ -47,7 +49,9 @@
 #end
 ##
 #if ($action && ($action == "delete") && $domain && ($domain.trim().length() > 0))
- #if ($wiki.containsWikiAlias($domain))
+ #if (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ #error($msg.get("notallowed"))
+ #elseif ($wiki.containsWikiAlias($domain))
 #set ($alias = $wiki.getWikiAlias($domain))
 #set ($removed = $wiki.removeObject($alias.objectApi))
 $wiki.save()
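Review bot: The same `isTokenValid` test with the same `#error($msg.get("notallowed"))` is pasted into both the create branch and the delete branch; computing it once above the two `#if ($action ...)` blocks, `#set($csrfOk = $services.csrf.isTokenValid("$!{request.getParameter('form_token')}"))`, and testing `$csrfOk` in each keeps the two paths from drifting as more actions are added. The `notallowed` message also reads as a permission denial, whereas the other files in this commit send the user to `$services.csrf.getResubmissionURL()`; an expired or missing token is a resubmission case, not a rights problem, so a message or redirect that says so would be less confusing for an admin who is allowed to do this. Both `#if ($action ...)` blocks continue outside the hunk.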
-- Thomas Mortagne
Plus, you made major modifications without any related JIRA issue. Each application has its own JIRA project, so XWIKI-5463 can't be used for a modification made to an application. On Thu, Sep 23, 2010 at 12:47, Thomas Mortagne <[email protected]> wrote:
You just broke pretty much all applications for stable branch...
On Wed, Sep 22, 2010 at 03:44, abusenius <[email protected]> wrote:
Author: abusenius Date: 2010-09-22 03:44:29 +0200 (Wed, 22 Sep 2010) New Revision: 31216
Modified: platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml Log: XWIKI-5463: Checking for CSRF tokens in applications
Modified: platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml
===================================================================
--- platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/Registration.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -686,11 +686,16 @@
 * @param $doAfterRegistration code block to run after registration completes successfully.
 *###
 #macro(createUser, $fields, $request, $response, $doAfterRegistration)
- ## See if email verification is required and register the user.
- #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
- #set($reg = $xwiki.createUser(true))
+ ## CSRF check
+ #if(${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ ## See if email verification is required and register the user.
+ #if($xwiki.getXWikiPreferenceAsInt('use_email_verification', 0) == 1)
+ #set($reg = $xwiki.createUser(true))
+ #else
+ #set($reg = $xwiki.createUser(false))
+ #end
 #else
- #set($reg = $xwiki.createUser(false))
+ $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
 #end
 ##
 ## Handle output from the registration.
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/CategoriesCode.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -397,7 +397,7 @@
 #end
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogCategoryClassname}' and doc.fullName <> 'Blog.CategoryTemplate' and doc.parent = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($subcategoryDoc = $xwiki.getDocument($item))
 $subcategoryDoc.setParent($categoryParent)
 $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'), true)
@@ -409,7 +409,7 @@
 #end
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogPostClassname}' and doc.fullName <> 'Blog.BlogPostTemplate' and categories.id.id = obj.id and categories.id.name = 'category' and category = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($blogEntryDoc = $xwiki.getDocument($item))
 #set($discard = $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
 $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.removedDeletedCategory'), true)
@@ -433,7 +433,7 @@
 #set($query = ', BaseObject obj where ')
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogCategoryClassname}' and doc.fullName <> 'Blog.CategoryTemplate' and doc.parent = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($subcategoryDoc = $xwiki.getDocument($item))
 $subcategoryDoc.setParent($newCategoryDoc.fullName)
 $subcategoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedParent'), true)
@@ -442,16 +442,18 @@
 #set($query = ', BaseObject obj, DBStringListProperty categories join categories.list as category where ')
 #set($query = "${query}obj.name = doc.fullName and obj.className = '${blogPostClassname}' and doc.fullName <> 'Blog.BlogPostTemplate' and categories.id.id = obj.id and categories.id.name = 'category' and category = ? order by doc.name")
 #foreach($item in $xwiki.searchDocuments($query, $parameterValues))
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $item) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($blogEntryDoc = $xwiki.getDocument($item))
 #set($discard = $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.remove($category))
 #set($discard = $blogEntryDoc.getObject(${blogPostClassname}).getProperty('category').value.add($newCategoryDoc.fullName))
 $blogEntryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedRenamedCategory'), true)
 #end
 #end
- $categoryDoc.getObject('Blog.CategoryClass').set('name', $newCategoryName)
- $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'), true)
- $categoryDoc.rename($newCategoryName)
+ #if ($!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ $categoryDoc.getObject('Blog.CategoryClass').set('name', $newCategoryName)
+ $categoryDoc.save($msg.get('xe.blog.manageCategories.comment.updatedCategory'), true)
+ $categoryDoc.rename($newCategoryName)
+ #end
 #end
 {{/velocity}}</content>
 </xwikidoc>
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Migration.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -24,7 +24,7 @@
 <syntaxId>xwiki/2.0</syntaxId>
 <hidden>true</hidden>
 <content>{{velocity filter="none"}}
-#if($request.migrate)
+#if($request.migrate && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($newContent = '#includeForm("Blog.BlogPostSheet")')
 #set($query = ", BaseObject obj where obj.name = doc.fullName and obj.className = 'XWiki.ArticleClass'")
 #foreach($article in $xwiki.searchDocuments($query))
Modified: platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml
===================================================================
--- platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/blog/src/main/resources/Blog/Publisher.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -32,7 +32,7 @@
 #end
 #set($entryName = "$!{request.entryName}")
 #if($entryName != '')
- #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName))
+ #if($xwiki.hasAccessLevel('edit', $xcontext.user, $entryName) && $!{services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($entryDoc = $xwiki.getDocument($entryName))
 #if ($entryDoc)
 #getEntryObject($entryDoc $entryObj)
Modified: platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml
===================================================================
--- platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationGuestActions.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -223,7 +223,7 @@
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.alreadyReportedAsSpam'){{/error}}
 #elseif($status != 'pending')
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus', ["#messageStatusForCode($status)"]){{/error}}
- #else
+ #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #if("#canGuestAcceptInvitation($doc)" != 'true')
 ##
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.accept.improperConfiguration'){{/error}}
@@ -235,6 +235,9 @@
 #set($invited = true)
 {{include document="XWiki.Registration"/}}
 #end
+ #else
+ ## CSRF protection
+ $response.sendRedirect("$!{services.csrf.getResubmissionURL()}")
 #end
 #elseif($action == 'decline')
 ## Decline Invitation <------------------------------------------------------------------------
@@ -261,7 +264,7 @@
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.alreadyReportedAsSpam'){{/error}}
 #elseif($status != 'pending')
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.invalidStatus', ["#messageStatusForCode($status)"]){{/error}}
- #elseif($confirm)
+ #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #setMessageStatus($message, 'declined', $memo)##
 $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.decline.saveComment'))
 {{info}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.decline.success'){{/info}}
@@ -280,7 +283,7 @@
 #if("$!message" == '')
 ## No message found by that id.
 {{error}}(%id="invitation-action-message"%)$msg.get('xe.invitation.doAction.reportSpam.noMessageFound'){{/error}}
- #elseif($confirm)
+ #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #setMessageStatus($message, 'reported', $memo)##
 $emailContainer.saveAsAuthor($msg.get('xe.invitation.doAction.reportSpam.reportSaveComment'))
 ## Your report has been logged, sorry for the inconvienence.
Modified: platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml =================================================================== --- platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml 2010-09-22 01:44:21 UTC (rev 31215) +++ platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/InvitationMemberActions.xml 2010-09-22 01:44:29 UTC (rev 31216) @@ -382,7 +382,7 @@ $msg.get('xe.invitation.doUserActionOnMultipleMessages.cancel.someMessagesNotFound', [$mathtool.sub($messageIDs.size(), $messages.size()), $messageIDs.size()]){{error}}))) #end - #elseif($confirm) + #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) ## If the user accidently selected messages to which this action cannot be done, just skip over them. #set($changed = false) #foreach($message in $messages) @@ -435,7 +435,7 @@ $msg.get('xe.invitation.doUserActionOnMultipleMessages.noMessagesFound') #end {{/error}}))) - #elseif($confirm) + #elseif($confirm && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")}) ## If the user accidently selected messages to which this action cannot be done, just skip over them. #set($changed = false) #foreach($message in $messages)
Modified: platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml
===================================================================
--- platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/invitation/src/main/resources/Invitation/WebHome.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -737,7 +737,9 @@
 #set($messageBody = '')
 #end
 ##
- #if("$!request.get('sendMail')" != '' && $request.getMethod().toLowerCase() == 'post')
+ #if("$!request.get('sendMail')" != ''
+ && $request.getMethod().toLowerCase() == 'post'
+ && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #generateAndSendMail($config, $recipients, $subjectLine,
Modified: platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml
===================================================================
--- platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/officeimporter/src/main/resources/XWiki/OfficeImporterAdmin.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -281,7 +281,7 @@
 #set($msgRestart=$msg.get("xe.officeimporter.openoffice.actions.restart"))
 #set($msgUpdate=$msg.get("xe.officeimporter.openoffice.update"))
 #set($msgLimitedControl=$msg.get("xe.officeimporter.openoffice.limitedcontrol"))
-#if($hasAdmin)
+#if($hasAdmin && ${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($currentAction = "$!{request.action}")
 #if($currentAction == "stop")
 #if(!$oomanager.stopServer())
Modified: platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml
===================================================================
--- platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/panels/src/main/resources/Panels/DocumentInformation.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -547,7 +547,7 @@
 #end
 ## Use the syntax and content received from the client, as the user might have made some changes that are not on saved yet.
 #set($void = $translatedDoc.setSyntaxId($oldSyntax))
- #if (!$translatedDoc.convertSyntax($newSyntaxId))
+ #if (!$translatedDoc.convertSyntax($newSyntaxId) || !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #set($error = true)
 #else
 #set($void = $translatedDoc.save("Document converted from syntax $oldSyntax to syntax $newSyntaxId"))
Modified: platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml
===================================================================
--- platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/panels/src/main/resources/Panels/PanelLayoutUpdate.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -34,7 +34,7 @@
 ##
 ## Check to see if the current user has admin rights on the current preferences document.
 ##
-#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument))
+#if(!$xwiki.hasAccessLevel("admin", $xcontext.user, $prefsdocument) || !${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
 #xwikimessageboxstart("$msg.get('panelwizard.placemanager')" "")
 $msg.get("panelwizard.notadmininplace", $place)
 #xwikimessageboxend()
Modified: platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml
===================================================================
--- platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml 2010-09-22 01:44:21 UTC (rev 31215)
+++ platform/xwiki-applications/trunk/wiki-manager/src/main/resources/XWiki/XWikiServerClassSheet.xml 2010-09-22 01:44:29 UTC (rev 31216)
@@ -36,7 +36,9 @@
 #set ($wiki = $WikiManager.getWikiFromDocumentName($doc.fullName))
 ##
 #if ($action && ($action == "create") && $domain && ($domain.trim().length() > 0))
- #if (!$wiki.containsWikiAlias($domain))
+ #if (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ #error($msg.get("notallowed"))
+ #elseif (!$wiki.containsWikiAlias($domain))
 #set ($alias = $wiki.newObject("XWiki.XWikiServerClass"))
 $alias.set("server", $domain)
 $alias.set("homepage", "Main.WebHome")
@@ -47,7 +49,9 @@
 #end
 ##
 #if ($action && ($action == "delete") && $domain && ($domain.trim().length() > 0))
- #if ($wiki.containsWikiAlias($domain))
+ #if (!${services.csrf.isTokenValid("$!{request.getParameter('form_token')}")})
+ #error($msg.get("notallowed"))
+ #elseif ($wiki.containsWikiAlias($domain))
 #set ($alias = $wiki.getWikiAlias($domain))
 #set ($removed = $wiki.removeObject($alias.objectApi))
 $wiki.save()
-- Thomas Mortagne
-- Thomas Mortagne