OF-777 Close off CSRF issues

Note that audit-policy *is* covered, though appears not to be. Several of these will re-present the form without processing now.

OF-777 Close off CSRF issues
Note that audit-policy *is* covered, though appears not to be. Several of these will re-present the form without processing now.
38afc3ca · Dave Cridland · Guus der Kinderen · b91f85c9 · 38afc3ca · 38afc3ca
Commit 38afc3ca authored Dec 17, 2016 by Dave Cridland Committed by Guus der Kinderen Dec 19, 2016
7 changed files
--- a/src/plugins/clientControl/src/web/client-features.jsp
+++ b/src/plugins/clientControl/src/web/client-features.jsp
 <%@ page import="org.jivesoftware.openfire.plugin.spark.manager.FileTransferFilterManager" %>
 <%@ page import="org.jivesoftware.util.JiveGlobals"%>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.plugin.ClientControlPlugin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -34,7 +37,17 @@
    String viewtasklistEnabledString = JiveGlobals.getProperty("viewtasklist.enabled", "true");

    boolean submit = request.getParameter("submit") != null;
-    
+
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+        submit = false;
+    }
+    csrfParam = StringUtils.randomString(16);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
    if (submit) {
 		accountsEnabledString = request.getParameter("accountsEnabled");
 		addcontactsEnabledString = request.getParameter("addcontactsEnabled");
@@ -149,6 +162,7 @@
 </p>

 <form name="f" action="client-features.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div style="display:inline-block;width:600px;margin:10px;">
 	    <table class="jive-table" cellspacing="0" width="600" >
 	        <th><fmt:message key="client.feature"/></th>

--- a/src/plugins/clientControl/src/web/permitted-clients.jsp
+++ b/src/plugins/clientControl/src/web/permitted-clients.jsp
@@ -2,6 +2,9 @@
 <%@ page import="java.util.ArrayList" %>
 <%@ page import="java.util.List" %>
 <%@ page import="java.util.StringTokenizer" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.plugin.ClientControlPlugin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -73,6 +76,20 @@
    boolean submit = request.getParameter("submit") != null;
    boolean addOther = request.getParameter("addOther") != null;
    boolean remove = request.getParameter("removeClient") != null;
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (submit || addOther || remove) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            submit = false;
+            addOther = false;
+            remove = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(16);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+

    if (submit) {
        String[] cls = request.getParameterValues("client");
@@ -267,7 +284,7 @@
                        <td valign="top" nowrap>
                            <div style="display: block; width: 205px;">
                                    <% } %>
-                            <label for="<%= client.getName() %>"><input type="checkbox" name="client" value="<%= client.getName() %>" id="<%= client.getName() %>" <%= clients.contains(client.getName()) ? "checked" : ""%> /> <img src="<%= client.getImage() %>" width="16" height="16" border="0" alt=""> <strong><%= client.getName() %></strong></label><span>(<a href="<%= client.getURL() %>" target="_blank"><fmt:message key="permitted.client.website"/></a>)</span><br>
+                            <label for="<%= StringUtils.escapeForXML(client.getName()) %>"><input type="checkbox" name="client" value="<%= StringUtils.escapeForXML(client.getName()) %>" id="<%= StringUtils.escapeForXML(client.getName()) %>" <%= clients.contains(client.getName()) ? "checked" : ""%> /> <img src="<%= client.getImage() %>" width="16" height="16" border="0" alt=""> <strong><%= StringUtils.escapeHTMLTags(client.getName()) %></strong></label><span>(<a href="<%= client.getURL() %>" target="_blank"><fmt:message key="permitted.client.website"/></a>)</span><br>
                                <% } %>
                            </div>
                        </td>
@@ -278,9 +295,9 @@

            <strong><fmt:message key="permitted.client.add.other.client" />:</strong>
            <a onmouseover="domTT_activate(this, event, 'content', '<fmt:message key="permitted.client.tooltip" />', 'trail', true, 'direction', 'northeast', 'width', '220');"><img src="images/icon_help_14x14.gif" align="texttop" /></a><br>
-			<input type="text" name="other" style="width: 160px;">&nbsp;<input type="submit" name="addOther" value="<fmt:message key="permitted.client.add" />"/><br>
+			<input type="text" name="other" style="width: 160px;">&nbsp;<input type="hidden" value="${csrf}" name="csrf"><input type="submit" name="addOther" value="<fmt:message key="permitted.client.add" />"/><br>
            <% for (String otherClient : otherClients) { %>
-                <%= otherClient%>&nbsp(<a href="permitted-clients.jsp?removeClient=<%=otherClient%>" name="removeClient" id="<%= otherClient %>"><fmt:message key="permitted.client.remove" /></a>)<br>
+                <%= otherClient%>&nbsp(<a href="permitted-clients.jsp?csrf=${csrf}&removeClient=<%=StringUtils.escapeForXML(otherClient)%>" name="removeClient" id="<%= StringUtils.escapeForXML(otherClient) %>"><fmt:message key="permitted.client.remove" /></a>)<br>
            <% } %>

            </div>

--- a/src/plugins/monitoring/src/web/archiving-settings.jsp
+++ b/src/plugins/monitoring/src/web/archiving-settings.jsp
@@ -4,6 +4,8 @@
 <%@ page import="org.jivesoftware.openfire.archive.ConversationManager, org.jivesoftware.util.ByteFormat, org.jivesoftware.util.ParamUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>

@@ -169,6 +171,16 @@
    int maxRetrievable = ParamUtils.getIntParameter(request, "maxRetrievable", conversationManager.getMaxRetrievable());
    
    boolean rebuildIndex = request.getParameter("rebuild") != null;
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+        rebuildIndex = false;
+        update = false;
+    }
+    csrfParam = StringUtils.randomString(16);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);

    if (request.getParameter("cancel") != null) {
        response.sendRedirect("archiving-settings.jsp");
@@ -257,6 +269,7 @@
 </p>

 <form action="archiving-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
    <table class="settingsTable" cellpadding="3" cellspacing="0" border="0" width="90%">
        <thead>
            <tr>

--- a/src/web/audit-policy.jsp
+++ b/src/web/audit-policy.jsp
@@ -70,7 +70,7 @@
            errors.put("csrf", "CSRF Failure!");
        }
    }
-    csrfParam = StringUtils.randomString(15);
+    csrfParam = StringUtils.randomString(16);
    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
    pageContext.setAttribute("csrf", csrfParam);
    if (update) {

--- a/src/web/group-summary.jsp
+++ b/src/web/group-summary.jsp
@@ -41,6 +41,8 @@
 <%  // Get parameters
    int start = ParamUtils.getIntParameter(request,"start",0);
    int range = ParamUtils.getIntParameter(request,"range",webManager.getRowsPerPage("group-summary", 15));
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");

    if (request.getParameter("range") != null) {
        webManager.setRowsPerPage("group-summary", range);
@@ -53,19 +55,27 @@
    if (webManager.getGroupManager().isSearchSupported() && request.getParameter("search") != null
            && !request.getParameter("search").trim().equals(""))
    {
-        search = request.getParameter("search");
-        // Santize variables to prevent vulnerabilities
-        search = StringUtils.escapeHTMLTags(search);
-        // Use the search terms to get the list of groups and group count.
-        groups = webManager.getGroupManager().search(search, start, range);
-        // Get the count as a search for *all* groups. That will let us do pagination even
-        // though it's a bummer to execute the search twice.
-        groupCount = webManager.getGroupManager().search(search).size();
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+
+        } else {
+            search = request.getParameter("search");
+            // Santize variables to prevent vulnerabilities
+            search = StringUtils.escapeForXML(search);
+            // Use the search terms to get the list of groups and group count.
+            groups = webManager.getGroupManager().search(search, start, range);
+            // Get the count as a search for *all* groups. That will let us do pagination even
+            // though it's a bummer to execute the search twice.
+            groupCount = webManager.getGroupManager().search(search).size();
+        }
    }

    // paginator vars
    int numPages = (int)Math.ceil((double)groupCount/(double)range);
    int curPage = (start/range) + 1;
+    csrfParam = StringUtils.randomString(16);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
 %>

 <%  if (request.getParameter("deletesuccess") != null) { %>
@@ -98,6 +108,7 @@
        </td>
        <td align="right" valign="bottom">
   <fmt:message key="group.summary.search" />: <input type="text" size="30" maxlength="150" name="search" value="<%= ((search!=null) ? search : "") %>">
+   <input type="hidden" name="csrf" value="${csrf}">
        </td>
    </tr>
 </table>

--- a/src/web/logviewer.jsp
+++ b/src/web/logviewer.jsp
@@ -129,14 +129,19 @@
    boolean saveLog = ParamUtils.getBooleanParameter(request,"saveLog");
    boolean emailLog = ParamUtils.getBooleanParameter(request,"emailLog");
    boolean debugEnabled = ParamUtils.getBooleanParameter(request,"debugEnabled");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+

    // Enable/disable debugging
    if (request.getParameter("debugEnabled") != null && debugEnabled != Log.isDebugEnabled()) {
-    	JiveGlobals.setProperty(Log.LOG_DEBUG_ENABLED, String.valueOf(debugEnabled));
-        // Log the event
-        admin.logEvent((debugEnabled ? "enabled" : "disabled")+" debug logging", null);
-        response.sendRedirect("logviewer.jsp?log=debug");
-        return;
+        if (!(csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam))) {
+            JiveGlobals.setProperty(Log.LOG_DEBUG_ENABLED, String.valueOf(debugEnabled));
+            // Log the event
+            admin.logEvent((debugEnabled ? "enabled" : "disabled")+" debug logging", null);
+            response.sendRedirect("logviewer.jsp?log=debug");
+            return;
+        }
    }

    // Santize variables to prevent vulnerabilities
@@ -147,36 +152,40 @@
    User pageUser = admin.getUser();

    if (clearLog && log != null) {
-        if ("error".equals(log)) {
-            Log.rotateErrorLogFile();
-        }
-        else if ("warn".equals(log)) {
-            Log.rotateWarnLogFile();
-        }
-        else if ("info".equals(log)) {
-            Log.rotateInfoLogFile();
-        }
-        else if ("debug".equals(log)) {
-            Log.rotateDebugLogFile();
+        if (!(csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam))) {
+            if ("error".equals(log)) {
+                Log.rotateErrorLogFile();
+            }
+            else if ("warn".equals(log)) {
+                Log.rotateWarnLogFile();
+            }
+            else if ("info".equals(log)) {
+                Log.rotateInfoLogFile();
+            }
+            else if ("debug".equals(log)) {
+                Log.rotateDebugLogFile();
+            }
+            response.sendRedirect("logviewer.jsp?log=" + log);
+            return;
        }
-        response.sendRedirect("logviewer.jsp?log=" + log);
-        return;
    }
    else if (markLog && log != null) {
-        if ("error".equals(log)) {
-            Log.markErrorLogFile(pageUser.getUsername());
-        }
-        else if ("warn".equals(log)) {
-            Log.markWarnLogFile(pageUser.getUsername());
-        }
-        else if ("info".equals(log)) {
-            Log.markInfoLogFile(pageUser.getUsername());
-        }
-        else if ("debug".equals(log)) {
-            Log.markDebugLogFile(pageUser.getUsername());
+        if (!(csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam))) {
+            if ("error".equals(log)) {
+                Log.markErrorLogFile(pageUser.getUsername());
+            }
+            else if ("warn".equals(log)) {
+                Log.markWarnLogFile(pageUser.getUsername());
+            }
+            else if ("info".equals(log)) {
+                Log.markInfoLogFile(pageUser.getUsername());
+            }
+            else if ("debug".equals(log)) {
+                Log.markDebugLogFile(pageUser.getUsername());
+            }
+            response.sendRedirect("logviewer.jsp?log=" + log);
+            return;
        }
-        response.sendRedirect("logviewer.jsp?log=" + log);
-        return;
    }
    else if (saveLog && log != null) {
        saveLog = false;
@@ -206,6 +215,10 @@

    // Determine if any of the log files contents have been updated:
    HashMap newlogs = getLogUpdate(request, response, logDir);
+    csrfParam = StringUtils.randomString(16);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
 %>

 <html>
@@ -360,6 +373,7 @@ IFRAME {
                    <input type="hidden" name="markLog" value="false">
                    <input type="hidden" name="saveLog" value="false">
                    <input type="hidden" name="emailLog" value="false">
+                    <input type="hidden" name="csrf" value="${csrf}">
                    <div class="buttons">
                    <table cellpadding="0" cellspacing="0" border="0">
                    <tbody>

--- a/src/web/server-db-stats.jsp
+++ b/src/web/server-db-stats.jsp
@@ -25,7 +25,9 @@
 <%@ page import="org.jivesoftware.database.ProfiledConnection"%>
 <%@ page import="org.jivesoftware.database.ProfiledConnectionEntry"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="org.jivesoftware.util.LocaleUtils"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>

 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -45,6 +47,17 @@
    String enableStats = ParamUtils.getParameter(request,"enableStats");
    int refresh = ParamUtils.getIntParameter(request,"refresh", -1);
    boolean doSortByTime = ParamUtils.getBooleanParameter(request,"doSortByTime");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+    boolean csrf_check = true;
+
+    if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+        csrf_check = false;
+        doClear = false;
+    }
+    csrfParam = StringUtils.randomString(16);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);

    // Var for the alternating colors
    int rowColor = 0;
@@ -56,16 +69,18 @@
        response.sendRedirect("server-db-stats.jsp");
    }

-    // Enable/disable stats
-    if ("true".equals(enableStats) && ! DbConnectionManager.isProfilingEnabled()) {
-        DbConnectionManager.setProfilingEnabled(true);
-        // Log the event
-        webManager.logEvent("enabled db profiling", null);
-    }
-    else if ("false".equals(enableStats) && DbConnectionManager.isProfilingEnabled()) {
-        DbConnectionManager.setProfilingEnabled(false);
-        // Log the event
-        webManager.logEvent("disabled db profiling", null);
+    if (csrf_check) {
+        // Enable/disable stats
+        if ("true".equals(enableStats) && ! DbConnectionManager.isProfilingEnabled()) {
+            DbConnectionManager.setProfilingEnabled(true);
+            // Log the event
+            webManager.logEvent("enabled db profiling", null);
+        }
+        else if ("false".equals(enableStats) && DbConnectionManager.isProfilingEnabled()) {
+            DbConnectionManager.setProfilingEnabled(false);
+            // Log the event
+            webManager.logEvent("disabled db profiling", null);
+        }
    }

    boolean showQueryStats = DbConnectionManager.isProfilingEnabled();