Merge pull request #570 from surevine/dwd/of-836

OF-836 / OF-941 / OF-777

src/java/org/jivesoftware/util/CookieUtils.java

@@ -126,6 +126,7 @@ public class CookieUtils {
         Cookie cookie = new Cookie(name, value);
         cookie.setMaxAge(maxAge);
         cookie.setPath(path);
+        cookie.setHttpOnly(true);
         response.addCookie(cookie);
     }
 }

src/web/audit-policy.jsp

@@ -17,6 +17,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.audit.AuditManager,
                  org.jivesoftware.openfire.user.UserNotFoundException,
@@ -60,6 +61,18 @@
     AuditManager auditManager = XMPPServer.getInstance().getAuditManager();
 
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         auditManager.setEnabled(auditEnabled);
         auditManager.setAuditMessage(auditMessages);
@@ -187,6 +200,7 @@
 
 <!-- BEGIN 'Set Message Audit Policy' -->
 <form action="audit-policy.jsp" name="f">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="audit.policy.policytitle" />
 	</div>
@@ -245,7 +259,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="maxTotalSize"
-							 value="<%= ((maxTotalSize != null) ? maxTotalSize : "") %>">
+							 value="<%= ((maxTotalSize != null) ? StringUtils.escapeForXML(maxTotalSize) : "") %>">
 
 						<%  if (errors.get("maxTotalSize") != null) { %>
 
@@ -263,7 +277,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="maxFileSize"
-							 value="<%= ((maxFileSize != null) ? maxFileSize : "") %>">
+							 value="<%= ((maxFileSize != null) ? StringUtils.escapeForXML(maxFileSize) : "") %>">
 
 						<%  if (errors.get("maxFileSize") != null) { %>
 
@@ -281,7 +295,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="maxDays"
-							 value="<%= ((maxDays != null) ? maxDays : "") %>">
+							 value="<%= ((maxDays != null) ? StringUtils.escapeForXML(maxDays) : "") %>">
 
 							<%  if (errors.get("maxDays") != null) { %>
 
@@ -299,7 +313,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="logTimeout"
-							 value="<%= ((logTimeout != null) ? logTimeout : "") %>">
+							 value="<%= ((logTimeout != null) ? StringUtils.escapeForXML(logTimeout) : "") %>">
 
 						<%  if (errors.get("logTimeout") != null) { %>
 

src/web/available-plugins.jsp

@@ -28,6 +28,9 @@
 <%@ page import="java.util.Comparator" %>
 <%@ page import="java.util.List" %>
 <%@ page import="org.jivesoftware.util.JiveGlobals"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="java.util.Date"%>
 
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -39,6 +42,17 @@
 <%
     boolean downloadRequested = request.getParameter("download") != null;
     String url = request.getParameter("url");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (downloadRequested) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            downloadRequested = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     UpdateManager updateManager = XMPPServer.getInstance().getUpdateManager();
     List<AvailablePlugin> plugins = updateManager.getNotInstalledPlugins();

src/web/chatroom-history-settings.jsp

@@ -57,6 +57,18 @@
     HistoryStrategy historyStrat = muc.getHistoryStrategy();
 
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         if (policy != ALL && policy != NONE && policy != NUMBER) {
             errors.put("general", "Please choose a valid chat history policy.");
@@ -116,6 +128,7 @@
 </p>
 
 <form action="chatroom-history-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
 <fieldset>
     <legend><fmt:message key="chatroom.history.settings.policy" /></legend>

src/web/compression-settings.jsp

@@ -24,6 +24,8 @@
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -43,6 +45,17 @@
     boolean serverEnabled = ParamUtils.getBooleanParameter(request, "serverEnabled");
 
     final ConnectionManagerImpl connectionManager = (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (update) {
         // Update c2s compression policy
@@ -86,6 +99,7 @@
 
 <!-- BEGIN compression settings -->
 <form action="compression-settings.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 
 	<div class="jive-contentBox" style="-moz-border-radius: 3px;">
 

src/web/connection-managers-settings.jsp

@@ -27,6 +27,7 @@
                  org.jivesoftware.openfire.multiplex.ConnectionMultiplexerManager,
                  org.jivesoftware.openfire.session.ConnectionMultiplexerSession,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.StringUtils"
     errorPage="error.jsp"
 %>
@@ -58,6 +59,18 @@
 
     // Update the session kick policy if requested
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         // Validate params
         if (managerEnabled) {
@@ -167,6 +180,7 @@
 <%  } %>
 
 <form action="connection-managers-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
 <fieldset>
     <div>

src/web/connection-settings-advanced.jsp

 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.Connection" %>
 <%@ page import="org.jivesoftware.openfire.spi.*" %>
 <%@ page import="java.util.*" %>
@@ -12,9 +14,21 @@
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"  />
 <% webManager.init(request, response, session, application, out ); %>
 <%
-    final boolean update = request.getParameter( "update" ) != null;
+    boolean update = request.getParameter( "update" ) != null;
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     pageContext.setAttribute( "errors", errors );
 
     ConnectionType connectionType = null;
@@ -281,6 +295,7 @@
 </p>
 
 <form action="connection-settings-advanced.jsp?connectionType=${connectionType}&connectionMode=${connectionMode}" onsubmit="selectAllOptions('cipherSuitesEnabled')" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="update" value="true" />
 
     <fmt:message key="connection.advanced.settings.tcp.boxtitle" var="tcpboxtitle"/>

src/web/connection-settings-external-components.jsp

@@ -8,6 +8,10 @@
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ModificationNotAllowedException" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.xmpp.packet.JID" %>
+<%@ page import="gnu.inet.encoding.StringprepException" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 <%@ page errorPage="error.jsp" %>
@@ -26,8 +30,29 @@
     final ConnectionConfiguration legacymodeConfiguration = manager.getListener( connectionType, true  ).generateConnectionConfiguration();
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    boolean update = request.getParameter( "update" ) != null;
+    boolean permissionUpdate = request.getParameter( "permissionUpdate" ) != null;
+    String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
+    boolean componentAllowed = request.getParameter( "componentAllowed" ) != null;
+    boolean componentBlocked = request.getParameter( "componentBlocked" ) != null;
+
+    if (update || permissionUpdate || configToDelete != null || componentAllowed || componentBlocked) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            permissionUpdate = false;
+            configToDelete = null;
+            componentAllowed = false;
+            componentBlocked = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
-    final boolean update = request.getParameter( "update" ) != null;
 
     if ( update && errors.isEmpty() )
     {
@@ -55,7 +80,6 @@
     }
 
     // Process Permission update configuration change.
-    final boolean permissionUpdate = request.getParameter( "permissionUpdate" ) != null;
 
     if ( permissionUpdate && errors.isEmpty() )
     {
@@ -85,7 +109,6 @@
     }
 
     // Process removal of a blacklist or whitelist item.
-    final String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
 
     if ( configToDelete != null && !configToDelete.trim().isEmpty() && errors.isEmpty() )
     {
@@ -105,12 +128,17 @@
     }
 
     // Process addition to whitelist.
-    final boolean componentAllowed = request.getParameter( "componentAllowed" ) != null;
     String subdomain = ParamUtils.getParameter( request, "subdomain" ); // shared with blacklist.
     if ( subdomain != null )
     {
+        subdomain = subdomain.trim();
+        try {
+            subdomain = JID.domainprep(subdomain);
             // Remove the hostname if the user is not sending just the subdomain.
             subdomain = subdomain.replace( "." + XMPPServer.getInstance().getServerInfo().getXMPPDomain(), "" );
+        } catch (Exception e) {
+            errors.put("subdomain", e.getMessage());
+        }
     }
     if ( componentAllowed && errors.isEmpty() )
     {
@@ -147,7 +175,6 @@
     }
 
     // Process addition to blacklist.
-    final boolean componentBlocked = request.getParameter( "componentBlocked" ) != null;
 
     if ( componentBlocked && errors.isEmpty() )
     {
@@ -259,6 +286,7 @@
 </p>
 
 <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
     <fmt:message key="component.settings.plaintext.boxtitle" var="plaintextboxtitle"/>
     <admin:contentBox title="${plaintextboxtitle}">
@@ -307,6 +335,7 @@
 <fmt:message key="component.settings.allowed" var="allowedTitle" />
 <admin:contentBox title="${allowedTitle}">
     <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
         <table cellpadding="3" cellspacing="0" border="0" width="100%" >
             <tr valign="top">
                 <td colspan="2">
@@ -364,7 +393,11 @@
                         <td><c:out value="${component.subdomain}"/></td>
                         <td><c:out value="${component.secret}"/></td>
                         <td align="center" style="border-right:1px #ccc solid;">
-                            <a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('connection-settings-external-components.jsp?deleteConf=${component.subdomain}'); } "
+                            <c:url var="deleteurl" value="connection-settings-external-components.jsp">
+                                <c:param name="deleteConf" value="${component.subdomain}"/>
+                                <c:param name="csrf" value="${csrf}"/>
+                            </c:url>
+                            <a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                title="<fmt:message key="global.click_delete" />"><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                         </td>
                     </tr>
@@ -376,6 +409,7 @@
     <br/>
 
     <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
         <table cellpadding="3" cellspacing="1" border="0">
             <tr>
                 <td nowrap width="1%">
@@ -423,7 +457,11 @@
                         <td>${ status.index + 1}</td>
                         <td><c:out value="${component.subdomain}"/></td>
                         <td align="center" style="border-right:1px #ccc solid;">
-                            <a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('connection-settings-external-components.jsp?deleteConf=${component.subdomain}'); } "
+                            <c:url var="deleteurl" value="connection-settings-external-components.jsp">
+                                <c:param name="deleteConf" value="${component.subdomain}"/>
+                                <c:param name="csrf" value="${csrf}"/>
+                            </c:url>
+                            <a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                title="<fmt:message key="global.click_delete" />"><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                         </td>
                     </tr>
@@ -435,6 +473,7 @@
     <br/>
 
     <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
         <table cellpadding="3" cellspacing="1" border="0">
             <tr>
                 <td nowrap width="1%">

src/web/connection-settings-socket-c2s.jsp

@@ -4,6 +4,8 @@
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.openfire.session.ConnectionSettings" %>
 <%@ page import="java.util.HashMap" %>
@@ -22,8 +24,20 @@
     final ConnectionConfiguration plaintextConfiguration  = manager.getListener( connectionType, false ).generateConnectionConfiguration();
     final ConnectionConfiguration legacymodeConfiguration = manager.getListener( connectionType, true  ).generateConnectionConfiguration();
 
-    final boolean update = request.getParameter( "update" ) != null;
+    boolean update = request.getParameter( "update" ) != null;
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if ( update && errors.isEmpty() )
     {
@@ -126,6 +140,7 @@
 </p>
 
 <form action="connection-settings-socket-c2s.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
     <fmt:message key="ssl.settings.client.plaintext.boxtitle" var="plaintextboxtitle"/>
     <admin:contentBox title="${plaintextboxtitle}">

src/web/connection-settings-socket-s2s.jsp

@@ -4,6 +4,7 @@
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 <%@ page import="org.jivesoftware.openfire.server.RemoteServerManager" %>
@@ -22,13 +23,29 @@
 
     final ConnectionConfiguration plaintextConfiguration  = manager.getListener( connectionType, false ).generateConnectionConfiguration();
 
-    final boolean update = request.getParameter( "update" ) != null;
-    final boolean closeSettings = request.getParameter( "closeSettings" ) != null;
-    final boolean serverAllowed = request.getParameter( "serverAllowed" ) != null;
-    final boolean serverBlocked = request.getParameter( "serverBlocked" ) != null;
-    final String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
+    boolean update = request.getParameter( "update" ) != null;
+    boolean closeSettings = request.getParameter( "closeSettings" ) != null;
+    boolean serverAllowed = request.getParameter( "serverAllowed" ) != null;
+    boolean serverBlocked = request.getParameter( "serverBlocked" ) != null;
+    String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update || closeSettings || serverAllowed || serverBlocked || configToDelete != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            closeSettings = false;
+            serverAllowed = false;
+            serverBlocked = false;
+            configToDelete = null;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if ( update && errors.isEmpty() )
     {
@@ -262,6 +279,7 @@
 </p>
 
 <form action="connection-settings-socket-s2s.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
     <fmt:message key="server2server.settings.boxtitle" var="boxtitle"/>
     <admin:contentBox title="${boxtitle}">
@@ -290,6 +308,7 @@
 
 <!-- BEGIN 'Idle Connection Settings' -->
 <form action="connection-settings-socket-s2s.jsp?closeSettings" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <fmt:message key="server2server.settings.close_settings" var="idleTitle"/>
     <admin:contentBox title="${idleTitle}">
         <table cellpadding="3" cellspacing="0" border="0">
@@ -329,6 +348,7 @@
 <fmt:message key="server2server.settings.allowed" var="allowedTitle"/>
 <admin:contentBox title="${allowedTitle}">
     <form action="connection-settings-socket-s2s.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
         <table cellpadding="3" cellspacing="0" border="0">
             <tr valign="top">
                 <td width="1%" nowrap>
@@ -357,6 +377,7 @@
     </form>
 
     <form action="connection-settings-socket-s2s.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
         <table class="jive-table" cellpadding="0" cellspacing="0" border="0" width="100%">
             <tr>
                 <th width="1%">&nbsp;</th>
@@ -377,7 +398,11 @@
                             <td><c:out value="${server.domain}"/></td>
                             <td><c:out value="${server.remotePort}"/></td>
                             <td align="center" style="border-right:1px #ccc solid;">
-                                <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('connection-settings-socket-s2s.jsp?deleteConf=${server.domain}'); } "
+                                <c:url var="deleteurl" value="connection-settings-socket-s2s.jsp">
+                                    <c:param name="deleteConf" value="${server.domain}"/>
+                                    <c:param name="csrf" value="${csrf}"/>
+                                </c:url>
+                                <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                    title="<fmt:message key="global.click_delete" />"
                                         ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                             </td>
@@ -429,7 +454,11 @@
                         <td>${ status.index + 1}</td>
                         <td><c:out value="${server.domain}"/></td>
                         <td align="center" style="border-right:1px #ccc solid;">
-                            <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('connection-settings-socket-s2s.jsp?deleteConf=${server.domain}'); } "
+                                <c:url var="deleteurl" value="connection-settings-socket-s2s.jsp">
+                                    <c:param name="deleteConf" value="${server.domain}"/>
+                                    <c:param name="csrf" value="${csrf}"/>
+                                </c:url>
+                            <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                title="<fmt:message key="global.click_delete" />"
                                     ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                         </td>
@@ -440,6 +469,7 @@
     </table>
     <br>
     <form action="connection-settings-socket-s2s.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
         <table cellpadding="3" cellspacing="1" border="0" width="100%">
             <tr>
                 <td nowrap width="1%">

src/web/file-transfer-proxy.jsp

@@ -17,6 +17,8 @@
   - limitations under the License.
 --%>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.filetransfer.proxy.FileTransferProxy" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
@@ -35,6 +37,18 @@
     boolean isUpdated = request.getParameter("update") != null;
     boolean isProxyEnabled = ParamUtils.getBooleanParameter(request, "proxyEnabled");
     int port = ParamUtils.getIntParameter(request, "port", 0);
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (isUpdated) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            isUpdated = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (isUpdated) {
         if (isProxyEnabled) {
@@ -114,6 +128,7 @@ else { %>
 
 <!-- BEGIN 'Proxy Service' -->
 <form action="file-transfer-proxy.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="filetransferproxy.settings.enabled.legend"/>
 	</div>

src/web/group-create.jsp

@@ -25,6 +25,7 @@
     errorPage="error.jsp"
 %>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="java.net.URLEncoder"%>
 <%@ page import="java.util.HashMap"%>
 <%@ page import="java.util.Map" %>
@@ -45,6 +46,19 @@
     String description = ParamUtils.getParameter(request, "description", true);
     
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (create || edit) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            create = false;
+            edit = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -187,6 +201,7 @@
 </p>
 
 <form name="f" action="group-create.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
    <% if (groupName != null) { %>
     <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>" id="existingName">

src/web/group-delete.jsp

@@ -35,6 +35,17 @@
     boolean cancel = request.getParameter("cancel") != null;
     boolean delete = request.getParameter("delete") != null;
     String groupName = ParamUtils.getParameter(request,"group");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -81,6 +92,7 @@
 </p>
 
 <form action="group-delete.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
 <input type="submit" name="delete" value="<fmt:message key="group.delete.delete" />">
 <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">

src/web/group-edit.jsp

@@ -30,6 +30,7 @@
 <%@ page import="org.jivesoftware.util.Log"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="org.xmpp.packet.JID"%>
 <%@ page import="org.xmpp.packet.Presence"%>
 <%@ page import="java.io.UnsupportedEncodingException"%>
@@ -71,6 +72,21 @@
     Group group = groupManager.getGroup(groupName);
     boolean success;
     StringBuffer errorBuf = new StringBuffer();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add || delete || updateMember || update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            delete = false;
+            update = false;
+            updateMember = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (cancel) {
         response.sendRedirect("group-summary.jsp");
@@ -325,6 +341,8 @@
 	<div class="jive-horizontalRule"></div>
 
 <form name="ff" action="group-edit.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
+
 <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>"/>
 
 
@@ -478,6 +496,7 @@
 		</p>
 
         <form action="group-edit.jsp" method="post" name="f">
+            <input type="hidden" name="csrf" value="${csrf}">
         <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
         <input type="hidden" name="add" value="Add"/>
         <table cellpadding="3" cellspacing="1" border="0" style="margin: 0 0 8px 0;">
@@ -496,6 +515,7 @@
         <% } %>
 
         <form action="group-edit.jsp" method="post" name="main">
+    <input type="hidden" name="csrf" value="${csrf}">
         <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
         <table class="jive-table" cellpadding="3" cellspacing="0" border="0" width="435">
             <tr>

src/web/http-bind.jsp

@@ -22,7 +22,7 @@
 <%@ page import="java.util.Map" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="org.jivesoftware.util.Log" %>
-<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.openfire.http.FlashCrossDomainServlet" %>
 <%@ page import="org.jivesoftware.openfire.http.HttpBindManager" %>
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
@@ -83,12 +83,21 @@
 
 <%
     Map<String, String> errorMap = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
     if (request.getParameter("update") != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            errorMap.put("csrf", "CSRF Failure!");
+        } else {
             errorMap = handleUpdate(request);
             // Log the event
             webManager.logEvent("updated HTTP bind settings", null);
         }
+    }
 
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     boolean isHttpBindEnabled = serverManager.isHttpBindEnabled();
     int port = serverManager.getHttpBindUnsecurePort();
     int securePort = serverManager.getHttpBindSecurePort();
@@ -148,6 +157,7 @@
 } %>
 
 <form action="http-bind.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
     <div class="jive-contentBox" style="-moz-border-radius: 3px;">
         <table cellpadding="3" cellspacing="0" border="0">

src/web/import-keystore-certificate.jsp

@@ -3,6 +3,8 @@
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 
@@ -14,7 +16,7 @@
 <% webManager.init(request, response, session, application, out ); %>
 
 <% // Get parameters:
-    final boolean save            = ParamUtils.getParameter(request, "save") != null;
+    boolean save            = ParamUtils.getParameter(request, "save") != null;
     final String privateKey       = ParamUtils.getParameter(request, "privateKey");
     final String passPhrase       = ParamUtils.getParameter(request, "passPhrase");
     final String certificate      = ParamUtils.getParameter(request, "certificate");
@@ -30,6 +32,18 @@
         errors.put( "connectionType", ex.getMessage() );
         connectionType = null;
     }
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (save) {
         if (privateKey == null || privateKey.trim().isEmpty() ) {
@@ -107,6 +121,7 @@
 
 <!-- BEGIN 'Import Private Key and Certificate' -->
 <form action="import-keystore-certificate.jsp?connectionType=${connectionType}" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 
     <c:set var="title"><fmt:message key="ssl.import.certificate.keystore.private-key.title"/></c:set>
     <admin:contentBox title="${title}">
@@ -117,7 +132,7 @@
                     <label for="passPhrase"><fmt:message key="ssl.import.certificate.keystore.pass-phrase" /></label>
                 </td>
                 <td width="99%">
-                    <input type="text" size="60" maxlength="200" name="passPhrase" id="passPhrase" value="${param.passPhrase}">
+                    <input type="text" size="60" maxlength="200" name="passPhrase" id="passPhrase" value="<c:out value="${param.passPhrase}"/>">
                 </td>
             </tr>
             <tr valign="top">

src/web/import-truststore-certificate.jsp

@@ -2,6 +2,8 @@
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
@@ -14,12 +16,24 @@
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"/>
 <%  webManager.init(request, response, session, application, out ); %>
 
-<%  final boolean save             = ParamUtils.getParameter(request, "save") != null;
+<%  boolean save             = ParamUtils.getParameter(request, "save") != null;
     final String alias             = ParamUtils.getParameter(request, "alias");
     final String certificate       = ParamUtils.getParameter(request, "certificate");
     final String storePurposeText  = ParamUtils.getParameter(request, "connectionType");
 
     final Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType;
     try

src/web/login.jsp

@@ -86,7 +86,21 @@
 
     Map<String, String> errors = new HashMap<String, String>();
 
-    if (ParamUtils.getBooleanParameter(request, "login")) {
+    Boolean login = ParamUtils.getBooleanParameter(request, "login");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (login) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            login = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
+    if (login) {
         String loginUsername = username;
         if (loginUsername != null) {
             loginUsername = JID.escapeNode(loginUsername);
@@ -182,6 +196,7 @@
 <%  } catch (Exception e) { Log.error(e); } } %>
 
 <input type="hidden" name="login" value="true">
+<input type="hidden" name="csrf" value="${csrf}">
 
 <div align="center">
     <!-- BEGIN login box -->

src/web/manage-updates.jsp

@@ -24,6 +24,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.update.UpdateManager,
                  java.util.HashMap,
@@ -54,6 +55,18 @@
 
     // Update the session kick policy if requested
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
 
         // Validate params
@@ -130,6 +143,7 @@ else if (updateSucess) { %>
 
 <!-- BEGIN manage updates settings -->
 <form action="manage-updates.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<!--<div class="jive-contentBoxHeader">
 
 	</div>-->

src/web/media-proxy.jsp

@@ -20,6 +20,7 @@
 
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
@@ -37,10 +38,6 @@
     MediaProxyService mediaProxyService = XMPPServer.getInstance().getMediaProxyService();
 
     boolean stop = request.getParameter("stop") != null;
-    if (stop) {
-        mediaProxyService.stopAgents();
-    }
-
     boolean save = request.getParameter("update") != null;
     boolean success = false;
 
@@ -50,6 +47,22 @@
     int maxPort = mediaProxyService.getMaxPort();
     int echoPort = mediaProxyService.getEchoPort();
     boolean enabled = mediaProxyService.isEnabled();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save || stop) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            stop = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
+    if (stop) {
+        mediaProxyService.stopAgents();
+    }
 
     if (save) {
         keepAliveDelay = ParamUtils.getLongParameter(request, "idleTimeout", keepAliveDelay);
@@ -128,6 +141,7 @@
 <% } %>
 
 <form action="media-proxy.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <div class="jive-contentBoxHeader">
         <fmt:message key="mediaproxy.form.label"/>
     </div>
@@ -322,6 +336,7 @@
         </tbody>
     </table>
     <form action="">
+        <input type="hidden" name="csrf" value="${csrf}">
         <input type="submit" name="stop" value="<fmt:message key="mediaproxy.summary.stopbutton" />"/>
     </form>
 </div>

src/web/muc-create-permission.jsp

@@ -52,6 +52,19 @@
         return;
     }
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save || add || delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            add = false;
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Get muc server
     MultiUserChatService mucService = webManager.getMultiUserChatManager().getMultiUserChatService(mucname);
 
@@ -192,6 +205,7 @@
 
 <!-- BEGIN 'Permission Policy' -->
 <form action="muc-create-permission.jsp?save" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.policy" />
@@ -231,6 +245,7 @@
 <%  if (mucService.isRoomCreationRestricted()) { %>
 <!-- BEGIN 'Allowed Users' -->
 <form action="muc-create-permission.jsp?add" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.allowed_users" />
@@ -288,7 +303,7 @@
 						  <%= jidDisplay %></a>
 						</td>
 						<td width="1%" align="center">
-							<a href="muc-create-permission.jsp?userJID=<%= jid.toString() %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
+							<a href="muc-create-permission.jsp?userJID=<%= jid.toString() %>&delete=true&csrf=${csrf}&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
 							 title="<fmt:message key="muc.create.permission.click_title" />"
 							 onclick="return confirm('<fmt:message key="muc.create.permission.confirm_remove" />');"
 							 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/muc-default-settings.jsp

@@ -56,6 +56,18 @@
 
     // Handle a save
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (save) {
         try {
             int max = Integer.parseInt(maxUsers);
@@ -182,6 +194,7 @@
 
 <!-- BEGIN 'Default Room Settings' -->
 <form action="muc-default-settings.jsp?save" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
         <fmt:message key="muc.default.settings.title" />

src/web/muc-history-settings.jsp

@@ -58,6 +58,18 @@
     HistoryStrategy historyStrat = mucService.getHistoryStrategy();
 
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         if (policy != ALL && policy != NONE && policy != NUMBER) {
             errors.put("general", "Please choose a valid chat history policy.");
@@ -135,6 +147,7 @@
 
 <!-- BEGIN 'History Settings' -->
 <form action="muc-history-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.history.settings.legend" />

src/web/muc-room-affiliations.jsp

@@ -26,6 +26,7 @@
                  org.jivesoftware.openfire.group.GroupJID,
                  org.jivesoftware.openfire.group.GroupManager,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.StringUtils,
                  org.xmpp.packet.IQ"
     errorPage="error.jsp"
@@ -66,6 +67,18 @@
     }
 
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle an add
     if (add) {
         // do validation
@@ -214,6 +227,7 @@
 <%  } %>
 
 <form action="muc-room-affiliations.jsp?add" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
 
 <fieldset>
@@ -282,7 +296,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -321,7 +335,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -362,7 +376,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a><%= StringUtils.escapeHTMLTags(nickname) %>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -401,7 +415,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/muc-room-delete.jsp

@@ -33,6 +33,17 @@
 <%  // Get parameters //
     boolean cancel = request.getParameter("cancel") != null;
     boolean delete = request.getParameter("delete") != null;
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     JID roomJID = new JID(ParamUtils.getParameter(request,"roomJID"));
     String alternateJIDString = ParamUtils.getParameter(request,"alternateJID");
@@ -93,6 +104,7 @@
 </p>
 
 <form action="muc-room-delete.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 
 <fieldset>

src/web/muc-room-edit-form.jsp

@@ -19,6 +19,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.text.DateFormat,
                  java.util.*,
                  org.jivesoftware.openfire.muc.MUCRoom,
@@ -105,6 +106,18 @@
 
     // Handle an save
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (save) {
         // do validation
 
@@ -445,6 +458,7 @@
 <% if (!create) { %>
     <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 <% } %>
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="save" value="true">
 <input type="hidden" name="create" value="<%= create %>">
 <input type="hidden" name="roomconfig_persistentroom" value="<%= persistentRoom %>">

src/web/muc-room-occupants.jsp

@@ -21,6 +21,7 @@
                  org.jivesoftware.openfire.muc.MUCRoom,
                  org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.net.URLEncoder,
                  java.text.DateFormat"
     errorPage="error.jsp"
@@ -39,6 +40,17 @@
     String nickName = ParamUtils.getParameter(request,"nickName");
     String kick = ParamUtils.getParameter(request,"kick");
     String roomName = roomJID.getNode();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (kick != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            kick = null;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Load the room object
     MUCRoom room = webManager.getMultiUserChatManager().getMultiUserChatService(roomJID).getChatRoom(roomName);
@@ -162,7 +174,7 @@
             <td><%= StringUtils.escapeHTMLTags(role.getNickname().toString()) %></td>
             <td><%= StringUtils.escapeHTMLTags(role.getRole().toString()) %></td>
             <td><%= StringUtils.escapeHTMLTags(role.getAffiliation().toString()) %></td>
-            <td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
+            <td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1&csrf=${csrf}" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
         </tr>
         <% } %>
     </tbody>

src/web/muc-service-delete.jsp

@@ -34,6 +34,17 @@
     boolean delete = request.getParameter("delete") != null;
     String mucname = ParamUtils.getParameter(request,"mucname");
     String reason = ParamUtils.getParameter(request,"reason");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -78,6 +89,7 @@
 </p>
 
 <form action="muc-service-delete.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
 
 <fieldset>

src/web/muc-service-edit-form.jsp

@@ -19,11 +19,13 @@
 
 <%@ page import="org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.AlreadyExistsException,
                  java.util.*"
     errorPage="error.jsp"
 %>
 <%@ page import="java.net.URLEncoder" %>
+<%@ page import="org.xmpp.packet.JID" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
 
@@ -45,6 +47,17 @@
     boolean success = request.getParameter("success") != null;
     String mucname = ParamUtils.getParameter(request,"mucname");
     String mucdesc = ParamUtils.getParameter(request,"mucdesc");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Load the service object
     if (!create && !webManager.getMultiUserChatManager().isServiceRegistered(mucname)) {
@@ -66,6 +79,12 @@
         // do validation
         if (mucname == null || mucname.indexOf('.') >= 0 || mucname.length() < 1) {
             errors.put("mucname","mucname");
+        } else {
+            try {
+                mucname = JID.domainprep(mucname);
+            } catch (Exception e) {
+                errors.put("mucname", e.getMessage());
+            }
         }
         if (errors.size() == 0) {
             if (!create) {
@@ -146,6 +165,7 @@
 
 <!-- BEGIN 'Service Name'-->
 <form action="muc-service-edit-form.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="save" value="true">
 <% if (!create) { %>
 <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">

src/web/muc-service-summary.jsp

@@ -200,7 +200,7 @@
             <a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(service.getServiceName())) %></a>
         </td>
         <td width="33%">
-            <%= service.getDescription() %> &nbsp;
+            <%= StringUtils.escapeHTMLTags(service.getDescription()) %> &nbsp;
         </td>
         <td width="5%">
             <a href="muc-room-summary.jsp?mucname==<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= service.getNumberChatRooms() %></a>

src/web/muc-sysadmins.jsp

@@ -52,6 +52,19 @@
 
     // Handle a save
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add || delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            delete = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     List<JID> allowedJIDs = new ArrayList<JID>();
     try {
     	if (userJID != null && userJID.trim().length() > 0) {
@@ -163,6 +176,7 @@
 
 <!-- BEGIN 'Administrators' -->
 <form action="muc-sysadmins.jsp?add" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.admins.legend" />

src/web/muc-tasks.jsp

@@ -51,6 +51,19 @@
     MultiUserChatService mucService = webManager.getMultiUserChatManager().getMultiUserChatService(mucname);
 
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (kickSettings || logSettings) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            kickSettings = false;
+            logSettings = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle an update of the kicking task settings
     if (kickSettings) {
         if (!kickEnabled) {
@@ -187,6 +200,7 @@
 
 <!-- BEGIN 'Idle User Settings' -->
 <form action="muc-tasks.jsp?kickSettings" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.user_setting" />
@@ -228,6 +242,7 @@
 
 <!-- BEGIN 'Conversation Logging' -->
 <form action="muc-tasks.jsp?logSettings" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.conversation.logging" />

src/web/offline-messages.jsp

@@ -62,6 +62,18 @@
 
     // Update the session kick policy if requested
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         // Validate params
         if (strategy != BOUNCE && strategy != DROP && strategy != STORE) {
@@ -199,6 +211,7 @@
 
 <!-- BEGIN 'Offline Message Policy' -->
 <form action="offline-messages.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="offline.messages.policy" />
 	</div>

src/web/plugin-admin.jsp

@@ -15,6 +15,8 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.container.Plugin,
                  org.jivesoftware.openfire.container.PluginManager,
@@ -50,12 +52,22 @@
     boolean uploadPlugin = request.getParameter("uploadplugin") != null;
     String url = request.getParameter("url");
     Boolean uploadEnabled = JiveGlobals.getBooleanProperty("plugins.upload.enabled", true);
+    boolean csrf_check = true;
 
     final PluginManager pluginManager = webManager.getXMPPServer().getPluginManager();
 
     List<Plugin> plugins = new ArrayList<Plugin>(pluginManager.getPlugins());
 
     UpdateManager updateManager = XMPPServer.getInstance().getUpdateManager();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+        csrf_check = false;
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (plugins != null) {
         Collections.sort(plugins, new Comparator<Plugin>() {
@@ -65,14 +77,14 @@
         });
     }
 
-    if (downloadRequested) {
+    if (csrf_check && downloadRequested) {
         // Download and install new version of plugin
         updateManager.downloadPlugin(url);
         // Log the event
         webManager.logEvent("downloaded plugin from "+url, null);
     }
 
-    if (deletePlugin != null) {
+    if (csrf_check && deletePlugin != null) {
         File pluginDir = pluginManager.getPluginDirectory(pluginManager.getPlugin(deletePlugin));
         File pluginJar = new File(pluginDir.getParent(), pluginDir.getName() + ".jar");
         // Also try the .war extension.
@@ -87,7 +99,7 @@
         return;
     }
 
-    if (reloadPlugin != null) {
+    if (csrf_check && reloadPlugin != null) {
         for (Plugin plugin : plugins) {
             File pluginDir = pluginManager.getPluginDirectory(plugin);
             if (reloadPlugin.equals(pluginDir.getName())) {
@@ -100,7 +112,7 @@
         }
     }
 
-    if (uploadEnabled && uploadPlugin) {
+    if (csrf_check && uploadEnabled && uploadPlugin) {
         Boolean installed = false;
 
         // Create a factory for disk-based file items
@@ -557,7 +569,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
                 ><img src="images/refresh-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="global.refresh" />"></a>
     </td>
     <td width="1%" align="center" valign="top" class="<%= update != null ? "update-right" : "line-bottom-border"%>">
-        <a href="#" onclick="if (confirm('<fmt:message key="plugin.admin.confirm" />')) { location.replace('plugin-admin.jsp?deleteplugin=<%= dirName %>'); } "
+        <a href="#" onclick="if (confirm('<fmt:message key="plugin.admin.confirm" />')) { location.replace('plugin-admin.jsp?csrf=${csrf}&deleteplugin=<%= dirName %>'); } "
            title="<fmt:message key="global.click_delete" />"
                 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="global.delete" />"></a>
     </td>
@@ -570,7 +582,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
     String updateURL = update.getURL();
     if (updateURL.endsWith(".jar") || updateURL.endsWith(".zip") || updateURL.endsWith(".war")) {
         // Change it so that the server downloads and installs the new version of the plugin
-        updateURL = "plugin-admin.jsp?download=true&url=" + updateURL;
+        updateURL = "plugin-admin.jsp?csrf=" + csrfParam + "download=true&url=" + updateURL;
     }
 %>
 <tr id="<%= update.hashCode() %>-row">
@@ -633,6 +645,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
     <h3><fmt:message key="plugin.admin.upload_plugin" /></h3>
     <p><fmt:message key="plugin.admin.upload_plugin.info" /></p>
     <form action="plugin-admin.jsp?uploadplugin" enctype="multipart/form-data" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
         <input type="file" name="uploadfile" />
         <input type="submit" value="<fmt:message key="plugin.admin.upload_plugin" />" />
     </form>

src/web/private-data-settings.jsp

@@ -39,6 +39,17 @@
 <%  // Get parameters:
     boolean update = request.getParameter("update") != null;
     boolean privateEnabled = ParamUtils.getBooleanParameter(request,"privateEnabled");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Get an audit manager:
     PrivateStorage privateStorage = webManager.getPrivateStore();
@@ -72,6 +83,7 @@
 
 <!-- BEGIN 'Set Private Data Policy' -->
 <form action="private-data-settings.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="private.data.settings.policy" />
 	</div>

src/web/reg-settings.jsp

@@ -20,6 +20,8 @@
 <%@ page import="org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.handler.IQRegisterHandler,
                  org.jivesoftware.openfire.session.LocalClientSession,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils"
     errorPage="error.jsp"
 %>
@@ -51,6 +53,17 @@
     String blockedIPs = request.getParameter("blockedIPs");
     // Get an IQRegisterHandler:
     IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (save) {
         regHandler.setInbandRegEnabled(inbandEnabled);
@@ -138,6 +151,7 @@
 </p>
 
 <form action="reg-settings.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 
 <% if (save) { %>
 

src/web/security-certificate-store-management.jsp

@@ -7,6 +7,9 @@
 <%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreConfiguration" %>
 <%@ page import="java.io.File" %>
 <%@ page import="org.jivesoftware.util.Log" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -23,7 +26,19 @@
     pageContext.setAttribute( "connectionTypes", ConnectionType.values() );
     pageContext.setAttribute( "certificateStoreManager", certificateStoreManager );
 
-    final boolean update = request.getParameter("update") != null;
+    boolean update = request.getParameter("update") != null;
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if ( update ) {
         ConnectionType connectionType = null;
         try {
@@ -130,6 +145,7 @@
     </c:set>
 
     <form action="security-certificate-store-management.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
         <input type="hidden" name="connectionType" value="${connectionType}"/>
 
         <admin:contentBox title="${title}">

src/web/security-keystore-signing-request.jsp

@@ -11,6 +11,7 @@
 <%@page import="org.bouncycastle.asn1.x509.Extension"%>
 <%@page import="org.bouncycastle.asn1.x500.X500NameBuilder"%>
 <%@page import="org.jivesoftware.util.CertificateManager"%>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.util.HashMap" %>
@@ -27,7 +28,7 @@
     String domain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
 
      // Get parameters:
-    final boolean save              = ParamUtils.getParameter(request, "save") != null;
+    boolean save              = ParamUtils.getParameter(request, "save") != null;
     final String name               = domain;
     final String organizationalUnit = ParamUtils.getParameter(request, "ou");
     final String organization       = ParamUtils.getParameter(request, "o");
@@ -37,6 +38,18 @@
     final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType = null;
     IdentityStore identityStore = null;
@@ -160,6 +173,7 @@
 
 <!-- BEGIN 'Issuer information form' -->
 <form action="security-keystore-signing-request.jsp" method="post">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="save" value="true">
     <input type="hidden" name="connectionType" value="${connectionType}">
     <div class="jive-contentBoxHeader">

src/web/security-keystore.jsp

@@ -2,6 +2,8 @@
 <%@page import="java.util.LinkedHashMap"%>
 <%@page import="java.security.PrivateKey"%>
 <%@page import="org.jivesoftware.util.CertificateManager"%>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page errorPage="error.jsp" %>
 
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
@@ -25,13 +27,27 @@
 <% webManager.init(request, response, session, application, out); %>
 
 <% // Get parameters:
-    final boolean generate          = ParamUtils.getBooleanParameter(request, "generate");
-    final boolean delete            = ParamUtils.getBooleanParameter(request, "delete");
-    final boolean importReply       = ParamUtils.getBooleanParameter(request, "importReply");
+    boolean generate          = ParamUtils.getBooleanParameter(request, "generate");
+    boolean delete            = ParamUtils.getBooleanParameter(request, "delete");
+    boolean importReply       = ParamUtils.getBooleanParameter(request, "importReply");
     final String alias              = ParamUtils.getParameter( request, "alias" );
     final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (generate | delete | importReply) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            generate = false;
+            delete = false;
+            importReply = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType = null;
     IdentityStore identityStore = null;
@@ -174,7 +190,7 @@
         <c:if test="${not validDSACert or not validRSACert}">
             <admin:infobox type="warning">
                 <fmt:message key="ssl.certificates.keystore.no_installed">
-                    <fmt:param value="<a href='security-keystore.jsp?generate=true&connectionType=${connectionType}'>"/>
+                    <fmt:param value="<a href='security-keystore.jsp?csrf=${csrf}&generate=true&connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
                     <fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
@@ -305,7 +321,7 @@
                                     <c:out value="${certificate.publicKey.algorithm}"/>
                                 </td>
                                 <td width="1" align="center">
-                                    <a href="security-keystore.jsp?alias=${alias}&connectionType=${connectionType}&delete=true"
+                                    <a href="security-keystore.jsp?csrf=${csrf}&alias=${alias}&connectionType=${connectionType}&delete=true"
                                        title="<fmt:message key="global.click_delete"/>"
                                        onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                             ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -314,6 +330,7 @@
 
                             <% if (isSigningPending) { %>
                             <form action="security-keystore.jsp?connectionType=${connectionType}" method="post">
+                                <input type="hidden" name="csrf" value="${csrf}">
                                 <input type="hidden" name="importReply" value="true">
                                 <input type="hidden" name="alias" value="${alias}">
                                 <tr>

src/web/security-truststore.jsp

 <%@ page errorPage="error.jsp"%>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
-<%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.util.Collections" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
@@ -17,12 +19,24 @@
 <jsp:useBean id="now" class="java.util.Date"/>
 <%  webManager.init(request, response, session, application, out );
 
-    final boolean delete          = ParamUtils.getBooleanParameter( request, "delete" );
+    boolean delete          = ParamUtils.getBooleanParameter( request, "delete" );
     final String alias            = ParamUtils.getParameter( request, "alias" );
 
     final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType = null;
     TrustStore trustStore = null;
@@ -207,7 +221,7 @@
                                         <c:out value="${certificate.publicKey.algorithm}"/>
                                     </td>
                                     <td width="1" align="center">
-                                        <a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true"
+                                        <a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true&csrf=csrf"
                                            title="<fmt:message key="global.click_delete"/>"
                                            onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                                 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/server-locale.jsp

@@ -20,6 +20,8 @@
 <%@ page import="org.jivesoftware.util.JiveGlobals,
                  org.jivesoftware.util.LocaleUtils,
                  org.jivesoftware.util.Log,
+                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.ParamUtils"
 %>
 <%@ page import="java.util.HashMap"%>
@@ -40,6 +42,18 @@
 
     // TODO: We're not displaying this error ever.
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (save) {
         // Set the timezeone
         try {
@@ -90,6 +104,7 @@
 
 <!-- BEGIN locale settings -->
 <form action="server-locale.jsp" method="post" name="sform">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="locale.system.set" />
 	</div>

src/web/server-properties.jsp

@@ -72,6 +72,21 @@
         return;
     }
 
+    Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (encrypt || save || delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            encrypt = false;
+            save = false;
+            delete = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (delete) {
         if (propName != null) {
             JiveGlobals.deleteProperty(propName);
@@ -82,7 +97,6 @@
         }
     }
 
-    Map<String, String> errors = new HashMap<String, String>();
     if (save) {
         if (propName == null || "".equals(propName.trim()) || propName.startsWith("\"")) {
             errors.put("propName","");
@@ -254,6 +268,7 @@ function dodelete(propName) {
 </script>
 
 <form action="server-properties.jsp" method="post" name="propform">
+<input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="edit" value="">
 <input type="hidden" name="encrypt" value="">
 <input type="hidden" name="del" value="">
@@ -346,6 +361,7 @@ function dodelete(propName) {
 
 <a name="edit"></a>
 <form action="server-properties.jsp" method="post" name="editform">
+<input type="hidden" name="csrf" value="${csrf}">
 
 <div class="jive-table">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">

src/web/server-props.jsp

@@ -19,6 +19,8 @@
 
 <%@ page import="org.jivesoftware.util.JiveGlobals,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.ConnectionManager,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.JMXManager,
@@ -76,6 +78,18 @@
     XMPPServer server = webManager.getXMPPServer();
     ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (save) {
         if (serverName == null) {
             errors.put("serverName", "");
@@ -206,6 +220,7 @@
 <%  } %>
 
 <form action="server-props.jsp" name="editform" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
 
 <div class="jive-table">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">

src/web/server-session-row.jspf

@@ -120,7 +120,7 @@
     </td>
 
     <td width="1%" nowrap align="center" style="border-right:1px #ccc solid;">
-        <a href="server-session-summary.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>&close=true"
+        <a href="server-session-summary.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>&close=true&csrf=${csrf}"
          title="<fmt:message key="session.row.cliked_kill_session" />"
          onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
          ><img src="images/delete-16x16.gif" width="16" height="16" border="0"></a>

src/web/server-session-summary.jsp

@@ -21,6 +21,8 @@
                  org.jivesoftware.openfire.session.OutgoingServerSession,
                  org.jivesoftware.openfire.session.Session,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.util.*"
     errorPage="error.jsp"
 %>
@@ -41,6 +43,17 @@
     boolean close = ParamUtils.getBooleanParameter(request,"close");
     String hostname = ParamUtils.getParameter(request,"hostname");
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (close) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            close = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (request.getParameter("range") != null) {
         webManager.setRowsPerPage("server-session-summary", range);
     }

src/web/session-conflict.jsp

@@ -49,6 +49,18 @@
 
     // Update the session kick policy if requested
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         // Validate params
         if (kickPolicy != 0 && kickPolicy != 1 && kickPolicy != SessionManager.NEVER_KICK) {
@@ -93,6 +105,7 @@
 
 <!-- BEGIN 'Set Conflict Policy' -->
 <form action="session-conflict.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="session.conflict.policy" />
 	</div>

src/web/session-details.jsp

@@ -26,6 +26,7 @@
                  org.jivesoftware.util.JiveGlobals,
                  org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.text.NumberFormat,
                  java.util.Collection"
     errorPage="error.jsp"
@@ -41,6 +42,14 @@
 <% // Get parameters
     String jid = ParamUtils.getParameter(request, "jid");
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    // ATTN: No check here, because no actions.
+
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    // Handle a "go back" click:
     if (request.getParameter("back") != null) {
         response.sendRedirect("session-summary.jsp");
@@ -71,9 +80,11 @@
 
     // Handle a "message" click:
     if (request.getParameter("message") != null) {
+        if (csrfCookie != null && csrfParam != null && csrfCookie.getValue().equals(csrfParam)) {
             response.sendRedirect("user-message.jsp?username=" + URLEncoder.encode(user.getUsername(), "UTF-8"));
             return;
         }
+    }
 
     // See if there are multiple sessions for this user:
     Collection<ClientSession> sessions = null;

src/web/session-row.jspf

@@ -178,7 +178,7 @@
     </td>
 
     <td width="1%" nowrap align="center" style="border-right:1px #ccc solid;">
-        <a href="session-summary.jsp?jid=<%= URLEncoder.encode(sess.getAddress().toString(), "UTF-8") %>&close=true"
+        <a href="session-summary.jsp?jid=<%= URLEncoder.encode(sess.getAddress().toString(), "UTF-8") %>&close=true&csrf=${csrf}"
          title="<fmt:message key="session.row.cliked_kill_session" />"
          onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
          ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/session-summary.jsp

@@ -22,6 +22,8 @@
                  org.jivesoftware.openfire.session.ClientSession,
                  org.jivesoftware.util.JiveGlobals,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                  java.util.Collection"
     errorPage="error.jsp"
 %>
@@ -68,6 +70,17 @@
     // Get the session count
     int sessionCount = sessionManager.getUserSessionsCount(false);
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (close) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            close = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Close a connection if requested
     if (close) {
         JID address = new JID(jid);

src/web/system-cache.jsp

 <%@ page import="org.jivesoftware.util.cache.Cache"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="java.text.DecimalFormat"%>
 <%--
   -	$RCSfile$
@@ -108,6 +109,17 @@
     // Get the list of existing caches
     Cache[] caches = webManager.getCaches();
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (doClearCache) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            doClearCache = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Clear one or multiple caches if requested.
     if (doClearCache) {
         for (int cacheID : cacheIDs) {
@@ -152,6 +164,7 @@
 %>
 
 <form action="system-cache.jsp" method="post" name="cacheForm">
+        <input type="hidden" name="csrf" value="${csrf}">
 
 <div class="jive-table">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">

src/web/system-clustering.jsp

@@ -31,6 +31,8 @@
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.util.Log" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.util.cache.CacheFactory" %>
 <%@ page import="java.text.DecimalFormat" %>
 <%@ page import="java.util.Arrays" %>
@@ -60,6 +62,17 @@
     boolean clusteringEnabled = ParamUtils.getBooleanParameter(request, "clusteringEnabled");
     boolean updateSucess = false;
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         if (!clusteringEnabled) {
             ClusterManager.setClusteringEnabled(false);
@@ -187,6 +200,7 @@
 
 <!-- BEGIN 'Clustering Enabled' -->
 <form action="system-clustering.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="system.clustering.enabled.legend" />
 	</div>

src/web/system-email.jsp

@@ -36,6 +36,17 @@
     boolean test = request.getParameter("test") != null;
     boolean debug = ParamUtils.getBooleanParameter(request, "debug");
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle a test request
     if (test) {
         response.sendRedirect("system-emailtest.jsp");

src/web/system-emailtest.jsp

@@ -53,6 +53,18 @@
 
     // Validate input
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (doTest) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            doTest = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (doTest) {
         if (from == null) {
             errors.put("from", "");
@@ -215,6 +227,7 @@ function checkClick(el) {
 <%  } %>
 
 <form action="system-emailtest.jsp" method="post" name="f" onsubmit="return checkClick(this);">
+        <input type="hidden" name="csrf" value="${csrf}">
 
 <table cellpadding="3" cellspacing="0" border="0">
 <tbody>

src/web/user-create.jsp

@@ -45,8 +45,20 @@
     String password = ParamUtils.getParameter(request,"password");
     String passwordConfirm = ParamUtils.getParameter(request,"passwordConfirm");
     boolean isAdmin = ParamUtils.getBooleanParameter(request,"isadmin");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
 
     Map<String, String> errors = new HashMap<String, String>();
+    if (create) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            create = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
     // Handle a cancel
     if (cancel) {
         response.sendRedirect("user-summary.jsp");
@@ -203,6 +215,7 @@
 <%  } %>
 
 <form name="f" action="user-create.jsp" method="get">
+    <input type="hidden" name="csrf" value="${csrf}">
 
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="user.create.new_user" />

src/web/user-delete.jsp

@@ -25,6 +25,7 @@
 <%@ page import="org.jivesoftware.openfire.user.UserManager" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="org.xmpp.packet.StreamError" %>
 <%@ page import="java.net.URLEncoder" %>
@@ -39,6 +40,17 @@
     boolean cancel = request.getParameter("cancel") != null;
     boolean delete = request.getParameter("delete") != null;
     String username = ParamUtils.getParameter(request,"username");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -107,6 +119,7 @@
 </c:if>
 
 <form action="user-delete.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="submit" name="delete" value="<fmt:message key="user.delete.delete" />">
 <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">

src/web/user-edit-form.jsp

@@ -19,6 +19,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.openfire.user.*,
                  java.net.URLEncoder"
     errorPage="error.jsp"
@@ -42,6 +43,17 @@
     String email = ParamUtils.getParameter(request,"email");
     boolean isAdmin = ParamUtils.getBooleanParameter(request,"isadmin");
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (request.getParameter("cancel") != null) {
@@ -113,6 +125,8 @@
                 <fmt:message key="user.create.invalid_name" />
             <% } else if (errors.get("email") != null) { %>
                 <fmt:message key="user.create.invalid_email" />
+            <% } else if (errors.get("csrf") != null) { %>
+                CSRF Failure!
             <% } %>
             </td>
         </tr>
@@ -142,6 +156,7 @@
 
 <form action="user-edit-form.jsp">
 
+<input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="hidden" name="save" value="true">
 

src/web/user-groups.jsp

@@ -31,6 +31,7 @@
 <%@ page import="org.jivesoftware.util.Log"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="org.xmpp.packet.JID"%>
 <%@ page import="org.xmpp.packet.Presence"%>
 <%@ page import="java.io.UnsupportedEncodingException"%>
@@ -54,6 +55,20 @@
 	String username = StringUtils.escapeHTMLTags(ParamUtils.getParameter(request, "username"));
 	JID jid = webManager.getXMPPServer().createJID(username, null);
 
+	    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+        String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+        if (add != null || delete != null) {
+            if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+                add = null;
+                delete = null;
+            }
+        }
+        csrfParam = StringUtils.randomString(15);
+        CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+        pageContext.setAttribute("csrf", csrfParam);
+
+
     if(add != null) {
     	try {
     		Group group = webManager.getGroupManager().getGroup(add);
@@ -191,7 +206,7 @@
  %></td>
 
 					<td width="5%"><a
-						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&delete=<%=groupName%>"
+						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&delete=<%=groupName%>&csrf=${csrf}"
 						title="<fmt:message key="global.click_delete" />"><img
 							src="images/delete-16x16.gif" width="16" height="16" border="0"
 							alt="<fmt:message key="global.click_delete" />"></a></td>
@@ -319,7 +334,7 @@
  %></td>
 
 					<td width="5%"><a
-						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&add=<%=groupName%>"
+						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&add=<%=groupName%>&csrf=${csrf}"
 						title="<fmt:message key="global.click_add" />"> <img
 							src="images/add-16x16.gif" width="16" height="16" border="0"
 							alt="<fmt:message key="global.click_add" />"></a></td>

src/web/user-lockout.jsp

@@ -25,6 +25,7 @@
 <%@ page import="org.jivesoftware.openfire.session.ClientSession" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="org.xmpp.packet.StreamError" %>
 <%@ page import="java.net.URLEncoder" %>
@@ -50,6 +51,17 @@
     if (duration == -2) {
         duration = ParamUtils.getIntParameter(request,"duration_custom", -1);   
     }
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+    if (lock || unlock) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            lock = false;
+            unlock = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -146,6 +158,7 @@
 
 <form action="user-lockout.jsp">
     <input type="hidden" name="username" value="${usernameHtmlEscaped}">
+    <input type="hidden" name="csrf" value="${csrf}">
     <input type="submit" name="unlock" value="<fmt:message key="user.lockout.unlock" />">
     <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
 </form>
@@ -169,6 +182,7 @@
 </c:if>
 
 <form action="user-lockout.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
     <% if (LockOutManager.getLockOutProvider().isDelayedStartSupported()) { %>
     <b><fmt:message key="user.lockout.time.startdelay" /></b><br />
     <input type="radio" name="startdelay" value="-1" checked="checked" /> <fmt:message key="user.lockout.time.immediate" /><br />

src/web/user-message.jsp

@@ -20,6 +20,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.openfire.SessionManager,
                  org.jivesoftware.openfire.session.ClientSession,
                  org.jivesoftware.openfire.user.User,
@@ -71,6 +72,18 @@
 
     // Handle the request to send a message:
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (send) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            send = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (send) {
         // Validate the message and jid
         if (jid == null && !sendToAll && user != null) {
@@ -169,6 +182,7 @@ function updateSelect(el) {
 </script>
 
 <form action="user-message.jsp" method="post" name="f">
+        <input type="hidden" name="csrf" value="${csrf}">
 <% if(username != null){ %>
 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <% } %>

src/web/user-password.jsp

@@ -35,6 +35,17 @@
     String username = ParamUtils.getParameter(request,"username");
     String password = ParamUtils.getParameter(request,"password");
     String passwordConfirm = ParamUtils.getParameter(request,"passwordConfirm");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -133,6 +144,7 @@
 
 <form action="user-password.jsp" name="passform" method="post">
 <input type="hidden" name="username" value="<%=StringUtils.escapeForXML(username) %>">
+    <input type="hidden" name="csrf" value="${csrf}">
 
 <fieldset>
     <legend><fmt:message key="user.password.change" /></legend>

src/web/user-roster-add.jsp

@@ -50,6 +50,18 @@
         response.sendRedirect("user-roster.jsp?username=" + URLEncoder.encode(username, "UTF-8"));
         return;
     }
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a request to create a user:
     if (add) {
@@ -155,6 +167,7 @@
 <%  } %>
 
 <form name="f" action="user-roster-add.jsp" method="get">
+        <input type="hidden" name="csrf" value="${csrf}">
 
 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 

src/web/user-roster-delete.jsp

@@ -42,6 +42,17 @@
     pageContext.setAttribute( "usernameUrlEncoded", usernameUrlEncoded);
     pageContext.setAttribute( "jid", jid);
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle a cancel
     if (cancel) {
         response.sendRedirect("user-roster.jsp?username=" + usernameUrlEncoded);
@@ -79,6 +90,7 @@
     </p>
 
     <form action="user-roster-delete.jsp">
+        <input type="hidden" name="csrf" value="${csrf}">
     <input type="hidden" name="username" value="${usernameUrlEncoded}">
     <input type="hidden" name="jid" value="${jid}">
     <input type="submit" name="delete" value="<fmt:message key="user.roster.delete.delete" />">

src/web/user-roster-edit.jsp

@@ -19,6 +19,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.net.URLEncoder"
     errorPage="error.jsp"
 %><%@ page import="org.xmpp.packet.JID"%>
@@ -54,6 +55,17 @@
 
     // Load the roster item from the user's roster.
     RosterItem item = roster.getRosterItem(new JID(jid));
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a roster item delete:
     if (save) {
@@ -91,6 +103,7 @@
 </p>
 
 <form action="user-roster-edit.jsp">
+        <input type="hidden" name="csrf" value="${csrf}">
 
 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">

src/web/user-roster-view.jsp

@@ -19,6 +19,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.net.URLEncoder"
     errorPage="error.jsp"
 %><%@ page import="org.xmpp.packet.JID"%>
@@ -54,6 +55,17 @@
     // Load the roster item from the user's roster.
     RosterItem item = roster.getRosterItem(new JID(jid));
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle a roster item delete:
     if (save) {
         List<String> groupList = new ArrayList<String>();