OF-777 CVE-2015-6973 CSRF protection (part 4)

7c49987e · Dave Cridland · d17904be · 7c49987e · 7c49987e · 7c49987e
Commit 7c49987e authored Mar 30, 2016 by Dave Cridland
19 changed files
--- a/src/web/server-locale.jsp
+++ b/src/web/server-locale.jsp
@@ -20,6 +20,8 @@
 <%@ page import="org.jivesoftware.util.JiveGlobals,
                 org.jivesoftware.util.LocaleUtils,
                 org.jivesoftware.util.Log,
+                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                 org.jivesoftware.util.ParamUtils"
 %>
 <%@ page import="java.util.HashMap"%>
@@ -40,6 +42,18 @@

    // TODO: We're not displaying this error ever.
    Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (save) {
        // Set the timezeone
        try {
@@ -90,6 +104,7 @@

 <!-- BEGIN locale settings -->
 <form action="server-locale.jsp" method="post" name="sform">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="locale.system.set" />
 	</div>

--- a/src/web/server-properties.jsp
+++ b/src/web/server-properties.jsp
@@ -72,6 +72,21 @@
        return;
    }

+    Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (encrypt || save || delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            encrypt = false;
+            save = false;
+            delete = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (delete) {
        if (propName != null) {
            JiveGlobals.deleteProperty(propName);
@@ -82,7 +97,6 @@
        }
    }

-    Map<String, String> errors = new HashMap<String, String>();
    if (save) {
        if (propName == null || "".equals(propName.trim()) || propName.startsWith("\"")) {
            errors.put("propName","");
@@ -254,6 +268,7 @@ function dodelete(propName) {
 </script>

 <form action="server-properties.jsp" method="post" name="propform">
+<input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="edit" value="">
 <input type="hidden" name="encrypt" value="">
 <input type="hidden" name="del" value="">
@@ -346,6 +361,7 @@ function dodelete(propName) {

 <a name="edit"></a>
 <form action="server-properties.jsp" method="post" name="editform">
+<input type="hidden" name="csrf" value="${csrf}">

 <div class="jive-table">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">

--- a/src/web/server-props.jsp
+++ b/src/web/server-props.jsp
@@ -19,6 +19,8 @@

 <%@ page import="org.jivesoftware.util.JiveGlobals,
                 org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                 org.jivesoftware.openfire.ConnectionManager,
                 org.jivesoftware.openfire.XMPPServer,
                 org.jivesoftware.openfire.JMXManager,
@@ -76,6 +78,18 @@
    XMPPServer server = webManager.getXMPPServer();
    ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
    Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (save) {
        if (serverName == null) {
            errors.put("serverName", "");
@@ -206,6 +220,7 @@
 <%  } %>

 <form action="server-props.jsp" name="editform" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">

 <div class="jive-table">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">

--- a/src/web/server-session-row.jspf
+++ b/src/web/server-session-row.jspf
@@ -120,7 +120,7 @@
    </td>

    <td width="1%" nowrap align="center" style="border-right:1px #ccc solid;">
-        <a href="server-session-summary.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>&close=true"
+        <a href="server-session-summary.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>&close=true&csrf=${csrf}"
         title="<fmt:message key="session.row.cliked_kill_session" />"
         onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
         ><img src="images/delete-16x16.gif" width="16" height="16" border="0"></a>

--- a/src/web/server-session-summary.jsp
+++ b/src/web/server-session-summary.jsp
@@ -21,6 +21,8 @@
                 org.jivesoftware.openfire.session.OutgoingServerSession,
                 org.jivesoftware.openfire.session.Session,
                 org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                 java.util.*"
    errorPage="error.jsp"
 %>
@@ -41,6 +43,17 @@
    boolean close = ParamUtils.getBooleanParameter(request,"close");
    String hostname = ParamUtils.getParameter(request,"hostname");

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (close) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            close = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (request.getParameter("range") != null) {
        webManager.setRowsPerPage("server-session-summary", range);
    }

--- a/src/web/session-conflict.jsp
+++ b/src/web/session-conflict.jsp
@@ -49,6 +49,18 @@

    // Update the session kick policy if requested
    Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (update) {
        // Validate params
        if (kickPolicy != 0 && kickPolicy != 1 && kickPolicy != SessionManager.NEVER_KICK) {
@@ -93,6 +105,7 @@

 <!-- BEGIN 'Set Conflict Policy' -->
 <form action="session-conflict.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="session.conflict.policy" />
 	</div>

--- a/src/web/session-details.jsp
+++ b/src/web/session-details.jsp
@@ -26,6 +26,7 @@
                 org.jivesoftware.util.JiveGlobals,
                 org.jivesoftware.util.ParamUtils,
                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                 java.text.NumberFormat,
                 java.util.Collection"
    errorPage="error.jsp"
@@ -41,7 +42,15 @@
 <% // Get parameters
    String jid = ParamUtils.getParameter(request, "jid");

-    // Handle a "go back" click:
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    // ATTN: No check here, because no actions.
+
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+   // Handle a "go back" click:
    if (request.getParameter("back") != null) {
        response.sendRedirect("session-summary.jsp");
        return;
@@ -71,8 +80,10 @@

    // Handle a "message" click:
    if (request.getParameter("message") != null) {
-        response.sendRedirect("user-message.jsp?username=" + URLEncoder.encode(user.getUsername(), "UTF-8"));
-        return;
+        if (csrfCookie != null && csrfParam != null && csrfCookie.getValue().equals(csrfParam)) {
+            response.sendRedirect("user-message.jsp?username=" + URLEncoder.encode(user.getUsername(), "UTF-8"));
+            return;
+        }
    }

    // See if there are multiple sessions for this user:

--- a/src/web/session-row.jspf
+++ b/src/web/session-row.jspf
@@ -178,7 +178,7 @@
    </td>

    <td width="1%" nowrap align="center" style="border-right:1px #ccc solid;">
-        <a href="session-summary.jsp?jid=<%= URLEncoder.encode(sess.getAddress().toString(), "UTF-8") %>&close=true"
+        <a href="session-summary.jsp?jid=<%= URLEncoder.encode(sess.getAddress().toString(), "UTF-8") %>&close=true&csrf=${csrf}"
         title="<fmt:message key="session.row.cliked_kill_session" />"
         onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
         ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

--- a/src/web/session-summary.jsp
+++ b/src/web/session-summary.jsp
@@ -22,6 +22,8 @@
                 org.jivesoftware.openfire.session.ClientSession,
                 org.jivesoftware.util.JiveGlobals,
                 org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                 java.util.Collection"
    errorPage="error.jsp"
 %>
@@ -68,6 +70,17 @@
    // Get the session count
    int sessionCount = sessionManager.getUserSessionsCount(false);

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (close) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            close = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    // Close a connection if requested
    if (close) {
        JID address = new JID(jid);

--- a/src/web/system-cache.jsp
+++ b/src/web/system-cache.jsp
 <%@ page import="org.jivesoftware.util.cache.Cache"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="java.text.DecimalFormat"%>
 <%--
  -	$RCSfile$
@@ -108,6 +109,17 @@
    // Get the list of existing caches
    Cache[] caches = webManager.getCaches();

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (doClearCache) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            doClearCache = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    // Clear one or multiple caches if requested.
    if (doClearCache) {
        for (int cacheID : cacheIDs) {
@@ -152,6 +164,7 @@
 %>

 <form action="system-cache.jsp" method="post" name="cacheForm">
+        <input type="hidden" name="csrf" value="${csrf}">

 <div class="jive-table">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">

--- a/src/web/system-clustering.jsp
+++ b/src/web/system-clustering.jsp
@@ -31,6 +31,8 @@
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.util.Log" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.util.cache.CacheFactory" %>
 <%@ page import="java.text.DecimalFormat" %>
 <%@ page import="java.util.Arrays" %>
@@ -60,6 +62,17 @@
    boolean clusteringEnabled = ParamUtils.getBooleanParameter(request, "clusteringEnabled");
    boolean updateSucess = false;

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (update) {
        if (!clusteringEnabled) {
            ClusterManager.setClusteringEnabled(false);
@@ -187,6 +200,7 @@

 <!-- BEGIN 'Clustering Enabled' -->
 <form action="system-clustering.jsp" method="post">
+        <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="system.clustering.enabled.legend" />
 	</div>

--- a/src/web/system-email.jsp
+++ b/src/web/system-email.jsp
@@ -36,6 +36,17 @@
    boolean test = request.getParameter("test") != null;
    boolean debug = ParamUtils.getBooleanParameter(request, "debug");

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    // Handle a test request
    if (test) {
        response.sendRedirect("system-emailtest.jsp");

--- a/src/web/system-emailtest.jsp
+++ b/src/web/system-emailtest.jsp
@@ -53,6 +53,18 @@

    // Validate input
    Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (doTest) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            doTest = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (doTest) {
        if (from == null) {
            errors.put("from", "");
@@ -215,6 +227,7 @@ function checkClick(el) {
 <%  } %>

 <form action="system-emailtest.jsp" method="post" name="f" onsubmit="return checkClick(this);">
+        <input type="hidden" name="csrf" value="${csrf}">

 <table cellpadding="3" cellspacing="0" border="0">
 <tbody>

--- a/src/web/user-groups.jsp
+++ b/src/web/user-groups.jsp
@@ -31,6 +31,7 @@
 <%@ page import="org.jivesoftware.util.Log"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="org.xmpp.packet.JID"%>
 <%@ page import="org.xmpp.packet.Presence"%>
 <%@ page import="java.io.UnsupportedEncodingException"%>
@@ -53,7 +54,21 @@
 	boolean success = ParamUtils.getBooleanParameter(request,"updatesuccess");
 	String username = StringUtils.escapeHTMLTags(ParamUtils.getParameter(request, "username"));
 	JID jid = webManager.getXMPPServer().createJID(username, null);
-	
+
+	    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+        String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+        if (add != null || delete != null) {
+            if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+                add = null;
+                delete = null;
+            }
+        }
+        csrfParam = StringUtils.randomString(15);
+        CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+        pageContext.setAttribute("csrf", csrfParam);
+
+
    if(add != null) {
    	try {
    		Group group = webManager.getGroupManager().getGroup(add);
@@ -191,7 +206,7 @@
 %></td>

 					<td width="5%"><a
-						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&delete=<%=groupName%>"
+						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&delete=<%=groupName%>&csrf=${csrf}"
 						title="<fmt:message key="global.click_delete" />"><img
 							src="images/delete-16x16.gif" width="16" height="16" border="0"
 							alt="<fmt:message key="global.click_delete" />"></a></td>
@@ -319,7 +334,7 @@
 %></td>

 					<td width="5%"><a
-						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&add=<%=groupName%>"
+						href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), "UTF-8")%>&add=<%=groupName%>&csrf=${csrf}"
 						title="<fmt:message key="global.click_add" />"> <img
 							src="images/add-16x16.gif" width="16" height="16" border="0"
 							alt="<fmt:message key="global.click_add" />"></a></td>

--- a/src/web/user-message.jsp
+++ b/src/web/user-message.jsp
@@ -20,6 +20,7 @@

 <%@ page import="org.jivesoftware.util.ParamUtils,
                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                 org.jivesoftware.openfire.SessionManager,
                 org.jivesoftware.openfire.session.ClientSession,
                 org.jivesoftware.openfire.user.User,
@@ -71,6 +72,18 @@

    // Handle the request to send a message:
    Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (send) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            send = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    if (send) {
        // Validate the message and jid
        if (jid == null && !sendToAll && user != null) {
@@ -169,6 +182,7 @@ function updateSelect(el) {
 </script>

 <form action="user-message.jsp" method="post" name="f">
+        <input type="hidden" name="csrf" value="${csrf}">
 <% if(username != null){ %>
 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <% } %>

--- a/src/web/user-roster-add.jsp
+++ b/src/web/user-roster-add.jsp
@@ -50,6 +50,18 @@
        response.sendRedirect("user-roster.jsp?username=" + URLEncoder.encode(username, "UTF-8"));
        return;
    }
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);

    // Handle a request to create a user:
    if (add) {
@@ -155,6 +167,7 @@
 <%  } %>

 <form name="f" action="user-roster-add.jsp" method="get">
+        <input type="hidden" name="csrf" value="${csrf}">

 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">


--- a/src/web/user-roster-delete.jsp
+++ b/src/web/user-roster-delete.jsp
@@ -42,6 +42,17 @@
    pageContext.setAttribute( "usernameUrlEncoded", usernameUrlEncoded);
    pageContext.setAttribute( "jid", jid);

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    // Handle a cancel
    if (cancel) {
        response.sendRedirect("user-roster.jsp?username=" + usernameUrlEncoded);
@@ -79,6 +90,7 @@
    </p>

    <form action="user-roster-delete.jsp">
+        <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="username" value="${usernameUrlEncoded}">
    <input type="hidden" name="jid" value="${jid}">
    <input type="submit" name="delete" value="<fmt:message key="user.roster.delete.delete" />">

--- a/src/web/user-roster-edit.jsp
+++ b/src/web/user-roster-edit.jsp
@@ -19,6 +19,7 @@

 <%@ page import="org.jivesoftware.util.ParamUtils,
                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                 java.net.URLEncoder"
    errorPage="error.jsp"
 %><%@ page import="org.xmpp.packet.JID"%>
@@ -54,6 +55,17 @@

    // Load the roster item from the user's roster.
    RosterItem item = roster.getRosterItem(new JID(jid));
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);

    // Handle a roster item delete:
    if (save) {
@@ -91,6 +103,7 @@
 </p>

 <form action="user-roster-edit.jsp">
+        <input type="hidden" name="csrf" value="${csrf}">

 <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">

--- a/src/web/user-roster-view.jsp
+++ b/src/web/user-roster-view.jsp
@@ -19,6 +19,7 @@

 <%@ page import="org.jivesoftware.util.ParamUtils,
                 org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                 java.net.URLEncoder"
    errorPage="error.jsp"
 %><%@ page import="org.xmpp.packet.JID"%>
@@ -54,6 +55,17 @@
    // Load the roster item from the user's roster.
    RosterItem item = roster.getRosterItem(new JID(jid));

+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    // Handle a roster item delete:
    if (save) {
        List<String> groupList = new ArrayList<String>();