Commit ce87ab79 authored by Dave Cridland's avatar Dave Cridland

OF-941 CVE-2015-7707 Add CSRF to user-edit-form

parent 20174b68
......@@ -19,6 +19,7 @@
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.openfire.user.*,
java.net.URLEncoder"
errorPage="error.jsp"
......@@ -42,6 +43,8 @@
String email = ParamUtils.getParameter(request,"email");
boolean isAdmin = ParamUtils.getBooleanParameter(request,"isadmin");
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
// Handle a cancel
if (request.getParameter("cancel") != null) {
......@@ -49,6 +52,13 @@
return;
}
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure");
}
}
// Load the user object
User user = webManager.getUserManager().getUser(username);
......@@ -91,6 +101,9 @@
return;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
%>
<html>
......@@ -113,6 +126,8 @@
<fmt:message key="user.create.invalid_name" />
<% } else if (errors.get("email") != null) { %>
<fmt:message key="user.create.invalid_email" />
<% } else if (errors.get("csrf") != null) { %>
CSRF Failure!
<% } %>
</td>
</tr>
......@@ -142,6 +157,7 @@
<form action="user-edit-form.jsp">
<input type="hidden" name="csrf" value="<%= StringUtils.escapeForXML(csrfParam) %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="hidden" name="save" value="true">
......
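Review bot: The new token check compares the cookie value with `String.equals`, and the hidden `csrf` field is emitted into a form that carries no `method` attribute (`<form action="user-edit-form.jsp">`), so the token and the `save=true` request travel as a GET query string where they show up in browser history, server logs and Referer headers. Change the form line to `<form action="user-edit-form.jsp" method="post">` and compare with `java.security.MessageDigest.isEqual(csrfCookie.getValue().getBytes("UTF-8"), csrfParam.getBytes("UTF-8"))` so the comparison is constant-time. The token source `StringUtils.randomString(15)` is not shown here; if that helper is backed by `java.util.Random` rather than `SecureRandom`, the token is predictable and a `SecureRandom`-based generator should be used instead. The `"CSRF Failure!"` text in the error block is the only non-`fmt:message` string in that chain and should get a message key for consistency with its siblings.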