Commit ce87ab79 authored by Dave Cridland

OF-941 CVE-2015-7707 Add CSRF to user-edit-form

parent 20174b68
...@@ -19,6 +19,7 @@ ...@@ -19,6 +19,7 @@
<%@ page import="org.jivesoftware.util.ParamUtils, <%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils, org.jivesoftware.util.StringUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.openfire.user.*, org.jivesoftware.openfire.user.*,
java.net.URLEncoder" java.net.URLEncoder"
errorPage="error.jsp" errorPage="error.jsp"
...@@ -42,6 +43,8 @@ ...@@ -42,6 +43,8 @@
String email = ParamUtils.getParameter(request,"email"); String email = ParamUtils.getParameter(request,"email");
boolean isAdmin = ParamUtils.getBooleanParameter(request,"isadmin"); boolean isAdmin = ParamUtils.getBooleanParameter(request,"isadmin");
Map<String, String> errors = new HashMap<String, String>(); Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
// Handle a cancel // Handle a cancel
if (request.getParameter("cancel") != null) { if (request.getParameter("cancel") != null) {
...@@ -49,6 +52,13 @@ ...@@ -49,6 +52,13 @@
return; return;
} }
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure");
}
}
// Load the user object // Load the user object
User user = webManager.getUserManager().getUser(username); User user = webManager.getUserManager().getUser(username);
...@@ -91,6 +101,9 @@ ...@@ -91,6 +101,9 @@
return; return;
} }
} }
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
%> %>
<html> <html>
...@@ -113,6 +126,8 @@ ...@@ -113,6 +126,8 @@
<fmt:message key="user.create.invalid_name" /> <fmt:message key="user.create.invalid_name" />
<% } else if (errors.get("email") != null) { %> <% } else if (errors.get("email") != null) { %>
<fmt:message key="user.create.invalid_email" /> <fmt:message key="user.create.invalid_email" />
<% } else if (errors.get("csrf") != null) { %>
CSRF Failure!
<% } %> <% } %>
</td> </td>
</tr> </tr>
...@@ -142,6 +157,7 @@ ...@@ -142,6 +157,7 @@
<form action="user-edit-form.jsp"> <form action="user-edit-form.jsp">
<input type="hidden" name="csrf" value="<%= StringUtils.escapeForXML(csrfParam) %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>"> <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="hidden" name="save" value="true"> <input type="hidden" name="save" value="true">
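Review bot: The form at `<form action="user-edit-form.jsp">` carries no `method` attribute, so the new hidden `csrf` field and the `save=true` action are submitted as GET query parameters, which puts the token in the URL where it can be exposed through Referer headers, browser history and access logs; `<form action="user-edit-form.jsp" method="post">` would keep it in the body, assuming the rest of the page reads parameters the same way for POST (ParamUtils.getParameter should, but the surrounding JSP is outside the hunks). The check in the third hunk compares cookie and parameter with `String.equals`, which is not constant-time; `MessageDigest.isEqual(csrfCookie.getValue().getBytes(StandardCharsets.UTF_8), csrfParam.getBytes(StandardCharsets.UTF_8))` would close that timing side channel, although for a short session-scoped token this is minor hardening. Whether `StringUtils.randomString(15)` draws from a cryptographically strong generator cannot be seen from this page and should be confirmed, since the double-submit scheme rests entirely on the token being unguessable. Lastly, `CSRF Failure!` in the error block is a hard-coded literal while the sibling messages go through `<fmt:message>`; a key such as `user.edit.csrf_failure` (constructed name) would keep it consistent and localizable.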