OF-777 CVE-2015-6973 CSRF protection (part 3)

d17904be · Dave Cridland · d28e19d2 · d17904be · d17904be · d17904be
Commit d17904be authored Mar 23, 2016 by Dave Cridland
34 changed files
--- a/src/web/audit-policy.jsp
+++ b/src/web/audit-policy.jsp
@@ -200,7 +200,7 @@
 <!-- BEGIN 'Set Message Audit Policy' -->
 <form action="audit-policy.jsp" name="f">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="audit.policy.policytitle" />
 	</div>

--- a/src/web/available-plugins.jsp
+++ b/src/web/available-plugins.jsp
@@ -28,6 +28,9 @@
 <%@ page import="java.util.Comparator" %>
 <%@ page import="java.util.List" %>
 <%@ page import="org.jivesoftware.util.JiveGlobals"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="java.util.Date"%>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -39,6 +42,17 @@
 <%
    boolean downloadRequested = request.getParameter("download") != null;
    String url = request.getParameter("url");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+    if (downloadRequested) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            downloadRequested = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
    UpdateManager updateManager = XMPPServer.getInstance().getUpdateManager();
    List<AvailablePlugin> plugins = updateManager.getNotInstalledPlugins();

--- a/src/web/chatroom-history-settings.jsp
+++ b/src/web/chatroom-history-settings.jsp
@@ -128,7 +128,7 @@
 </p>
 <form action="chatroom-history-settings.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <fieldset>
    <legend><fmt:message key="chatroom.history.settings.policy" /></legend>

--- a/src/web/compression-settings.jsp
+++ b/src/web/compression-settings.jsp
@@ -99,7 +99,7 @@
 <!-- BEGIN compression settings -->
 <form action="compression-settings.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBox" style="-moz-border-radius: 3px;">

--- a/src/web/connection-managers-settings.jsp
+++ b/src/web/connection-managers-settings.jsp
@@ -180,7 +180,7 @@
 <%  } %>
 <form action="connection-managers-settings.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <fieldset>
    <div>

--- a/src/web/connection-settings-advanced.jsp
+++ b/src/web/connection-settings-advanced.jsp
@@ -295,7 +295,7 @@
 </p>
 <form action="connection-settings-advanced.jsp?connectionType=${connectionType}&connectionMode=${connectionMode}" onsubmit="selectAllOptions('cipherSuitesEnabled')" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="update" value="true" />
    <fmt:message key="connection.advanced.settings.tcp.boxtitle" var="tcpboxtitle"/>

--- a/src/web/connection-settings-external-components.jsp
+++ b/src/web/connection-settings-external-components.jsp
@@ -286,7 +286,7 @@
 </p>
 <form action="connection-settings-external-components.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <fmt:message key="component.settings.plaintext.boxtitle" var="plaintextboxtitle"/>
    <admin:contentBox title="${plaintextboxtitle}">
@@ -335,7 +335,7 @@
 <fmt:message key="component.settings.allowed" var="allowedTitle" />
 <admin:contentBox title="${allowedTitle}">
    <form action="connection-settings-external-components.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
        <table cellpadding="3" cellspacing="0" border="0" width="100%" >
            <tr valign="top">
                <td colspan="2">
@@ -409,7 +409,7 @@
    <br/>
    <form action="connection-settings-external-components.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
        <table cellpadding="3" cellspacing="1" border="0">
            <tr>
                <td nowrap width="1%">
@@ -473,7 +473,7 @@
    <br/>
    <form action="connection-settings-external-components.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
        <table cellpadding="3" cellspacing="1" border="0">
            <tr>
                <td nowrap width="1%">

--- a/src/web/connection-settings-socket-c2s.jsp
+++ b/src/web/connection-settings-socket-c2s.jsp
@@ -140,7 +140,7 @@
 </p>
 <form action="connection-settings-socket-c2s.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <fmt:message key="ssl.settings.client.plaintext.boxtitle" var="plaintextboxtitle"/>
    <admin:contentBox title="${plaintextboxtitle}">

--- a/src/web/connection-settings-socket-s2s.jsp
+++ b/src/web/connection-settings-socket-s2s.jsp
@@ -279,7 +279,7 @@
 </p>
 <form action="connection-settings-socket-s2s.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <fmt:message key="server2server.settings.boxtitle" var="boxtitle"/>
    <admin:contentBox title="${boxtitle}">
@@ -308,7 +308,7 @@
 <!-- BEGIN 'Idle Connection Settings' -->
 <form action="connection-settings-socket-s2s.jsp?closeSettings" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <fmt:message key="server2server.settings.close_settings" var="idleTitle"/>
    <admin:contentBox title="${idleTitle}">
        <table cellpadding="3" cellspacing="0" border="0">
@@ -348,7 +348,7 @@
 <fmt:message key="server2server.settings.allowed" var="allowedTitle"/>
 <admin:contentBox title="${allowedTitle}">
    <form action="connection-settings-socket-s2s.jsp" method="post">
-        <input type="hidden" name="csrf" value="csrf">
+        <input type="hidden" name="csrf" value="${csrf}">
        <table cellpadding="3" cellspacing="0" border="0">
            <tr valign="top">
                <td width="1%" nowrap>
@@ -377,7 +377,7 @@
    </form>
    <form action="connection-settings-socket-s2s.jsp" method="post">
-        <input type="hidden" name="csrf" value="csrf">
+        <input type="hidden" name="csrf" value="${csrf}">
        <table class="jive-table" cellpadding="0" cellspacing="0" border="0" width="100%">
            <tr>
                <th width="1%">&nbsp;</th>
@@ -469,7 +469,7 @@
    </table>
    <br>
    <form action="connection-settings-socket-s2s.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
        <table cellpadding="3" cellspacing="1" border="0" width="100%">
            <tr>
                <td nowrap width="1%">

--- a/src/web/file-transfer-proxy.jsp
+++ b/src/web/file-transfer-proxy.jsp
@@ -128,7 +128,7 @@ else { %>
 <!-- BEGIN 'Proxy Service' -->
 <form action="file-transfer-proxy.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="filetransferproxy.settings.enabled.legend"/>
 	</div>

--- a/src/web/group-create.jsp
+++ b/src/web/group-create.jsp
@@ -201,7 +201,7 @@
 </p>
 <form name="f" action="group-create.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
   <% if (groupName != null) { %>
    <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>" id="existingName">

--- a/src/web/group-delete.jsp
+++ b/src/web/group-delete.jsp
@@ -92,7 +92,7 @@
 </p>
 <form action="group-delete.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
 <input type="submit" name="delete" value="<fmt:message key="group.delete.delete" />">
 <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">

--- a/src/web/group-edit.jsp
+++ b/src/web/group-edit.jsp
@@ -341,7 +341,7 @@
 	<div class="jive-horizontalRule"></div>
 <form name="ff" action="group-edit.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>"/>
@@ -496,7 +496,7 @@
 		</p>
        <form action="group-edit.jsp" method="post" name="f">
-            <input type="hidden" name="csrf" value="csrf">
+            <input type="hidden" name="csrf" value="${csrf}">
        <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
        <input type="hidden" name="add" value="Add"/>
        <table cellpadding="3" cellspacing="1" border="0" style="margin: 0 0 8px 0;">
@@ -515,7 +515,7 @@
        <% } %>
        <form action="group-edit.jsp" method="post" name="main">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
        <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
        <table class="jive-table" cellpadding="3" cellspacing="0" border="0" width="435">
            <tr>

--- a/src/web/http-bind.jsp
+++ b/src/web/http-bind.jsp
@@ -157,7 +157,7 @@
 } %>
 <form action="http-bind.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <div class="jive-contentBox" style="-moz-border-radius: 3px;">
        <table cellpadding="3" cellspacing="0" border="0">

--- a/src/web/import-keystore-certificate.jsp
+++ b/src/web/import-keystore-certificate.jsp
@@ -121,7 +121,7 @@
 <!-- BEGIN 'Import Private Key and Certificate' -->
 <form action="import-keystore-certificate.jsp?connectionType=${connectionType}" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <c:set var="title"><fmt:message key="ssl.import.certificate.keystore.private-key.title"/></c:set>
    <admin:contentBox title="${title}">

--- a/src/web/manage-updates.jsp
+++ b/src/web/manage-updates.jsp
@@ -143,7 +143,7 @@ else if (updateSucess) { %>
 <!-- BEGIN manage updates settings -->
 <form action="manage-updates.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<!--<div class="jive-contentBoxHeader">
 	</div>-->

--- a/src/web/media-proxy.jsp
+++ b/src/web/media-proxy.jsp
@@ -141,7 +141,7 @@
 <% } %>
 <form action="media-proxy.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <div class="jive-contentBoxHeader">
        <fmt:message key="mediaproxy.form.label"/>
    </div>
@@ -336,7 +336,7 @@
        </tbody>
    </table>
    <form action="">
-        <input type="hidden" name="csrf" value="csrf">
+        <input type="hidden" name="csrf" value="${csrf}">
        <input type="submit" name="stop" value="<fmt:message key="mediaproxy.summary.stopbutton" />"/>
    </form>
 </div>

--- a/src/web/muc-create-permission.jsp
+++ b/src/web/muc-create-permission.jsp
@@ -205,7 +205,7 @@
 <!-- BEGIN 'Permission Policy' -->
 <form action="muc-create-permission.jsp?save" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.policy" />
@@ -245,7 +245,7 @@
 <%  if (mucService.isRoomCreationRestricted()) { %>
 <!-- BEGIN 'Allowed Users' -->
 <form action="muc-create-permission.jsp?add" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.allowed_users" />

--- a/src/web/muc-default-settings.jsp
+++ b/src/web/muc-default-settings.jsp
@@ -194,7 +194,7 @@
 <!-- BEGIN 'Default Room Settings' -->
 <form action="muc-default-settings.jsp?save" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
        <fmt:message key="muc.default.settings.title" />

--- a/src/web/muc-history-settings.jsp
+++ b/src/web/muc-history-settings.jsp
@@ -147,7 +147,7 @@
 <!-- BEGIN 'History Settings' -->
 <form action="muc-history-settings.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.history.settings.legend" />

--- a/src/web/muc-room-affiliations.jsp
+++ b/src/web/muc-room-affiliations.jsp
@@ -227,7 +227,7 @@
 <%  } %>
 <form action="muc-room-affiliations.jsp?add" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
 <fieldset>

--- a/src/web/muc-room-delete.jsp
+++ b/src/web/muc-room-delete.jsp
@@ -104,7 +104,7 @@
 </p>
 <form action="muc-room-delete.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 <fieldset>

--- a/src/web/muc-room-edit-form.jsp
+++ b/src/web/muc-room-edit-form.jsp
@@ -458,7 +458,7 @@
 <% if (!create) { %>
    <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 <% } %>
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="save" value="true">
 <input type="hidden" name="create" value="<%= create %>">
 <input type="hidden" name="roomconfig_persistentroom" value="<%= persistentRoom %>">

--- a/src/web/muc-service-delete.jsp
+++ b/src/web/muc-service-delete.jsp
@@ -89,6 +89,7 @@
 </p>
 <form action="muc-service-delete.jsp">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
 <fieldset>

--- a/src/web/muc-service-edit-form.jsp
+++ b/src/web/muc-service-edit-form.jsp
@@ -165,7 +165,7 @@
 <!-- BEGIN 'Service Name'-->
 <form action="muc-service-edit-form.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <input type="hidden" name="save" value="true">
 <% if (!create) { %>
 <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">

--- a/src/web/muc-sysadmins.jsp
+++ b/src/web/muc-sysadmins.jsp
@@ -176,7 +176,7 @@
 <!-- BEGIN 'Administrators' -->
 <form action="muc-sysadmins.jsp?add" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.admins.legend" />

--- a/src/web/muc-tasks.jsp
+++ b/src/web/muc-tasks.jsp
@@ -200,7 +200,7 @@
 <!-- BEGIN 'Idle User Settings' -->
 <form action="muc-tasks.jsp?kickSettings" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.user_setting" />
@@ -242,7 +242,7 @@
 <!-- BEGIN 'Conversation Logging' -->
 <form action="muc-tasks.jsp?logSettings" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
    <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.conversation.logging" />

--- a/src/web/offline-messages.jsp
+++ b/src/web/offline-messages.jsp
@@ -211,7 +211,7 @@
 <!-- BEGIN 'Offline Message Policy' -->
 <form action="offline-messages.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="offline.messages.policy" />
 	</div>

--- a/src/web/plugin-admin.jsp
+++ b/src/web/plugin-admin.jsp
@@ -645,7 +645,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
    <h3><fmt:message key="plugin.admin.upload_plugin" /></h3>
    <p><fmt:message key="plugin.admin.upload_plugin.info" /></p>
    <form action="plugin-admin.jsp?uploadplugin" enctype="multipart/form-data" method="post">
-        <input type="hidden" name="csrf" value="csrf">
+        <input type="hidden" name="csrf" value="${csrf}">
        <input type="file" name="uploadfile" />
        <input type="submit" value="<fmt:message key="plugin.admin.upload_plugin" />" />
    </form>

--- a/src/web/private-data-settings.jsp
+++ b/src/web/private-data-settings.jsp
@@ -83,7 +83,7 @@
 <!-- BEGIN 'Set Private Data Policy' -->
 <form action="private-data-settings.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="private.data.settings.policy" />
 	</div>

--- a/src/web/reg-settings.jsp
+++ b/src/web/reg-settings.jsp
@@ -151,7 +151,7 @@
 </p>
 <form action="reg-settings.jsp">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
 <% if (save) { %>

--- a/src/web/security-certificate-store-management.jsp
+++ b/src/web/security-certificate-store-management.jsp
@@ -145,7 +145,7 @@
    </c:set>
    <form action="security-certificate-store-management.jsp" method="post">
-        <input type="hidden" name="csrf" value="csrf">
+        <input type="hidden" name="csrf" value="${csrf}">
        <input type="hidden" name="connectionType" value="${connectionType}"/>
        <admin:contentBox title="${title}">

--- a/src/web/security-keystore-signing-request.jsp
+++ b/src/web/security-keystore-signing-request.jsp
@@ -173,7 +173,7 @@
 <!-- BEGIN 'Issuer information form' -->
 <form action="security-keystore-signing-request.jsp" method="post">
-    <input type="hidden" name="csrf" value="csrf">
+    <input type="hidden" name="csrf" value="${csrf}">
    <input type="hidden" name="save" value="true">
    <input type="hidden" name="connectionType" value="${connectionType}">
    <div class="jive-contentBoxHeader">

--- a/src/web/security-keystore.jsp
+++ b/src/web/security-keystore.jsp
@@ -330,7 +330,7 @@
                            <% if (isSigningPending) { %>
                            <form action="security-keystore.jsp?connectionType=${connectionType}" method="post">
-                                <input type="hidden" name="csrf" value="csrf">
+                                <input type="hidden" name="csrf" value="${csrf}">
                                <input type="hidden" name="importReply" value="true">
                                <input type="hidden" name="alias" value="${alias}">
                                <tr>