Commit d28e19d2 authored by Dave Cridland's avatar Dave Cridland

OF-777 CVE-2015-6973 CSRF protection (part 2)

parent 3a6976f0
......@@ -17,6 +17,7 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.audit.AuditManager,
org.jivesoftware.openfire.user.UserNotFoundException,
......@@ -60,6 +61,18 @@
AuditManager auditManager = XMPPServer.getInstance().getAuditManager();
Map<String,String> errors = new HashMap<String,String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
auditManager.setEnabled(auditEnabled);
auditManager.setAuditMessage(auditMessages);
......@@ -187,6 +200,7 @@
<!-- BEGIN 'Set Message Audit Policy' -->
<form action="audit-policy.jsp" name="f">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBoxHeader">
<fmt:message key="audit.policy.policytitle" />
</div>
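Review bot: The hidden field added in the +200 hunk, `<input type="hidden" name="csrf" value="csrf">`, submits the literal string "csrf" rather than the token the page just stored, so the double-submit check in the +61 hunk can never match the freshly issued cookie and every update will end in "CSRF Failure!"; it should read `<input type="hidden" name="csrf" value="${csrf}">`, as the `<c:param name="csrf" value="${csrf}"/>` lines in the external-components and s2s sections already do. The same literal value appears in every hidden csrf input this commit adds: chatroom-history-settings, compression-settings, connection-managers-settings, connection-settings-advanced, connection-settings-external-components, connection-settings-socket-c2s, connection-settings-socket-s2s, file-transfer-proxy, group-create, group-delete, group-edit, http-bind, import-keystore-certificate, manage-updates, media-proxy and muc-create-permission. This form (`<form action="audit-policy.jsp" name="f">`) also has no method attribute, so it submits via GET and the token travels in the query string, where it is visible in Referer headers, browser history and access logs; `method="post"` avoids that.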
......
......@@ -57,6 +57,18 @@
HistoryStrategy historyStrat = muc.getHistoryStrategy();
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
if (policy != ALL && policy != NONE && policy != NUMBER) {
errors.put("general", "Please choose a valid chat history policy.");
......@@ -116,6 +128,7 @@
</p>
<form action="chatroom-history-settings.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<fieldset>
<legend><fmt:message key="chatroom.history.settings.policy" /></legend>
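Review bot: The token is regenerated and the cookie overwritten on every render (`csrfParam = StringUtils.randomString(15);` after the check in the +57 hunk), so an admin with two admin pages open, or one who uses the back button, submits a stale token and gets "CSRF Failure!"; a per-session token issued once and reused gives the same protection without that breakage, and this applies to every page in the commit. Whether `StringUtils.randomString` draws from `SecureRandom` cannot be seen here; if it is backed by `java.util.Random` the token is predictable and should be generated with `SecureRandom` instead. The comparison `csrfCookie.getValue().equals(csrfParam)` is not constant-time; for a short-lived token the timing leak is marginal, but `MessageDigest.isEqual(csrfCookie.getValue().getBytes(StandardCharsets.UTF_8), csrfParam.getBytes(StandardCharsets.UTF_8))` costs nothing.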
......
......@@ -24,6 +24,8 @@
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
......@@ -43,6 +45,17 @@
boolean serverEnabled = ParamUtils.getBooleanParameter(request, "serverEnabled");
final ConnectionManagerImpl connectionManager = (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
// Update c2s compression policy
......@@ -86,6 +99,7 @@
<!-- BEGIN compression settings -->
<form action="compression-settings.jsp">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBox" style="-moz-border-radius: 3px;">
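Review bot: On a token mismatch the +45 hunk only clears `update` and records nothing, so the admin sees the page as if nothing happened and the rejected attempt leaves no trace; the audit-policy and connection-managers sections record `errors.put("csrf", "CSRF Failure!");`, and this page should do the same (no errors map is visible in the hunk, so one may need to be introduced) and ideally log it, e.g. `webManager.logEvent("rejected compression settings update: CSRF token mismatch", null);` if this page initialises the `webManager` bean the http-bind section uses. The same silent drop occurs in the group-delete, media-proxy and muc-create-permission sections. The form `<form action="compression-settings.jsp">` in the +99 hunk has no method attribute, so it submits via GET with the token in the query string; `method="post"` is preferable.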
......
......@@ -27,6 +27,7 @@
org.jivesoftware.openfire.multiplex.ConnectionMultiplexerManager,
org.jivesoftware.openfire.session.ConnectionMultiplexerSession,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.util.StringUtils"
errorPage="error.jsp"
%>
......@@ -58,6 +59,18 @@
// Update the session kick policy if requested
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
// Validate params
if (managerEnabled) {
......@@ -167,6 +180,7 @@
<% } %>
<form action="connection-managers-settings.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<fieldset>
<div>
......
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.openfire.Connection" %>
<%@ page import="org.jivesoftware.openfire.spi.*" %>
<%@ page import="java.util.*" %>
......@@ -12,9 +14,21 @@
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
<% webManager.init(request, response, session, application, out ); %>
<%
final boolean update = request.getParameter( "update" ) != null;
boolean update = request.getParameter( "update" ) != null;
final Map<String, String> errors = new HashMap<>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
pageContext.setAttribute( "errors", errors );
ConnectionType connectionType = null;
......@@ -281,6 +295,7 @@
</p>
<form action="connection-settings-advanced.jsp?connectionType=${connectionType}&connectionMode=${connectionMode}" onsubmit="selectAllOptions('cipherSuitesEnabled')" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="update" value="true" />
<fmt:message key="connection.advanced.settings.tcp.boxtitle" var="tcpboxtitle"/>
......
......@@ -8,6 +8,8 @@
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
<%@ page import="org.jivesoftware.util.ModificationNotAllowedException" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.xmpp.packet.JID" %>
<%@ page import="gnu.inet.encoding.StringprepException" %>
<%@ page import="java.util.HashMap" %>
......@@ -28,8 +30,29 @@
final ConnectionConfiguration legacymodeConfiguration = manager.getListener( connectionType, true ).generateConnectionConfiguration();
final Map<String, String> errors = new HashMap<>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
boolean update = request.getParameter( "update" ) != null;
boolean permissionUpdate = request.getParameter( "permissionUpdate" ) != null;
String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
boolean componentAllowed = request.getParameter( "componentAllowed" ) != null;
boolean componentBlocked = request.getParameter( "componentBlocked" ) != null;
if (update || permissionUpdate || configToDelete != null || componentAllowed || componentBlocked) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
permissionUpdate = false;
configToDelete = null;
componentAllowed = false;
componentBlocked = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
final boolean update = request.getParameter( "update" ) != null;
if ( update && errors.isEmpty() )
{
......@@ -57,7 +80,6 @@
}
// Process Permission update configuration change.
final boolean permissionUpdate = request.getParameter( "permissionUpdate" ) != null;
if ( permissionUpdate && errors.isEmpty() )
{
......@@ -87,7 +109,6 @@
}
// Process removal of a blacklist or whitelist item.
final String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
if ( configToDelete != null && !configToDelete.trim().isEmpty() && errors.isEmpty() )
{
......@@ -107,7 +128,6 @@
}
// Process addition to whitelist.
final boolean componentAllowed = request.getParameter( "componentAllowed" ) != null;
String subdomain = ParamUtils.getParameter( request, "subdomain" ); // shared with blacklist.
if ( subdomain != null )
{
......@@ -155,7 +175,6 @@
}
// Process addition to blacklist.
final boolean componentBlocked = request.getParameter( "componentBlocked" ) != null;
if ( componentBlocked && errors.isEmpty() )
{
......@@ -267,6 +286,7 @@
</p>
<form action="connection-settings-external-components.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<fmt:message key="component.settings.plaintext.boxtitle" var="plaintextboxtitle"/>
<admin:contentBox title="${plaintextboxtitle}">
......@@ -315,6 +335,7 @@
<fmt:message key="component.settings.allowed" var="allowedTitle" />
<admin:contentBox title="${allowedTitle}">
<form action="connection-settings-external-components.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<table cellpadding="3" cellspacing="0" border="0" width="100%" >
<tr valign="top">
<td colspan="2">
......@@ -372,7 +393,10 @@
<td><c:out value="${component.subdomain}"/></td>
<td><c:out value="${component.secret}"/></td>
<td align="center" style="border-right:1px #ccc solid;">
<c:url var="deleteurl" value="connection-settings-external-components.jsp"><c:param name="deleteConf" value="${component.subdomain}"/></c:url>
<c:url var="deleteurl" value="connection-settings-external-components.jsp">
<c:param name="deleteConf" value="${component.subdomain}"/>
<c:param name="csrf" value="${csrf}"/>
</c:url>
<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
title="<fmt:message key="global.click_delete" />"><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
......@@ -385,6 +409,7 @@
<br/>
<form action="connection-settings-external-components.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<table cellpadding="3" cellspacing="1" border="0">
<tr>
<td nowrap width="1%">
......@@ -432,7 +457,10 @@
<td>${ status.index + 1}</td>
<td><c:out value="${component.subdomain}"/></td>
<td align="center" style="border-right:1px #ccc solid;">
<c:url var="deleteurl" value="connection-settings-external-components.jsp"><c:param name="deleteConf" value="${component.subdomain}"/></c:url>
<c:url var="deleteurl" value="connection-settings-external-components.jsp">
<c:param name="deleteConf" value="${component.subdomain}"/>
<c:param name="csrf" value="${csrf}"/>
</c:url>
<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
title="<fmt:message key="global.click_delete" />"><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
......@@ -445,6 +473,7 @@
<br/>
<form action="connection-settings-external-components.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<table cellpadding="3" cellspacing="1" border="0">
<tr>
<td nowrap width="1%">
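Review bot: The two delete links rebuilt with `<c:url>` in the +393 and +457 hunks now carry the token as a query parameter of a GET request that performs the deletion, so the token ends up in Referer headers, browser history and access logs, and the destructive action is still triggered by a plain navigation; replacing each link with a minimal POST form holding hidden `deleteConf` and `csrf` inputs (the `onclick` confirm can move to its submit button) keeps the check while taking the token out of the URL. The exposure is bounded because the token is replaced on the next response, but a leaked URL remains replayable until then.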
......
......@@ -4,6 +4,8 @@
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.util.JiveGlobals" %>
<%@ page import="org.jivesoftware.openfire.session.ConnectionSettings" %>
<%@ page import="java.util.HashMap" %>
......@@ -22,8 +24,20 @@
final ConnectionConfiguration plaintextConfiguration = manager.getListener( connectionType, false ).generateConnectionConfiguration();
final ConnectionConfiguration legacymodeConfiguration = manager.getListener( connectionType, true ).generateConnectionConfiguration();
final boolean update = request.getParameter( "update" ) != null;
boolean update = request.getParameter( "update" ) != null;
final Map<String, String> errors = new HashMap<>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if ( update && errors.isEmpty() )
{
......@@ -126,6 +140,7 @@
</p>
<form action="connection-settings-socket-c2s.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<fmt:message key="ssl.settings.client.plaintext.boxtitle" var="plaintextboxtitle"/>
<admin:contentBox title="${plaintextboxtitle}">
......
......@@ -4,6 +4,7 @@
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.jivesoftware.openfire.server.RemoteServerManager" %>
......@@ -22,13 +23,29 @@
final ConnectionConfiguration plaintextConfiguration = manager.getListener( connectionType, false ).generateConnectionConfiguration();
final boolean update = request.getParameter( "update" ) != null;
final boolean closeSettings = request.getParameter( "closeSettings" ) != null;
final boolean serverAllowed = request.getParameter( "serverAllowed" ) != null;
final boolean serverBlocked = request.getParameter( "serverBlocked" ) != null;
final String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
boolean update = request.getParameter( "update" ) != null;
boolean closeSettings = request.getParameter( "closeSettings" ) != null;
boolean serverAllowed = request.getParameter( "serverAllowed" ) != null;
boolean serverBlocked = request.getParameter( "serverBlocked" ) != null;
String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
final Map<String, String> errors = new HashMap<>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update || closeSettings || serverAllowed || serverBlocked || configToDelete != null) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
closeSettings = false;
serverAllowed = false;
serverBlocked = false;
configToDelete = null;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if ( update && errors.isEmpty() )
{
......@@ -262,6 +279,7 @@
</p>
<form action="connection-settings-socket-s2s.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<fmt:message key="server2server.settings.boxtitle" var="boxtitle"/>
<admin:contentBox title="${boxtitle}">
......@@ -290,6 +308,7 @@
<!-- BEGIN 'Idle Connection Settings' -->
<form action="connection-settings-socket-s2s.jsp?closeSettings" method="post">
<input type="hidden" name="csrf" value="csrf">
<fmt:message key="server2server.settings.close_settings" var="idleTitle"/>
<admin:contentBox title="${idleTitle}">
<table cellpadding="3" cellspacing="0" border="0">
......@@ -329,6 +348,7 @@
<fmt:message key="server2server.settings.allowed" var="allowedTitle"/>
<admin:contentBox title="${allowedTitle}">
<form action="connection-settings-socket-s2s.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="top">
<td width="1%" nowrap>
......@@ -357,6 +377,7 @@
</form>
<form action="connection-settings-socket-s2s.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<table class="jive-table" cellpadding="0" cellspacing="0" border="0" width="100%">
<tr>
<th width="1%">&nbsp;</th>
......@@ -377,7 +398,11 @@
<td><c:out value="${server.domain}"/></td>
<td><c:out value="${server.remotePort}"/></td>
<td align="center" style="border-right:1px #ccc solid;">
<a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('connection-settings-socket-s2s.jsp?deleteConf=${server.domain}'); } "
<c:url var="deleteurl" value="connection-settings-socket-s2s.jsp">
<c:param name="deleteConf" value="${server.domain}"/>
<c:param name="csrf" value="${csrf}"/>
</c:url>
<a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
title="<fmt:message key="global.click_delete" />"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
......@@ -429,7 +454,11 @@
<td>${ status.index + 1}</td>
<td><c:out value="${server.domain}"/></td>
<td align="center" style="border-right:1px #ccc solid;">
<a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('connection-settings-socket-s2s.jsp?deleteConf=${server.domain}'); } "
<c:url var="deleteurl" value="connection-settings-socket-s2s.jsp">
<c:param name="deleteConf" value="${server.domain}"/>
<c:param name="csrf" value="${csrf}"/>
</c:url>
<a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
title="<fmt:message key="global.click_delete" />"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
......@@ -440,6 +469,7 @@
</table>
<br>
<form action="connection-settings-socket-s2s.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<table cellpadding="3" cellspacing="1" border="0" width="100%">
<tr>
<td nowrap width="1%">
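Review bot: The import hunk at +4 adds only `org.jivesoftware.util.CookieUtils`, but the +23 hunk calls `StringUtils.randomString(15)`; unless `org.jivesoftware.util.StringUtils` is already imported elsewhere in this file (the c2s counterpart adds both imports), the page will not compile. If it is missing, add `<%@ page import="org.jivesoftware.util.StringUtils" %>` next to the CookieUtils import. The delete links in the +398 and +454 hunks have the same token-in-GET-URL exposure noted on the external-components section.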
......
......@@ -17,6 +17,8 @@
- limitations under the License.
--%>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.openfire.filetransfer.proxy.FileTransferProxy" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map" %>
......@@ -35,6 +37,18 @@
boolean isUpdated = request.getParameter("update") != null;
boolean isProxyEnabled = ParamUtils.getBooleanParameter(request, "proxyEnabled");
int port = ParamUtils.getIntParameter(request, "port", 0);
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (isUpdated) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
isUpdated = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (isUpdated) {
if (isProxyEnabled) {
......@@ -114,6 +128,7 @@ else { %>
<!-- BEGIN 'Proxy Service' -->
<form action="file-transfer-proxy.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBoxHeader">
<fmt:message key="filetransferproxy.settings.enabled.legend"/>
</div>
......
......@@ -25,6 +25,7 @@
errorPage="error.jsp"
%>
<%@ page import="org.jivesoftware.util.ParamUtils"%>
<%@ page import="org.jivesoftware.util.CookieUtils"%>
<%@ page import="java.net.URLEncoder"%>
<%@ page import="java.util.HashMap"%>
<%@ page import="java.util.Map" %>
......@@ -45,6 +46,19 @@
String description = ParamUtils.getParameter(request, "description", true);
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (create || edit) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
create = false;
edit = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Handle a cancel
if (cancel) {
......@@ -187,6 +201,7 @@
</p>
<form name="f" action="group-create.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<% if (groupName != null) { %>
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>" id="existingName">
......
......@@ -35,6 +35,17 @@
boolean cancel = request.getParameter("cancel") != null;
boolean delete = request.getParameter("delete") != null;
String groupName = ParamUtils.getParameter(request,"group");
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (delete) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
delete = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Handle a cancel
if (cancel) {
......@@ -81,6 +92,7 @@
</p>
<form action="group-delete.jsp">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
<input type="submit" name="delete" value="<fmt:message key="group.delete.delete" />">
<input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
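Review bot: `<form action="group-delete.jsp">` in the +92 hunk has no method attribute, so the group deletion submits as a GET with the token in the query string, where it is visible in Referer headers, history and logs; add `method="post"`. On a mismatch the +35 hunk just sets `delete = false` and records nothing, so the admin lands back on the confirmation page with no explanation and nothing is logged; recording an error as the group-create section does with `errors.put("csrf", "CSRF Failure!");` (whether this page has an errors map is not visible here) or at least logging the rejected attempt would make the failure visible and detectable.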
......
......@@ -30,6 +30,7 @@
<%@ page import="org.jivesoftware.util.Log"%>
<%@ page import="org.jivesoftware.util.ParamUtils"%>
<%@ page import="org.jivesoftware.util.StringUtils"%>
<%@ page import="org.jivesoftware.util.CookieUtils"%>
<%@ page import="org.xmpp.packet.JID"%>
<%@ page import="org.xmpp.packet.Presence"%>
<%@ page import="java.io.UnsupportedEncodingException"%>
......@@ -71,6 +72,21 @@
Group group = groupManager.getGroup(groupName);
boolean success;
StringBuffer errorBuf = new StringBuffer();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (add || delete || updateMember || update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
add = false;
delete = false;
update = false;
updateMember = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (cancel) {
response.sendRedirect("group-summary.jsp");
......@@ -325,6 +341,8 @@
<div class="jive-horizontalRule"></div>
<form name="ff" action="group-edit.jsp">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>"/>
......@@ -478,6 +496,7 @@
</p>
<form action="group-edit.jsp" method="post" name="f">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
<input type="hidden" name="add" value="Add"/>
<table cellpadding="3" cellspacing="1" border="0" style="margin: 0 0 8px 0;">
......@@ -496,6 +515,7 @@
<% } %>
<form action="group-edit.jsp" method="post" name="main">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
<table class="jive-table" cellpadding="3" cellspacing="0" border="0" width="435">
<tr>
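Review bot: `<form name="ff" action="group-edit.jsp">` in the +341 hunk has no method attribute and therefore submits via GET, putting the token in the URL; the other two forms in this section already use `method="post"`, so this one should too. The guard in the +72 hunk covers `add || delete || updateMember || update`; if the page honours any other state-changing parameter (the hunk does not show the full list), that path bypasses the check, so the list is worth confirming against the request parsing above the hunk. The `errors` map written to on mismatch is not declared in the hunk (only `errorBuf` is), so confirm it is in scope.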
......
......@@ -22,7 +22,7 @@
<%@ page import="java.util.Map" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="org.jivesoftware.util.Log" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.openfire.http.FlashCrossDomainServlet" %>
<%@ page import="org.jivesoftware.openfire.http.HttpBindManager" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
......@@ -83,12 +83,21 @@
<%
Map<String, String> errorMap = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (request.getParameter("update") != null) {
errorMap = handleUpdate(request);
// Log the event
webManager.logEvent("updated HTTP bind settings", null);
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
errorMap.put("csrf", "CSRF Failure!");
} else {
errorMap = handleUpdate(request);
// Log the event
webManager.logEvent("updated HTTP bind settings", null);
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
boolean isHttpBindEnabled = serverManager.isHttpBindEnabled();
int port = serverManager.getHttpBindUnsecurePort();
int securePort = serverManager.getHttpBindSecurePort();
......@@ -148,6 +157,7 @@
} %>
<form action="http-bind.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBox" style="-moz-border-radius: 3px;">
<table cellpadding="3" cellspacing="0" border="0">
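Review bot: The +22 hunk replaces the `org.jivesoftware.util.StringUtils` import with `org.jivesoftware.util.CookieUtils` (one line out, one in), yet the +83 hunk still calls `StringUtils.randomString(15)`; unless StringUtils is imported elsewhere in the file, this JSP will no longer compile. Keep both: `<%@ page import="org.jivesoftware.util.StringUtils" %>` and `<%@ page import="org.jivesoftware.util.CookieUtils" %>`. `ParamUtils` is also used at the top of the +83 hunk and its import is not visible here; it is presumably already present, but worth confirming.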
......
......@@ -3,6 +3,8 @@
<%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map" %>
......@@ -14,7 +16,7 @@
<% webManager.init(request, response, session, application, out ); %>
<% // Get parameters:
final boolean save = ParamUtils.getParameter(request, "save") != null;
boolean save = ParamUtils.getParameter(request, "save") != null;
final String privateKey = ParamUtils.getParameter(request, "privateKey");
final String passPhrase = ParamUtils.getParameter(request, "passPhrase");
final String certificate = ParamUtils.getParameter(request, "certificate");
......@@ -30,6 +32,18 @@
errors.put( "connectionType", ex.getMessage() );
connectionType = null;
}
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (save) {
if (privateKey == null || privateKey.trim().isEmpty() ) {
......@@ -107,6 +121,7 @@
<!-- BEGIN 'Import Private Key and Certificate' -->
<form action="import-keystore-certificate.jsp?connectionType=${connectionType}" method="post">
<input type="hidden" name="csrf" value="csrf">
<c:set var="title"><fmt:message key="ssl.import.certificate.keystore.private-key.title"/></c:set>
<admin:contentBox title="${title}">
......
......@@ -2,6 +2,8 @@
<%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
<%@ page import="org.jivesoftware.util.ParamUtils"%>
<%@ page import="org.jivesoftware.util.CookieUtils"%>
<%@ page import="org.jivesoftware.util.StringUtils"%>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
......@@ -14,12 +16,24 @@
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"/>
<% webManager.init(request, response, session, application, out ); %>
<% final boolean save = ParamUtils.getParameter(request, "save") != null;
<% boolean save = ParamUtils.getParameter(request, "save") != null;
final String alias = ParamUtils.getParameter(request, "alias");
final String certificate = ParamUtils.getParameter(request, "certificate");
final String storePurposeText = ParamUtils.getParameter(request, "connectionType");
final Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
ConnectionType connectionType;
try
......
......@@ -24,6 +24,7 @@
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.update.UpdateManager,
java.util.HashMap,
......@@ -54,6 +55,18 @@
// Update the session kick policy if requested
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
// Validate params
......@@ -130,6 +143,7 @@ else if (updateSucess) { %>
<!-- BEGIN manage updates settings -->
<form action="manage-updates.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<!--<div class="jive-contentBoxHeader">
</div>-->
......
......@@ -20,6 +20,7 @@
<%@ page import="org.jivesoftware.util.JiveGlobals" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
<%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
......@@ -37,10 +38,6 @@
MediaProxyService mediaProxyService = XMPPServer.getInstance().getMediaProxyService();
boolean stop = request.getParameter("stop") != null;
if (stop) {
mediaProxyService.stopAgents();
}
boolean save = request.getParameter("update") != null;
boolean success = false;
......@@ -50,6 +47,22 @@
int maxPort = mediaProxyService.getMaxPort();
int echoPort = mediaProxyService.getEchoPort();
boolean enabled = mediaProxyService.isEnabled();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save || stop) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
stop = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (stop) {
mediaProxyService.stopAgents();
}
if (save) {
keepAliveDelay = ParamUtils.getLongParameter(request, "idleTimeout", keepAliveDelay);
......@@ -128,6 +141,7 @@
<% } %>
<form action="media-proxy.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBoxHeader">
<fmt:message key="mediaproxy.form.label"/>
</div>
......@@ -322,6 +336,7 @@
</tbody>
</table>
<form action="">
<input type="hidden" name="csrf" value="csrf">
<input type="submit" name="stop" value="<fmt:message key="mediaproxy.summary.stopbutton" />"/>
</form>
</div>
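Review bot: The stop form `<form action="">` in the +336 hunk has no method, so the stop request is a GET whose token lands in the URL (Referer headers, history, logs); `method="post"` keeps the token in the body. On a mismatch the +47 hunk clears `save` and `stop` silently, with no error entry or log line, which leaves the admin with no feedback and a defender with nothing to detect; recording the failure as the other pages do is cheap. Moving `stopAgents()` below the check is the right ordering.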
......
......@@ -52,6 +52,19 @@
return;
}
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save || add || delete) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
add = false;
delete = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Get muc server
MultiUserChatService mucService = webManager.getMultiUserChatManager().getMultiUserChatService(mucname);
......@@ -192,6 +205,7 @@
<!-- BEGIN 'Permission Policy' -->
<form action="muc-create-permission.jsp?save" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.create.permission.policy" />
......@@ -231,6 +245,7 @@
<% if (mucService.isRoomCreationRestricted()) { %>
<!-- BEGIN 'Allowed Users' -->
<form action="muc-create-permission.jsp?add" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.create.permission.allowed_users" />
......@@ -288,7 +303,7 @@
<%= jidDisplay %></a>
</td>
<td width="1%" align="center">
<a href="muc-create-permission.jsp?userJID=<%= jid.toString() %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
<a href="muc-create-permission.jsp?userJID=<%= jid.toString() %>&delete=true&csrf=${csrf}&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
title="<fmt:message key="muc.create.permission.click_title" />"
onclick="return confirm('<fmt:message key="muc.create.permission.confirm_remove" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
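Review bot: The hidden fields added to both forms in this section, `<input type="hidden" name="csrf" value="csrf">`, submit the literal string "csrf" rather than the token, so the comparison against the random cookie value at the top of the section can never succeed and both the policy save and the add-user POST will be dropped. The fix is `<input type="hidden" name="csrf" value="${csrf}">`, matching the `csrf=${csrf}` already used on the delete link below. Separately, when the check fails here nothing is written to `errors`, unlike the sibling pages that record `errors.put("csrf", "CSRF Failure!")`, so an admin sees the page reload with no change and no explanation; add the same `errors.put` inside the failing branch so the rejection is visible.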
......
......@@ -56,6 +56,18 @@
// Handle a save
Map<String,String> errors = new HashMap<String,String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (save) {
try {
int max = Integer.parseInt(maxUsers);
......@@ -182,6 +194,7 @@
<!-- BEGIN 'Default Room Settings' -->
<form action="muc-default-settings.jsp?save" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.default.settings.title" />
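Review bot: The hidden field `<input type="hidden" name="csrf" value="csrf">` in the default-settings form carries the literal string "csrf", not the generated token, so `csrfCookie.getValue().equals(csrfParam)` is always false and every save is rejected with "CSRF Failure!". It should read `<input type="hidden" name="csrf" value="${csrf}">`, using the page attribute set just above via `pageContext.setAttribute("csrf", csrfParam)`. Also worth noting for the whole series: the token is replaced on every request, so a form opened in a second tab invalidates the one in the first; if that is unacceptable, generate a new token only when the cookie is absent.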
......
......@@ -58,6 +58,18 @@
HistoryStrategy historyStrat = mucService.getHistoryStrategy();
Map<String,String> errors = new HashMap<String,String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
if (policy != ALL && policy != NONE && policy != NUMBER) {
errors.put("general", "Please choose a valid chat history policy.");
......@@ -135,6 +147,7 @@
<!-- BEGIN 'History Settings' -->
<form action="muc-history-settings.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="groupchat.history.settings.legend" />
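Review bot: The history-settings form submits `value="csrf"` literally instead of the token, so the equality check against the random cookie value never passes and the update is always refused; change the hidden input to `<input type="hidden" name="csrf" value="${csrf}">`. Two hardening points on the check itself, which is repeated verbatim across the commit: use `java.security.MessageDigest.isEqual(csrfCookie.getValue().getBytes(), csrfParam.getBytes())` rather than `String.equals` so the comparison does not short-circuit on the first differing byte, and confirm that `StringUtils.randomString(15)` is backed by `SecureRandom` rather than `java.util.Random`, since a predictable token defeats the double-submit scheme. I cannot see the `randomString` implementation from this diff, so that last point is a check rather than a finding.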
......
......@@ -26,6 +26,7 @@
org.jivesoftware.openfire.group.GroupJID,
org.jivesoftware.openfire.group.GroupManager,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.util.StringUtils,
org.xmpp.packet.IQ"
errorPage="error.jsp"
......@@ -66,6 +67,18 @@
}
Map<String,String> errors = new HashMap<String,String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (add) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
add = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Handle an add
if (add) {
// do validation
......@@ -214,6 +227,7 @@
<% } %>
<form action="muc-room-affiliations.jsp?add" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
<fieldset>
......@@ -282,7 +296,7 @@
<%= StringUtils.escapeHTMLTags(userDisplay) %></a>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner&csrf=${csrf}"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -321,7 +335,7 @@
<%= StringUtils.escapeHTMLTags(userDisplay) %></a>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin&csrf=${csrf}"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -362,7 +376,7 @@
<%= StringUtils.escapeHTMLTags(userDisplay) %></a><%= StringUtils.escapeHTMLTags(nickname) %>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member&csrf=${csrf}"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -401,7 +415,7 @@
<%= StringUtils.escapeHTMLTags(userDisplay) %></a>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast&csrf=${csrf}"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
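Review bot: The add-affiliation form's hidden field `<input type="hidden" name="csrf" value="csrf">` sends the literal string "csrf", so the `add` branch will always fail the token comparison and record "CSRF Failure!"; it needs `value="${csrf}"` like the four delete links that correctly append `&csrf=${csrf}`. Note also that the visible check only guards `add` — the delete links now carry the token, but no code in this section verifies it for `delete`. If the delete handling lives elsewhere in the file, that branch needs the same cookie/parameter comparison, otherwise the token on those links is decorative.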
......
......@@ -33,6 +33,17 @@
<% // Get parameters //
boolean cancel = request.getParameter("cancel") != null;
boolean delete = request.getParameter("delete") != null;
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (delete) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
delete = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
JID roomJID = new JID(ParamUtils.getParameter(request,"roomJID"));
String alternateJIDString = ParamUtils.getParameter(request,"alternateJID");
......@@ -93,6 +104,7 @@
</p>
<form action="muc-room-delete.jsp">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
<fieldset>
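Review bot: The hidden input on the delete form carries the literal string "csrf" (`value="csrf"`) rather than the token, so `delete` is always forced back to false and no room can be deleted through this page; it should be `value="${csrf}"`. The form also has no `method="post"`, so the token (and the room JID) travel in the query string, where they land in access logs and any outbound Referer header; add `method="post"` to `<form action="muc-room-delete.jsp">`. Finally, the failing branch here only clears `delete` without touching `errors`, so the admin gets no feedback when the check trips — mirror the `errors.put("csrf", "CSRF Failure!")` used elsewhere in the commit.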
......
......@@ -19,6 +19,7 @@
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.CookieUtils,
java.text.DateFormat,
java.util.*,
org.jivesoftware.openfire.muc.MUCRoom,
......@@ -105,6 +106,18 @@
// Handle an save
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (save) {
// do validation
......@@ -445,6 +458,7 @@
<% if (!create) { %>
<input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
<% } %>
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="save" value="true">
<input type="hidden" name="create" value="<%= create %>">
<input type="hidden" name="roomconfig_persistentroom" value="<%= persistentRoom %>">
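Review bot: The hidden field `<input type="hidden" name="csrf" value="csrf">` emits the literal string "csrf", not the page-scoped token, so every room create/edit submission will fail the comparison and be rejected with "CSRF Failure!"; change it to `value="${csrf}"`. The enclosing `<form>` element starts outside this hunk, so I cannot confirm it posts; if it submits via GET the token is also exposed in the query string. The save branch that consumes these parameters continues past the end of the hunk as well.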
......
......@@ -21,6 +21,7 @@
org.jivesoftware.openfire.muc.MUCRoom,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.CookieUtils,
java.net.URLEncoder,
java.text.DateFormat"
errorPage="error.jsp"
......@@ -39,6 +40,17 @@
String nickName = ParamUtils.getParameter(request,"nickName");
String kick = ParamUtils.getParameter(request,"kick");
String roomName = roomJID.getNode();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (kick != null) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
kick = null;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Load the room object
MUCRoom room = webManager.getMultiUserChatManager().getMultiUserChatService(roomJID).getChatRoom(roomName);
......@@ -162,7 +174,7 @@
<td><%= StringUtils.escapeHTMLTags(role.getNickname().toString()) %></td>
<td><%= StringUtils.escapeHTMLTags(role.getRole().toString()) %></td>
<td><%= StringUtils.escapeHTMLTags(role.getAffiliation().toString()) %></td>
<td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
<td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1&csrf=${csrf}" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
</tr>
<% } %>
</tbody>
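Review bot: When the token check fails, the code sets `kick = null` and nothing else, so a kick that is rejected is indistinguishable from a page refresh; unlike the sibling pages there is no `errors.put("csrf", "CSRF Failure!")`, and it is not clear from this section whether an `errors` map exists here to surface it. The kick link does correctly use `&csrf=${csrf}`, so the mechanism itself should work for this page. Since the kick is a state change performed on a GET link, the token in the URL will appear in server logs; that is tolerable for a single-use token but worth a comment, e.g. `// kick is a tokenized GET; token is single-use and rotates on every page load`.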
......
......@@ -34,6 +34,17 @@
boolean delete = request.getParameter("delete") != null;
String mucname = ParamUtils.getParameter(request,"mucname");
String reason = ParamUtils.getParameter(request,"reason");
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (delete) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
delete = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Handle a cancel
if (cancel) {
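Review bot: This section adds the token check for `delete` but no form or link in the visible hunk is updated to send the token, and I cannot see the rest of the file from here; if the delete form later in this page still lacks a hidden input, every service deletion will now be silently refused. Please verify the form carries `<input type="hidden" name="csrf" value="${csrf}">` (with the EL expression, not the literal string "csrf" used in several sibling pages of this commit). The failing branch also only clears `delete` without recording an error, so consider adding `errors.put("csrf", "CSRF Failure!")` if an `errors` map is available, so the admin learns why nothing happened.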
......
......@@ -19,6 +19,7 @@
<%@ page import="org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.util.AlreadyExistsException,
java.util.*"
errorPage="error.jsp"
......@@ -46,6 +47,17 @@
boolean success = request.getParameter("success") != null;
String mucname = ParamUtils.getParameter(request,"mucname");
String mucdesc = ParamUtils.getParameter(request,"mucdesc");
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Load the service object
if (!create && !webManager.getMultiUserChatManager().isServiceRegistered(mucname)) {
......@@ -153,6 +165,7 @@
<!-- BEGIN 'Service Name'-->
<form action="muc-service-edit-form.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="save" value="true">
<% if (!create) { %>
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
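Review bot: The hidden input `<input type="hidden" name="csrf" value="csrf">` in the service edit form sends the literal string "csrf", so the comparison with the random cookie value fails on every submit and `save` is always cleared; it should be `value="${csrf}"`. Because the failing branch here does not record anything in an errors map, the rejection is invisible to the admin — the page simply re-renders. Adding `errors.put("csrf", "CSRF Failure!")` (or the page's equivalent) in that branch would make the behaviour consistent with the other pages in this commit.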
......
......@@ -52,6 +52,19 @@
// Handle a save
Map<String,String> errors = new HashMap<String,String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (add || delete) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
add = false;
delete = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
List<JID> allowedJIDs = new ArrayList<JID>();
try {
if (userJID != null && userJID.trim().length() > 0) {
......@@ -163,6 +176,7 @@
<!-- BEGIN 'Administrators' -->
<form action="muc-sysadmins.jsp?add" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="groupchat.admins.legend" />
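Review bot: The administrators form's hidden field uses `value="csrf"` — the literal word — instead of `value="${csrf}"`, so the `add` path can never pass the cookie/parameter comparison and will always report "CSRF Failure!". The check also gates `delete`, but nothing in this section shows a delete link updated to append `&csrf=${csrf}`; if those links exist further down the file and were not changed, removing an administrator will be refused as well. Both should be fixed together so the page is usable once the check is in place.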
......
......@@ -51,6 +51,19 @@
MultiUserChatService mucService = webManager.getMultiUserChatManager().getMultiUserChatService(mucname);
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (kickSettings || logSettings) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
kickSettings = false;
logSettings = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Handle an update of the kicking task settings
if (kickSettings) {
if (!kickEnabled) {
......@@ -187,6 +200,7 @@
<!-- BEGIN 'Idle User Settings' -->
<form action="muc-tasks.jsp?kickSettings" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.tasks.user_setting" />
......@@ -228,6 +242,7 @@
<!-- BEGIN 'Conversation Logging' -->
<form action="muc-tasks.jsp?logSettings" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.tasks.conversation.logging" />
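Review bot: Both forms in this section (`kickSettings` and `logSettings`) carry `<input type="hidden" name="csrf" value="csrf">`, which submits the literal string "csrf", so neither update can ever satisfy `csrfCookie.getValue().equals(csrfParam)` and both will be refused with "CSRF Failure!". Replace the value with the EL expression, `<input type="hidden" name="csrf" value="${csrf}">`, which resolves to the token stored via `pageContext.setAttribute("csrf", csrfParam)`. The rest of the token check looks correct for this page.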
......
......@@ -62,6 +62,18 @@
// Update the session kick policy if requested
Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (update) {
// Validate params
if (strategy != BOUNCE && strategy != DROP && strategy != STORE) {
......@@ -199,6 +211,7 @@
<!-- BEGIN 'Offline Message Policy' -->
<form action="offline-messages.jsp">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBoxHeader">
<fmt:message key="offline.messages.policy" />
</div>
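Review bot: The offline-message policy form sends the literal string "csrf" in its hidden field (`value="csrf"`), so the update is always rejected by the equality check above; it needs `value="${csrf}"`. The form also has no `method` attribute and therefore submits via GET, which puts the token in the URL and in the Referer of any subsequent navigation — add `method="post"` to `<form action="offline-messages.jsp">` so the token stays in the request body.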
......
......@@ -15,6 +15,8 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.container.Plugin,
org.jivesoftware.openfire.container.PluginManager,
......@@ -50,12 +52,22 @@
boolean uploadPlugin = request.getParameter("uploadplugin") != null;
String url = request.getParameter("url");
Boolean uploadEnabled = JiveGlobals.getBooleanProperty("plugins.upload.enabled", true);
boolean csrf_check = true;
final PluginManager pluginManager = webManager.getXMPPServer().getPluginManager();
List<Plugin> plugins = new ArrayList<Plugin>(pluginManager.getPlugins());
UpdateManager updateManager = XMPPServer.getInstance().getUpdateManager();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
csrf_check = false;
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (plugins != null) {
Collections.sort(plugins, new Comparator<Plugin>() {
......@@ -65,14 +77,14 @@
});
}
if (downloadRequested) {
if (csrf_check && downloadRequested) {
// Download and install new version of plugin
updateManager.downloadPlugin(url);
// Log the event
webManager.logEvent("downloaded plugin from "+url, null);
}
if (deletePlugin != null) {
if (csrf_check && deletePlugin != null) {
File pluginDir = pluginManager.getPluginDirectory(pluginManager.getPlugin(deletePlugin));
File pluginJar = new File(pluginDir.getParent(), pluginDir.getName() + ".jar");
// Also try the .war extension.
......@@ -87,7 +99,7 @@
return;
}
if (reloadPlugin != null) {
if (csrf_check && reloadPlugin != null) {
for (Plugin plugin : plugins) {
File pluginDir = pluginManager.getPluginDirectory(plugin);
if (reloadPlugin.equals(pluginDir.getName())) {
......@@ -100,7 +112,7 @@
}
}
if (uploadEnabled && uploadPlugin) {
if (csrf_check && uploadEnabled && uploadPlugin) {
Boolean installed = false;
// Create a factory for disk-based file items
......@@ -557,7 +569,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
><img src="images/refresh-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="global.refresh" />"></a>
</td>
<td width="1%" align="center" valign="top" class="<%= update != null ? "update-right" : "line-bottom-border"%>">
<a href="#" onclick="if (confirm('<fmt:message key="plugin.admin.confirm" />')) { location.replace('plugin-admin.jsp?deleteplugin=<%= dirName %>'); } "
<a href="#" onclick="if (confirm('<fmt:message key="plugin.admin.confirm" />')) { location.replace('plugin-admin.jsp?csrf=${csrf}&deleteplugin=<%= dirName %>'); } "
title="<fmt:message key="global.click_delete" />"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="global.delete" />"></a>
</td>
......@@ -570,7 +582,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
String updateURL = update.getURL();
if (updateURL.endsWith(".jar") || updateURL.endsWith(".zip") || updateURL.endsWith(".war")) {
// Change it so that the server downloads and installs the new version of the plugin
updateURL = "plugin-admin.jsp?download=true&url=" + updateURL;
updateURL = "plugin-admin.jsp?csrf=" + csrfParam + "download=true&url=" + updateURL;
}
%>
<tr id="<%= update.hashCode() %>-row">
......@@ -633,6 +645,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
<h3><fmt:message key="plugin.admin.upload_plugin" /></h3>
<p><fmt:message key="plugin.admin.upload_plugin.info" /></p>
<form action="plugin-admin.jsp?uploadplugin" enctype="multipart/form-data" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="file" name="uploadfile" />
<input type="submit" value="<fmt:message key="plugin.admin.upload_plugin" />" />
</form>
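Review bot: The upload form's hidden field `<input type="hidden" name="csrf" value="csrf">` sends the literal string "csrf" rather than the token, so `csrf_check` will be false for every upload; it should be `value="${csrf}"`. A second problem is specific to this form: it is `multipart/form-data` and the body is parsed with a disk-based file item factory, so `ParamUtils.getParameter(request, "csrf")` will most likely not see a field embedded in the multipart body at all — put the token in the action URL instead, `<form action="plugin-admin.jsp?uploadplugin&csrf=${csrf}" ...>`, or read it from the parsed items. Finally, the rewritten update link is missing a separator: `"plugin-admin.jsp?csrf=" + csrfParam + "download=true&url=" + updateURL` produces a `csrf` value of `<token>download=true` and no `download` parameter, so it should be `"plugin-admin.jsp?csrf=" + csrfParam + "&download=true&url=" + updateURL`.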
......
......@@ -39,6 +39,17 @@
<% // Get parameters:
boolean update = request.getParameter("update") != null;
boolean privateEnabled = ParamUtils.getBooleanParameter(request,"privateEnabled");
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
// Get an audit manager:
PrivateStorage privateStorage = webManager.getPrivateStore();
......@@ -72,6 +83,7 @@
<!-- BEGIN 'Set Private Data Policy' -->
<form action="private-data-settings.jsp">
<input type="hidden" name="csrf" value="csrf">
<div class="jive-contentBoxHeader">
<fmt:message key="private.data.settings.policy" />
</div>
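Review bot: The private-data policy form submits `value="csrf"` — the literal string — in its hidden field, so the comparison against the random cookie value fails every time and `update` is silently cleared; use `<input type="hidden" name="csrf" value="${csrf}">`. The form has no `method="post"`, so once fixed the token will be sent as a query parameter and logged/leaked via Referer; adding `method="post"` avoids that. Since the failing branch records no error, consider surfacing the rejection so the admin is not left with a page that appears to ignore the submit.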
......
......@@ -20,6 +20,8 @@
<%@ page import="org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.handler.IQRegisterHandler,
org.jivesoftware.openfire.session.LocalClientSession,
org.jivesoftware.util.CookieUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils"
errorPage="error.jsp"
%>
......@@ -51,6 +53,17 @@
String blockedIPs = request.getParameter("blockedIPs");
// Get an IQRegisterHandler:
IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if (save) {
regHandler.setInbandRegEnabled(inbandEnabled);
......@@ -138,6 +151,7 @@
</p>
<form action="reg-settings.jsp">
<input type="hidden" name="csrf" value="csrf">
<% if (save) { %>
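Review bot: The registration-settings form's hidden input carries the literal string "csrf" (`value="csrf"`) instead of the token, so `save` is always forced to false and none of the in-band registration or blocked-IP settings can be changed; change it to `value="${csrf}"`. The form also submits via GET (no `method` attribute), which exposes the token in the URL; add `method="post"` to `<form action="reg-settings.jsp">`. The failing branch gives no feedback — there is no `errors.put` here — so the admin cannot tell a rejected submit from a no-op.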
......
......@@ -7,6 +7,9 @@
<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreConfiguration" %>
<%@ page import="java.io.File" %>
<%@ page import="org.jivesoftware.util.Log" %>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ taglib uri="admin" prefix="admin" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
......@@ -23,7 +26,19 @@
pageContext.setAttribute( "connectionTypes", ConnectionType.values() );
pageContext.setAttribute( "certificateStoreManager", certificateStoreManager );
final boolean update = request.getParameter("update") != null;
boolean update = request.getParameter("update") != null;
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
if ( update ) {
ConnectionType connectionType = null;
try {
......@@ -130,6 +145,7 @@
</c:set>
<form action="security-certificate-store-management.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="connectionType" value="${connectionType}"/>
<admin:contentBox title="${title}">
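Review bot: The hidden field `<input type="hidden" name="csrf" value="csrf">` sends the literal string "csrf", not the token, so the store-management update will always be rejected with "CSRF Failure!"; it should be `value="${csrf}"`. The check writes to `errors`, but that map is not declared in the visible hunk — assuming it is declared earlier in the page this is fine, otherwise the scriptlet will not compile. The `update` branch itself continues beyond the end of the hunk.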
......
......@@ -11,6 +11,7 @@
<%@page import="org.bouncycastle.asn1.x509.Extension"%>
<%@page import="org.bouncycastle.asn1.x500.X500NameBuilder"%>
<%@page import="org.jivesoftware.util.CertificateManager"%>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="java.util.HashMap" %>
......@@ -27,7 +28,7 @@
String domain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
// Get parameters:
final boolean save = ParamUtils.getParameter(request, "save") != null;
boolean save = ParamUtils.getParameter(request, "save") != null;
final String name = domain;
final String organizationalUnit = ParamUtils.getParameter(request, "ou");
final String organization = ParamUtils.getParameter(request, "o");
......@@ -37,6 +38,18 @@
final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
final Map<String, String> errors = new HashMap<String, String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (save) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
save = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
ConnectionType connectionType = null;
IdentityStore identityStore = null;
......@@ -160,6 +173,7 @@
<!-- BEGIN 'Issuer information form' -->
<form action="security-keystore-signing-request.jsp" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="save" value="true">
<input type="hidden" name="connectionType" value="${connectionType}">
<div class="jive-contentBoxHeader">
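Review bot: The signing-request form's hidden field uses the literal string "csrf" (`value="csrf"`) rather than the token, so `save` is cleared on every submit and a CSR can never be generated from this page; replace it with `<input type="hidden" name="csrf" value="${csrf}">`. The rest of the check is consistent with the other pages — cookie and parameter compared, error recorded, token rotated — so this one-character-class fix is all that is needed here.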
......
......@@ -2,6 +2,8 @@
<%@page import="java.util.LinkedHashMap"%>
<%@page import="java.security.PrivateKey"%>
<%@page import="org.jivesoftware.util.CertificateManager"%>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page errorPage="error.jsp" %>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
......@@ -25,13 +27,27 @@
<% webManager.init(request, response, session, application, out); %>
<% // Get parameters:
final boolean generate = ParamUtils.getBooleanParameter(request, "generate");
final boolean delete = ParamUtils.getBooleanParameter(request, "delete");
final boolean importReply = ParamUtils.getBooleanParameter(request, "importReply");
boolean generate = ParamUtils.getBooleanParameter(request, "generate");
boolean delete = ParamUtils.getBooleanParameter(request, "delete");
boolean importReply = ParamUtils.getBooleanParameter(request, "importReply");
final String alias = ParamUtils.getParameter( request, "alias" );
final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
final Map<String, String> errors = new HashMap<>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (generate | delete | importReply) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
generate = false;
delete = false;
importReply = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
ConnectionType connectionType = null;
IdentityStore identityStore = null;
......@@ -174,7 +190,7 @@
<c:if test="${not validDSACert or not validRSACert}">
<admin:infobox type="warning">
<fmt:message key="ssl.certificates.keystore.no_installed">
<fmt:param value="<a href='security-keystore.jsp?generate=true&connectionType=${connectionType}'>"/>
<fmt:param value="<a href='security-keystore.jsp?csrf=${csrf}&generate=true&connectionType=${connectionType}'>"/>
<fmt:param value="</a>"/>
<fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
<fmt:param value="</a>"/>
......@@ -305,7 +321,7 @@
<c:out value="${certificate.publicKey.algorithm}"/>
</td>
<td width="1" align="center">
<a href="security-keystore.jsp?alias=${alias}&connectionType=${connectionType}&delete=true"
<a href="security-keystore.jsp?csrf=${csrf}&alias=${alias}&connectionType=${connectionType}&delete=true"
title="<fmt:message key="global.click_delete"/>"
onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -314,6 +330,7 @@
<% if (isSigningPending) { %>
<form action="security-keystore.jsp?connectionType=${connectionType}" method="post">
<input type="hidden" name="csrf" value="csrf">
<input type="hidden" name="importReply" value="true">
<input type="hidden" name="alias" value="${alias}">
<tr>
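Review bot: The import-reply form's hidden input carries the literal string "csrf" (`value="csrf"`) rather than the token, so importing a CA reply will always be rejected with "CSRF Failure!"; it needs `value="${csrf}"`, which is what the generate and delete links in this same section correctly use via `csrf=${csrf}`. A small style point: `if (generate | delete | importReply)` uses the non-short-circuit bitwise operator on booleans; it works, but `if (generate || delete || importReply)` is the idiom readers expect. Note that generating a key pair is triggered by a plain GET link in the warning box; with the single-use token that is acceptable, but it is worth a comment that the token rotates on every page load.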
......
<%@ page errorPage="error.jsp"%>
<%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
<%@ page import="org.jivesoftware.util.ParamUtils"%>
<%@ page import="org.jivesoftware.util.CookieUtils" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="java.util.Collections" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map" %>
......@@ -17,12 +19,24 @@
<jsp:useBean id="now" class="java.util.Date"/>
<% webManager.init(request, response, session, application, out );
final boolean delete = ParamUtils.getBooleanParameter( request, "delete" );
boolean delete = ParamUtils.getBooleanParameter( request, "delete" );
final String alias = ParamUtils.getParameter( request, "alias" );
final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
final Map<String, String> errors = new HashMap<>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
if (delete) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
delete = false;
errors.put("csrf", "CSRF Failure!");
}
}
csrfParam = StringUtils.randomString(15);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
pageContext.setAttribute("csrf", csrfParam);
ConnectionType connectionType = null;
TrustStore trustStore = null;
......@@ -207,7 +221,7 @@
<c:out value="${certificate.publicKey.algorithm}"/>
</td>
<td width="1" align="center">
<a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true"
<a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true&csrf=csrf"
title="<fmt:message key="global.click_delete"/>"
onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
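Review bot: The delete link appends `&csrf=csrf` — the literal string, not an EL expression — so the `delete` branch's comparison against the random cookie value always fails and every truststore removal is refused with "CSRF Failure!". It should be `&csrf=${csrf}`, matching the corresponding link in the keystore page. The check itself is otherwise correct and records the error, so this is the only thing standing between the page and a working delete.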
......