- 23 Mar, 2016 6 commits
-
-
Dave Cridland authored
Extending the previous commit, this adds CSRF to a number of high-value target pages, including user password changing, deletion, lockout, etc., and also for the login page (to avoid a class of attack we probably don't care about). The CSRF mechanism requires manual addition to each form, but has been design reviewed by Simon Waters (Surevine Ltd).
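The synchronizer-token pattern the commit describes, as an added illustration and not Openfire's JSP code: a per-session token, a hidden field that has to be pasted into each protected form, and a constant-time check before the state-changing action runs. The login-page case is covered by binding the token to the pre-authentication session. The dict-based session and form, the field name `csrf` and the `handle_delete_user` handler are assumptions made for the example.

```python
"""Synchronizer-token CSRF protection for state-changing admin forms.
Illustration only (not Openfire's implementation). The session and the
submitted form are plain dicts constructed for the example."""
import hmac
import secrets
from html import escape

TOKEN_KEY = "csrf"          # assumed session key and form field name


def issue_token(session):
    """Return the session's CSRF token, creating one on first use.
    The login page needs protection too, so the token is bound to the
    (pre-authentication) session rather than to a logged-in user."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def hidden_field(session):
    """Markup to add to every form that needs protection (the 'manual
    addition to each form'); the token is HTML-escaped on output."""
    return '<input type="hidden" name="%s" value="%s">' % (
        TOKEN_KEY, escape(issue_token(session), quote=True))


def check_token(session, form):
    """True only when the submitted token equals the session's token.
    Missing token on either side is a failure, and the comparison is
    constant-time so a near-miss cannot be detected by timing."""
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_delete_user(session, form):
    """Example state-changing handler: refuse unless the CSRF check passes."""
    if not check_token(session, form):
        return (403, "CSRF token missing or invalid")
    return (200, "deleted user %s" % form.get("username", ""))


if __name__ == "__main__":
    session = {}
    print(hidden_field(session))
    # A forged cross-site POST cannot know the session's token:
    print(handle_delete_user(session, {"username": "admin"}))
    # The genuine form echoes the token back:
    print(handle_delete_user(session, {"username": "admin",
                                       TOKEN_KEY: session[TOKEN_KEY]}))
```

Rotating the token on login (issuing a fresh one once the user is authenticated) is a cheap addition that also defuses session-fixation style reuse of a pre-login token; it is left out here to keep the example to what the commit describes.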
-
Dave Cridland authored
-
Dave Cridland authored
Reflected XSS in import-keystore-certificate.jsp via the passphrase. Reported by Florian Nivette of Sysdream.
-
Dave Cridland authored
-
Dave Cridland authored
The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in the summary view at muc-service-summary.jsp. This was reported by Florian Nivette of Sysdream. Fixed by escaping on output within muc-service-summary.jsp. In addition, domain validation was added on input.
-
Dave Cridland authored
The subdomain parameter in external-components-settings.jsp was reflected in both cases in the deletion URI as an unencoded parameter. Originally discovered by Simon Waters, then this case found by Florian Nivette of Sysdream. Fix is twofold:
* The parameter is now encoded on output; the deletion URI is now set using the JSP tags instead of string construction.
* The subdomain parameter is validated on input, making it difficult to inject script elements etc.
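The three reflected-XSS fixes in this batch (passphrase in import-keystore-certificate.jsp, mucdesc in muc-service-summary.jsp, subdomain in external-components-settings.jsp) all reduce to the same two measures: escape on output and validate on input, with URLs built by an encoder rather than by string concatenation. The following is an added example in Python, not Openfire's JSP; the page and parameter names mirror the commits, while the hostname-label rule for the subdomain and the `handle_settings_form` handler are assumptions made for the example.

```python
"""Reflected XSS hardening: output escaping, encoded URL construction and
input validation. Illustration only, not Openfire's JSP code."""
import re
from html import escape
from urllib.parse import urlencode

# RFC 1123 host-name label: letters, digits, hyphens, no leading/trailing
# hyphen, at most 63 characters. Assumed to be the shape a subdomain takes.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_subdomain(value):
    """Input validation. Not the XSS fix by itself, but it makes '<', '"'
    and friends impossible in this parameter in the first place."""
    return 0 < len(value) <= 253 and all(_LABEL.match(l) for l in value.split("."))


def deletion_link_vulnerable(subdomain):
    """The pattern the commit removed: the URI assembled by string
    construction, so the value lands in the attribute and the page raw."""
    return ('<a href="external-components-settings.jsp?deleteSubdomain='
            + subdomain + '">delete</a>')


def deletion_link_hardened(subdomain):
    """URL-encode the query value, then HTML-escape the attribute value."""
    query = urlencode({"deleteSubdomain": subdomain})
    href = escape("external-components-settings.jsp?" + query, quote=True)
    return '<a href="%s">delete</a>' % href


def summary_row(description):
    """Free text such as a MUC service description is escaped on output."""
    return "<td>%s</td>" % escape(description, quote=True)


def handle_settings_form(params):
    """Form handler: reject invalid input, and still never trust accepted
    input on output (defence in depth if the validator is later loosened)."""
    sub = params.get("subdomain", "")
    if not valid_subdomain(sub):
        return (400, "invalid subdomain")
    return (200, deletion_link_hardened(sub))


# Constructed payload of the kind a tester would submit.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(deletion_link_vulnerable(PAYLOAD))   # script tag reaches the page
    print(deletion_link_hardened(PAYLOAD))     # inert, percent-encoded value
    print(summary_row("<b>Public</b> rooms"))
    print(handle_settings_form({"subdomain": PAYLOAD}))
    print(handle_settings_form({"subdomain": "conference"}))
```

In JSP the same two steps are what JSTL's `<c:url>`/`<c:param>` and `fn:escapeXml()` provide; the commit only says "the JSP tags", so which ones Openfire used is not stated here.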
-
- 21 Mar, 2016 1 commit
-
-
daryl herzmann authored
OF-929 prevent ghosts by removing ioSession check
-
- 18 Mar, 2016 1 commit
-
-
akrherz authored
Since the release of Openfire 3.9.3, users have reported problems with "ghost" sessions left on the server. After reviewing the changes that went into the 3.9.3 release, it seemed the fix for OF-464 may have had some side effect causing this. Since Igniterealtime's Openfire was reproducing OF-829, I did a test whereby the functional changes of Igniterealtime/Openfire#ad08cae9 were reverted. After 36 hours, there were no ghosts! This will likely necessitate reopening OF-464.
-
- 17 Mar, 2016 1 commit
-
-
Christian Schudt authored
OF-1089: Send IQ result only after messages
-
- 11 Mar, 2016 2 commits
-
-
Guus der Kinderen authored
OF-1107 Option to not show email, added readme and changelog
-
wroot authored
-
- 10 Mar, 2016 2 commits
-
-
Dave Cridland authored
Prevent occasional failure of CheckChainTrustedTest
-
Guus der Kinderen authored
There's one unit test that occasionally fails. This occurs as a result of an unintended collision. As part of the test, many certificates are generated and stored in keystores. The alias used for the entry was based on the hashcode of the public key of the certificate. The value range of those hashcodes is fairly small (it has only a couple of digits), which leads to occasional collisions, causing the test to fail. This commit replaces the hashcode-based alias with the Base64-encoded public key information. This ensures that aliases for distinct keys are also distinct, while ensuring that the aliases for equal keys are equal.
-
- 07 Mar, 2016 13 commits
-
-
Guus der Kinderen authored
-
Guus der Kinderen authored
OF-1097: jabber:iq:auth / XEP-0078 disabled by default
-
Guus der Kinderen authored
AuthProvider has quite some complexity that exists solely for XEP-0078. This commit removes most of that, by replacing the generic checks for digest and plain support with a non-generic implementation that will work for any auth provider that supports password retrieval.
-
Guus der Kinderen authored
Non-SASL authentication was obsoleted a long time ago. Openfire should not enable it by default. This commit moves the related implementation from the core Openfire code into a plugin.
-
Guus der Kinderen authored
OF-1105: Plugin servlet mapping should be case insensitive.
-
Guus der Kinderen authored
OF-1092 Various fixes
-
Guus der Kinderen authored
OF-1100: Allow for subjectAltNames of type 'DNS'
-
Guus der Kinderen authored
The provider didn't register all of the supported SASL mechanisms. For good measure, the version number of the provider was increased as well.
-
Guus der Kinderen authored
-
Guus der Kinderen authored
Although it evaluates as a boolean, the POLICY_NOANONYMOUS property value must be a String value (as defined by javax.security.sasl.Sasl#POLICY_NOANONYMOUS)
-
Guus der Kinderen authored
The method signature defines that the 'props' argument is allowed to be null. Our implementation should not throw a NullPointerException.
-
Guus der Kinderen authored
Should use hyphens instead of underscores.
-
Guus der Kinderen authored
Although I'd rather have this case sensitive, that would break backwards compatibility. This way, paths with capital letters can be used at least.
-
- 06 Mar, 2016 3 commits
-
-
Guus der Kinderen authored
This commit formalizes the parsing of subjectAltName certificate extensions.
-
Guus der Kinderen authored
This commit adds support for the id-on-dnsSRV otherName, as well as the UniformResourceIdentifier generalName, which both could also be used for XMPP.
-
Guus der Kinderen authored
In addition to subjectAltNames of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr", subjectAltNames of type DNS should also be evaluated when processing identities from a certificate.
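The subjectAltName handling described in this and the two preceding commits (and in OF-1100 above) comes down to walking the extension's GeneralNames and keeping the four forms XMPP cares about: the id-on-xmppAddr otherName, the id-on-dnsSRV (SRVName) otherName, dNSName and uniformResourceIdentifier. The following is an added example in Python, not Openfire's Java implementation: a stdlib-only DER reader for the extension value, with a small DER writer that constructs the sample extension so the script runs without a real certificate. Getting the raw extension bytes out of a real certificate (for instance with the `cryptography` package) is assumed and not shown.

```python
"""Extract XMPP identities from a certificate's subjectAltName extension.
Added example, not Openfire's code. Covers otherName/id-on-xmppAddr,
otherName/id-on-dnsSRV (SRVName, RFC 4985), dNSName and URI; the sample
extension is constructed inline with a minimal DER writer."""

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # RFC 6120; value is a UTF8String
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"     # RFC 4985; value is IA5String "_service.name"


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_general_names(san_der):
    """Yield (kind, value) for each GeneralName in a SubjectAltName value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        choice = tag & 0x1F                 # context-specific tag number
        if choice == 0:                     # otherName { OID, [0] EXPLICIT value }
            _, oid_bytes, p = _read_tlv(content, 0)
            _, explicit, _ = _read_tlv(content, p)
            _, inner, _ = _read_tlv(explicit, 0)
            yield "otherName", (_decode_oid(oid_bytes), inner.decode("utf-8"))
        elif choice == 1:
            yield "rfc822Name", content.decode("ascii")
        elif choice == 2:
            yield "dNSName", content.decode("ascii")
        elif choice == 6:
            yield "uniformResourceIdentifier", content.decode("ascii")
        else:                               # iPAddress, directoryName, ...
            yield "unsupported", content


def xmpp_identities(san_der):
    """Identities an XMPP server matches against (RFC 6120 section 13.7.1.2).
    rfc822Name, iPAddress and otherNames with other OIDs are skipped."""
    found = []
    for kind, value in parse_general_names(san_der):
        if kind == "otherName":
            oid, text = value
            if oid == ID_ON_XMPPADDR:
                found.append(("xmppAddr", text))
            elif oid == ID_ON_DNSSRV:
                found.append(("SRVName", text))
        elif kind in ("dNSName", "uniformResourceIdentifier"):
            found.append((kind, value))
    return found


# Minimal DER writer, used only to build the constructed sample below.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out


def _other_name(oid, value_tag, text):
    # otherName is [0] IMPLICIT SEQUENCE and its value is [0] EXPLICIT: two 0xA0 tags
    return _der(0xA0, _der(0x06, _encode_oid(oid)) + _der(0xA0, _der(value_tag, text.encode())))


# Constructed sample: a server certificate's SAN for example.com, plus an
# rfc822Name and a Microsoft UPN otherName that must not become identities.
SAMPLE_SAN = _der(0x30,
    _der(0x82, b"example.com")                                        # dNSName
    + _other_name(ID_ON_XMPPADDR, 0x0C, "example.com")                # UTF8String
    + _other_name(ID_ON_DNSSRV, 0x16, "_xmpp-server.example.com")     # IA5String
    + _der(0x86, b"xmpp:example.com")                                 # URI
    + _der(0x81, b"admin@example.com")                                # rfc822Name
    + _other_name("1.3.6.1.4.1.311.20.2.3", 0x0C, "upn@example.com")  # UPN
)

if __name__ == "__main__":
    for kind, value in xmpp_identities(SAMPLE_SAN):
        print("%-26s %s" % (kind, value))
```

The sample is deliberately longer than 127 bytes so the long-form length path of the reader is exercised; a parser that only handles short-form lengths will mis-read most real SAN extensions.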
-
- 05 Mar, 2016 2 commits
-
-
Guus der Kinderen authored
OF-1092: Pluggable SASL mechanism
-
Guus der Kinderen authored
A bit of rework of the SASL implementation. Pushed implementations to Java Provider where this was not done before. When SASL fails, it is useful to be able to add some context to the failure. To do this, javax.security.sasl.SaslException is subclassed.
-
- 04 Mar, 2016 1 commit
-
-
Guus der Kinderen authored
-
- 03 Mar, 2016 7 commits
-
-
Guus der Kinderen authored
Outcasts should not be allowed to register with room.
-
Guus der Kinderen authored
Update Chinese Simplified translation (OF-1088)
-
Dave Cridland authored
OF-1095: Improve plugin (un)loading related logging
-
Dave Cridland authored
OF-1098: Anonymous user login should be disabled by default.
-
Guus der Kinderen authored
-
Guus der Kinderen authored
This commit adds more structure to the logging done when loading and unloading plugins. The plugin manager was adapted to create log statements for loading and unloading each plugin. It also logs to std-out for log statements of priority INFO and above. This mimics what some (but not all) plugins were doing internally. There's an added log statement that informs that the loading of the entire set of plugins has finished (which helps users to determine when Openfire is ready to be used). Corresponding log statements from individual plugins have been removed.
-
Guus der Kinderen authored
-
- 02 Mar, 2016 1 commit
-
-
Guus der Kinderen authored
OF-1094: Allow reset of UserProvider
-