Author: mputz
Date: 2013-03-20 11:17:30 -0400 (Wed, 20 Mar 2013)
New Revision: 9215
Added:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/CSRFTokenUtil.java
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/identity/src/main/java/org/exoplatform/services/organization/idm/IDMMembershipListAccess.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/ApplicationMessage.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/URLBuilder.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/url/PortalURL.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/pom.xml
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/account/webui/component/UIRegisterForm.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/component/UIPageNodeForm.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIGroupMembershipForm.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInGroup.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInfo.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/core/lifecycle/UIFormLifecycle.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/form/UIForm.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/application/ConfigurationManager.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/Event.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/annotation/EventConfig.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIApplication.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIComponent.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/event/Event.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/exception/MessageException.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/account/UIAccountProfiles.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/application/PortalURLBuilder.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/url/PortalURLContext.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/webui/application/ExoPortletInvocationContext.java
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portlet/src/main/java/org/exoplatform/webui/application/portlet/PortletURLBuilder.java
Log:
Bug 851392 - Fix for CVE-2012-3532: Gatein CSRF issue + previous patches
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/identity/src/main/java/org/exoplatform/services/organization/idm/IDMMembershipListAccess.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/identity/src/main/java/org/exoplatform/services/organization/idm/IDMMembershipListAccess.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/identity/src/main/java/org/exoplatform/services/organization/idm/IDMMembershipListAccess.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -103,7 +103,7 @@
//
int i = 0;
- for (; i < roles.size(); i++)
+ for (; i < length; i++)
{
Role role = roles.get(i);
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/ApplicationMessage.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/ApplicationMessage.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/ApplicationMessage.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -30,13 +30,22 @@
{
private final String messageKey_;
private final Object[] messageArgs_;
+ private String message;
public ApplicationMessage(String key, Object[] args)
{
this.messageKey_ = key;
this.messageArgs_ = args;
+ message = null;
}
+ public ApplicationMessage(String message)
+ {
+ messageKey_ = null;
+ messageArgs_ = null;
+ this.message = message;
+ }
+
@Override
public boolean equals(Object o)
{
@@ -85,24 +94,32 @@
public String getMessage()
{
- String msg = resolveMessage(messageKey_);
- if (msg != null && messageArgs_ != null)
+ if (message == null)
{
- for (int i = 0; i < messageArgs_.length; i++)
+ String msg = resolveMessage(messageKey_);
+ if (msg != null && messageArgs_ != null)
{
- final Object messageArg = messageArgs_[i];
- if (messageArg != null)
+ for (int i = 0; i < messageArgs_.length; i++)
{
- String arg = messageArg.toString();
- if (isArgsLocalized())
+ final Object messageArg = messageArgs_[i];
+ if (messageArg != null)
{
- arg = resolveMessage(arg);
+ String arg = messageArg.toString();
+ if (isArgsLocalized())
+ {
+ arg = resolveMessage(arg);
+ }
+ msg = msg.replace("{" + i + "}", arg);
}
- msg = msg.replace("{" + i + "}", arg);
}
}
+
+ message = msg;
+ return msg;
}
-
- return msg;
+ else
+ {
+ return message;
+ }
}
}
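Review bot: `getMessage()` now memoises the resolved text in `message`, so the first call fixes the result for the lifetime of the object; if `resolveMessage` depends on the current request locale (it is not visible here), a message created under one locale and rendered under another will show the stale translation. If that is acceptable, say so in a comment on the assignment, e.g. `// cache the first resolution; later locale changes are deliberately ignored`, otherwise drop the `message = msg;` line for keyed messages and keep the field only for the plain-text constructor. Note that a null `msg` is also cached as null and re-resolved on every call, which is harmless but worth a comment.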
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/URLBuilder.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/URLBuilder.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/application/URLBuilder.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -78,20 +78,20 @@
public final String createURL(T targetComponent, String action, String targetBeanId)
{
- return createURL(targetComponent, action, null, targetBeanId, (Parameter[])null);
+ return createURL(targetComponent, action, null, targetBeanId, (Parameter[])null,
false);
}
public final String createAjaxURL(T targetComponent, String action, String
targetBeanId)
{
- return createAjaxURL(targetComponent, action, null, targetBeanId,
(Parameter[])null);
+ return createAjaxURL(targetComponent, action, null, targetBeanId,
(Parameter[])null, false);
}
public final String createAjaxURL(T targetComponent, String action, String confirm,
String targetBeanId)
{
- return createAjaxURL(targetComponent, action, confirm, targetBeanId,
(Parameter[])null);
+ return createAjaxURL(targetComponent, action, confirm, targetBeanId,
(Parameter[])null, false);
}
- public abstract String createAjaxURL(T targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params);
+ public abstract String createAjaxURL(T targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params, boolean csrfCheck);
- public abstract String createURL(T targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params);
+ public abstract String createURL(T targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params, boolean csrfCheck);
}
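Review bot: The two abstract methods gain a `boolean csrfCheck` parameter with no Javadoc, and every implementor of `URLBuilder` outside this commit must now be updated because the old five-argument abstract signatures are removed. Add `@param csrfCheck when true the generated URL carries the session CSRF token so the target event's check can pass` to both declarations. The convenience overloads above pass `false`, which means URLs built through them never carry the token; that default is worth stating on those methods too.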
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/url/PortalURL.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/url/PortalURL.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/component/web/controller/src/main/java/org/exoplatform/web/url/PortalURL.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -43,6 +43,9 @@
/** . */
private boolean authorityUse;
+
+ /** . */
+ private boolean csrfCheck;
/** . */
protected Boolean ajax;
@@ -241,7 +244,17 @@
{
this.locale = locale;
}
+
+ public boolean isCSRFCheck()
+ {
+ return csrfCheck;
+ }
+ public void setCSRFCheck(boolean csrfCheck)
+ {
+ this.csrfCheck = csrfCheck;
+ }
+
/**
* Reset the Portal URL state
*/
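Review bot: `reset()` (documented as "Reset the Portal URL state", its body lies outside the hunk) should also clear the new `csrfCheck` flag, otherwise a reused `PortalURL` keeps the flag from the previous build; `PortalURLBuilder.createURL` happens to set it on every call, but other callers of `reset()` will not. The accessor is named `isCSRFCheck` here while `config.Event` and `event.Event` use `isCsrfCheck`; picking one spelling avoids confusion. Replace the placeholder `/** . */` with `/** Whether the rendered URL must carry the session CSRF token. */`.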
Modified: epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/pom.xml
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/pom.xml 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/pom.xml 2013-03-20
15:17:30 UTC (rev 9215)
@@ -52,7 +52,7 @@
<org.gatein.dep.version>1.1.0-GA</org.gatein.dep.version>
<org.gatein.wci.version>2.1.1-GA</org.gatein.wci.version>
<org.gatein.pc.version>2.3.1-GA</org.gatein.pc.version>
- <org.picketlink.idm>1.3.2.CR01</org.picketlink.idm>
+ <org.picketlink.idm>1.3.3.Final</org.picketlink.idm>
<org.gatein.wsrp.version>2.1.7-EPP522-GA</org.gatein.wsrp.version>
<org.gatein.mop.version>1.1.2-GA</org.gatein.mop.version>
<org.gatein.mgmt.version>1.0.1-GA</org.gatein.mgmt.version>
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/account/webui/component/UIRegisterForm.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/account/webui/component/UIRegisterForm.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/account/webui/component/UIRegisterForm.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -18,7 +18,7 @@
*/
package org.exoplatform.account.webui.component;
-
+
import java.util.ArrayList;
import java.util.List;
@@ -154,7 +154,7 @@
}
catch (MessageException e)
{
-
event.getRequestContext().getUIApplication().addMessage(e.getDetailMessage());
+
event.getRequestContext().getUIApplication().addMessage(e.getDetailedMessage());
return;
}
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/component/UIPageNodeForm.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/component/UIPageNodeForm.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/component/UIPageNodeForm.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -677,7 +677,7 @@
}
catch (MessageException ex)
{
- uiPortalApp.addMessage(ex.getDetailMessage());
+ uiPortalApp.addMessage(ex.getDetailedMessage());
return;
}
catch (Exception ex)
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIGroupMembershipForm.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIGroupMembershipForm.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIGroupMembershipForm.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -41,7 +41,7 @@
import org.exoplatform.webui.form.UIForm;
import org.exoplatform.webui.form.UIFormSelectBox;
import org.exoplatform.webui.form.UIFormStringInput;
-import org.exoplatform.webui.form.validator.UserConfigurableValidator;
+import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.organization.account.UIUserSelector;
import java.util.ArrayList;
@@ -75,7 +75,7 @@
public UIGroupMembershipForm() throws Exception
{
- addUIFormInput(new UIFormStringInput(USER_NAME, USER_NAME,
null).addValidator(UserConfigurableValidator.class,
UserConfigurableValidator.GROUPMEMBERSHIP,
UserConfigurableValidator.GROUP_MEMBERSHIP_LOCALIZATION_KEY));
+ addUIFormInput(new UIFormStringInput(USER_NAME, USER_NAME,
null).addValidator(MandatoryValidator.class));
addUIFormInput(new UIFormSelectBox("membership", "membership",
listOption).setSize(1));
UIPopupWindow searchUserPopup = addChild(UIPopupWindow.class,
"SearchUser", "SearchUser");
searchUserPopup.setWindowSize(640, 0);
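Review bot: Replacing `UserConfigurableValidator` with `MandatoryValidator` on the `USER_NAME` input relaxes validation to a presence check, which is a behavioural change that the commit log (CSRF fix plus previous patches) does not explain. If this is intentional, a one-line comment on the `addValidator` call stating why the configurable validation was dropped would help the next reader; if not, it may be an accidental inclusion from another patch. The constructor continues past the end of the hunk.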
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInGroup.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInGroup.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInGroup.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -132,14 +132,9 @@
}
else
{
- OrganizationService service =
getApplicationComponent(OrganizationService.class);
- MembershipHandler handler = service.getMembershipHandler();
- ListAccess<?> list = handler.findAllMembershipsByGroup(group);
- pageList = new FindMembershipByGroupPageList(group.getId(),
- list.getSize() > 10 ? list.getSize() : 10);
+ pageList = new FindMembershipByGroupPageList(group.getId(), 5);
}
UIGridUser uiGrid = getChild(UIGridUser.class);
- pageList.setPageSize(5);
UIPageIterator pageIterator = uiGrid.getUIPageIterator();
/** We keep the currently selected page index **/
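Review bot: Removing `pageList.setPageSize(5);` changes the page size for the `if` branch as well, which is outside the hunk and may not set a page size itself; only the `else` branch now passes 5 through the constructor. Either keep the `setPageSize(5)` call after the `if`/`else`, or confirm that the other branch constructs its page list with the same size. The dropped `ListAccess.getSize()` lookup also means the membership count is no longer fetched up front, which is presumably the intended performance fix.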
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInfo.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInfo.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/portlet/exoadmin/src/main/java/org/exoplatform/organization/webui/component/UIUserInfo.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -48,7 +48,7 @@
/** Created by The eXo Platform SARL Author : chungnv nguyenchung136(a)yahoo.com Jun 23,
2006 10:07:15 AM */
@ComponentConfig(lifecycle = UIFormLifecycle.class, template =
"system:/groovy/webui/form/UIFormTabPane.gtmpl", events = {
- @EventConfig(listeners = UIUserInfo.SaveActionListener.class),
+ @EventConfig(listeners = UIUserInfo.SaveActionListener.class, csrfCheck = true),
@EventConfig(listeners = UIUserInfo.BackActionListener.class, phase = Phase.DECODE),
@EventConfig(listeners = UIUserInfo.ToggleChangePasswordActionListener.class, phase =
Phase.DECODE)})
@Serialized
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/core/lifecycle/UIFormLifecycle.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/core/lifecycle/UIFormLifecycle.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/core/lifecycle/UIFormLifecycle.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -195,7 +195,7 @@
}
catch (MessageException ex)
{
- uiApp.addMessage(ex.getDetailMessage());
+ uiApp.addMessage(ex.getDetailedMessage());
context.setProcessRender(true);
}
catch (Exception ex)
@@ -231,7 +231,7 @@
}
catch (MessageException ex)
{
- uiApp.addMessage(ex.getDetailMessage());
+ uiApp.addMessage(ex.getDetailedMessage());
context.setProcessRender(true);
}
}
@@ -261,7 +261,7 @@
}
catch (MessageException ex)
{
- uiApp.addMessage(ex.getDetailMessage());
+ uiApp.addMessage(ex.getDetailedMessage());
context.setProcessRender(true);
}
catch (Exception ex)
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/form/UIForm.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/form/UIForm.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/core/src/main/java/org/exoplatform/webui/form/UIForm.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -19,6 +19,7 @@
package org.exoplatform.webui.form;
+import org.exoplatform.webui.CSRFTokenUtil;
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.webui.application.portlet.PortletRequestContext;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
@@ -186,7 +187,10 @@
writer.append(" enctype=\"multipart/form-data\"");
}
writer.append(" method=\"post\">");
- writer.append("<div><input type=\"hidden\"
name=\"").append(ACTION).append("\"
value=\"\"/></div>");
+ writer.append("<div><input type=\"hidden\"
name=\"").append(ACTION).append("\" value=\"\"/>");
+ writer.append("<input type=\"hidden\"
name=\"").append(CSRFTokenUtil.CSRF_TOKEN).append("\"
value=\"");
+ writer.append(CSRFTokenUtil.getToken());
+ writer.append("\"/></div>");
}
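Review bot: `CSRFTokenUtil.getToken()` returns null when no servlet request is available, and `writer.append(null)` then writes the literal text `null` into the hidden field, which will later fail the token check with a misleading value. Guard it, e.g. `String token = CSRFTokenUtil.getToken(); if (token != null) { … append the hidden input … }`, so the form simply omits the field when there is no session to bind to. The token is a server-generated key, so emitting it unescaped is fine, but a comment saying so next to the `append` would save a future reviewer the question.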
@Override
@@ -336,4 +340,4 @@
{
return "uiform";
}
-}
\ No newline at end of file
+}
Added:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/CSRFTokenUtil.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/CSRFTokenUtil.java
(rev 0)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/CSRFTokenUtil.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2012 eXo Platform SAS.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.exoplatform.webui;
+
+import javax.portlet.PortletRequest;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.exoplatform.services.log.ExoLogger;
+import org.exoplatform.services.log.Log;
+import org.exoplatform.webui.application.WebuiRequestContext;
+import org.gatein.common.util.UUIDGenerator;
+
+/**
+ * @author <a href="mailto:phuong.vu@exoplatform.com">Vu Viet
Phuong</a>
+ * @version $Id$
+ *
+ */
+public class CSRFTokenUtil
+{
+ public static final String CSRF_TOKEN = "gtn:csrf";
+
+ private static Log log = ExoLogger.getExoLogger(CSRFTokenUtil.class);
+
+ private static final UUIDGenerator generator = new UUIDGenerator();
+
+ public static boolean check() throws Exception
+ {
+ HttpServletRequest request = getRequest();
+ if (request != null)
+ {
+ String sessionToken = getToken();
+ String reqToken = request.getParameter(CSRF_TOKEN);
+
+ return reqToken != null && reqToken.equals(sessionToken);
+ }
+ else
+ {
+ log.warn("No HttpServletRequest found, can't check CSRF");
+ return false;
+ }
+ }
+
+ public static String getToken() throws Exception
+ {
+ HttpServletRequest request = getRequest();
+ if (request != null)
+ {
+ HttpSession session = request.getSession();
+ String token = (String)session.getAttribute(CSRF_TOKEN);
+ if (token == null)
+ {
+ token = generator.generateKey();
+ session.setAttribute(CSRF_TOKEN, token);
+ }
+ return token;
+ }
+ else
+ {
+ log.warn("No HttpServletRequest found, can't generate CSRF
token");
+ return null;
+ }
+ }
+
+ private static HttpServletRequest getRequest() throws Exception
+ {
+ WebuiRequestContext context = WebuiRequestContext.getCurrentInstance();
+ if (context != null && context.getRequest() instanceof PortletRequest)
+ {
+ context = (WebuiRequestContext)context.getParentAppRequestContext();
+ }
+
+ if (context != null)
+ {
+ return context.getRequest();
+ }
+ else
+ {
+ log.warn("Can't find portal context");
+ return null;
+ }
+ }
+}
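Review bot: `check()` compares the session token with `String.equals`, which is not constant-time; use `return reqToken != null && sessionToken != null && MessageDigest.isEqual(reqToken.getBytes(StandardCharsets.UTF_8), sessionToken.getBytes(StandardCharsets.UTF_8));`. Because `check()` obtains the expected value through `getToken()`, a request without a session lazily creates both a session and a token before failing; that is safe but worth a comment, and `private static Log log` should be `private static final`. The token comes from `org.gatein.common.util.UUIDGenerator`, whose randomness source is not visible here; add a comment confirming it is backed by a cryptographically strong generator, or switch to `SecureRandom`. Public methods lack Javadoc; state for `check()` that it returns false when no servlet request can be found (fail closed).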
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/application/ConfigurationManager.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/application/ConfigurationManager.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/application/ConfigurationManager.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -373,6 +373,7 @@
event.setName(name);
}
event.setListeners(listeners);
+ event.setCsrfCheck(annotation.csrfCheck());
return event;
}
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/Event.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/Event.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/Event.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -39,6 +39,8 @@
private InitParams initParams;
private ArrayList<String> listeners;
+
+ private boolean csrfCheck;
transient private List<EventListener> eventListeners_;
@@ -125,5 +127,15 @@
{
eventListeners_ = list;
}
+
+ public boolean isCsrfCheck()
+ {
+ return csrfCheck;
+ }
+ public void setCsrfCheck(boolean csrfCheck)
+ {
+ this.csrfCheck = csrfCheck;
+ }
+
}
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/annotation/EventConfig.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/annotation/EventConfig.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/config/annotation/EventConfig.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -40,6 +40,8 @@
Class[] listeners();
Phase phase() default Phase.PROCESS;
+
+ boolean csrfCheck() default false;
ParamConfig[] initParams() default {};
}
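Review bot: The new `csrfCheck` attribute has no Javadoc, and because it defaults to `false` every state-changing listener must opt in explicitly; the commit only annotates the Save actions in `UIUserInfo` and `UIAccountProfiles`. Add `/** When true, Event.broadcast() rejects the request unless the gtn:csrf parameter matches the session token; defaults to false, so state-changing listeners must opt in explicitly. */` above the attribute. Consider listing in the class Javadoc which listeners are expected to set it.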
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIApplication.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIApplication.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIApplication.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -138,7 +138,7 @@
}
catch (MessageException ex)
{
- addMessage(ex.getDetailMessage());
+ addMessage(ex.getDetailedMessage());
}
catch (Throwable t)
{
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIComponent.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIComponent.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/core/UIComponent.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -319,13 +319,13 @@
//
if (ajax)
{
- return urlBuilder.createAjaxURL(this, event.getName(), confirm, beanId,
params);
+ return urlBuilder.createAjaxURL(this, event.getName(), confirm, beanId, params,
event.isCsrfCheck());
}
else
{
try
{
- return urlBuilder.createURL(this, event.getName(), confirm, beanId, params);
+ return urlBuilder.createURL(this, event.getName(), confirm, beanId, params,
event.isCsrfCheck());
}
catch (Exception e)
{
@@ -352,6 +352,8 @@
{
return;
}
+ event.setCsrfCheck(econfig.isCsrfCheck());
+
Phase executionPhase = econfig.getExecutionPhase();
if (executionPhase == phase || executionPhase == Event.Phase.ANY)
{
@@ -461,6 +463,7 @@
Event<UIComponent> event = new Event<UIComponent>(this, name,
context);
event.setExecutionPhase(phase);
event.setEventListeners(econfig.getCachedEventListeners());
+ event.setCsrfCheck(econfig.isCsrfCheck());
return event;
}
return null;
@@ -490,4 +493,4 @@
}
return null;
}
-}
\ No newline at end of file
+}
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/event/Event.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/event/Event.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/event/Event.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -19,9 +19,13 @@
package org.exoplatform.webui.event;
+import java.util.List;
+
+import org.exoplatform.services.log.ExoLogger;
+import org.exoplatform.services.log.Log;
+import org.exoplatform.webui.CSRFTokenUtil;
import org.exoplatform.webui.application.WebuiRequestContext;
-import java.util.List;
public class Event<T>
{
@@ -35,6 +39,10 @@
private WebuiRequestContext context_;
private List<EventListener> listeners_;
+
+ private boolean csrfCheck;
+
+ private static final Log log = ExoLogger.getLogger(Event.class.getName());
public Event(T source, String name, WebuiRequestContext context)
{
@@ -83,14 +91,32 @@
listeners_ = listeners;
}
- final public void broadcast() throws Exception
+ public boolean isCsrfCheck()
{
- for (EventListener<T> listener : listeners_)
- listener.execute(this);
+ return csrfCheck;
}
+ public void setCsrfCheck(boolean csrfCheck)
+ {
+ this.csrfCheck = csrfCheck;
+ }
+
+ final public void broadcast() throws Exception
+ {
+ if (isCsrfCheck() && !CSRFTokenUtil.check())
+ {
+ getRequestContext().setResponseComplete(true);
+ log.error("csrfToken is lost or this is an csrf attack");
+ }
+ else
+ {
+ for (EventListener<T> listener : listeners_)
+ listener.execute(this);
+ }
+ }
+
static public enum Phase {
ANY, DECODE, PROCESS, RENDER
}
-}
\ No newline at end of file
+}
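Review bot: The rejection branch logs at error level with a grammatically off message and no event context, so an operator cannot tell which action was blocked; use `log.warn("CSRF token missing or mismatched for event " + getName() + "; request rejected");` (`getName()` is used on events in UIComponent). Since `CSRFTokenUtil.check()` returns false when no HttpServletRequest is found, flagged events fail closed in that situation, which is correct but should be stated in a Javadoc on `broadcast()`. The `log` field uses `ExoLogger.getLogger(Event.class.getName())` while `CSRFTokenUtil` uses `getExoLogger(CSRFTokenUtil.class)`; one style is enough.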
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/exception/MessageException.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/exception/MessageException.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/framework/src/main/java/org/exoplatform/webui/exception/MessageException.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -45,9 +45,13 @@
this((AbstractApplicationMessage)message);
}
- public AbstractApplicationMessage getDetailMessage()
+ public AbstractApplicationMessage getDetailedMessage()
{
return message;
}
+ public ApplicationMessage getDetailMessage()
+ {
+ return new ApplicationMessage(message.getMessage());
+ }
}
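Review bot: The replacement `getDetailMessage()` dereferences `message` and resolves it eagerly via `message.getMessage()`, so a `MessageException` built with a null message now throws a NullPointerException from the getter, and the text is resolved when the exception is inspected rather than when it is rendered. Guard it with `return message == null ? null : new ApplicationMessage(message.getMessage());` and mark the old name `@Deprecated` with a Javadoc pointing callers to `getDetailedMessage()`, since this commit already migrates the in-tree callers.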
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/account/UIAccountProfiles.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/account/UIAccountProfiles.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/account/UIAccountProfiles.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -52,7 +52,7 @@
@ComponentConfig(lifecycle = UIFormLifecycle.class, template =
"system:/groovy/webui/form/UIForm.gtmpl",
-events = {@EventConfig(listeners = UIAccountProfiles.SaveActionListener.class),
+events = {@EventConfig(listeners = UIAccountProfiles.SaveActionListener.class, csrfCheck
= true),
@EventConfig(listeners = UIAccountProfiles.ResetActionListener.class, phase =
Phase.DECODE)})
public class UIAccountProfiles extends UIForm
{
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/application/PortalURLBuilder.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/application/PortalURLBuilder.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/application/PortalURLBuilder.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -46,18 +46,18 @@
}
@Override
- public String createAjaxURL(UIComponent targetComponent, String action, String
confirm, String targetBeanId, Parameter[] params)
+ public String createAjaxURL(UIComponent targetComponent, String action, String
confirm, String targetBeanId, Parameter[] params, boolean csrfCheck)
{
- return createURL(true, targetComponent, action, confirm, targetBeanId, params);
+ return createURL(true, targetComponent, action, confirm, targetBeanId, params,
csrfCheck);
}
@Override
- public String createURL(UIComponent targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params)
+ public String createURL(UIComponent targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params, boolean csrfCheck)
{
- return createURL(false, targetComponent, action, confirm, targetBeanId, params);
+ return createURL(false, targetComponent, action, confirm, targetBeanId, params,
csrfCheck);
}
- private String createURL(boolean ajax, UIComponent targetComponent, String action,
String confirm, String targetBeanId, Parameter[] params)
+ private String createURL(boolean ajax, UIComponent targetComponent, String action,
String confirm, String targetBeanId, Parameter[] params, boolean csrfCheck)
{
url.reset();
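Review bot: The new `csrfCheck` parameter on the two public overrides is undocumented; each should get `@param csrfCheck whether a CSRF token is appended to the generated URL` so callers know what opting in means. The previous five-parameter signatures are removed rather than kept as delegates, so any third-party code compiled against the old `URLBuilder` contract will presumably break at link time; if that contract is public API on this maintenance branch, keeping the old overloads and documenting the default they delegate with would avoid that. The private createURL's body continues past this hunk.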
@@ -88,7 +88,9 @@
{
url.setLocale(locale);
}
-
+
+ url.setCSRFCheck(csrfCheck);
+
//
return url.toString();
}
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/url/PortalURLContext.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/url/PortalURLContext.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/url/PortalURLContext.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -19,6 +19,13 @@
package org.exoplatform.portal.url;
+import javax.servlet.http.HttpServletRequest;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+
import org.exoplatform.commons.utils.I18N;
import org.exoplatform.portal.application.PortalRequestHandler;
import org.exoplatform.portal.mop.SiteKey;
@@ -28,14 +35,9 @@
import org.exoplatform.web.controller.router.URIWriter;
import org.exoplatform.web.url.PortalURL;
import org.exoplatform.web.url.URLContext;
+import org.exoplatform.webui.CSRFTokenUtil;
import org.gatein.common.io.UndeclaredIOException;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Locale;
-import java.util.Map;
-
/**
* @author <a href="mailto:julien.viet@exoplatform.com">Julien
Viet</a>
*/
@@ -189,7 +191,22 @@
}
}
}
-
+
+ //CSRF token
+ if (url.isCSRFCheck())
+ {
+ String token;
+ try
+ {
+ token = CSRFTokenUtil.getToken();
+ writer.appendQueryParameter(CSRFTokenUtil.CSRF_TOKEN, token);
+ }
+ catch (Exception e)
+ {
+ throw new IllegalStateException("Can't add csrf token to url",
e);
+ }
+ }
+
//
if (ajax)
{
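Review bot: `catch (Exception e)` wraps every failure in the block, including any RuntimeException thrown by `writer.appendQueryParameter`, into the same "Can't add csrf token to url" IllegalStateException, which hides the real cause; narrow it to the checked type that `CSRFTokenUtil.getToken()` declares (that class is added in this commit but is not visible here) and keep `appendQueryParameter` outside that try, with its own catch clause if it declares a checked exception. A comment on the block should also record that the token travels in the query string, so it will appear in server access logs, browser history and Referer headers sent from the resulting page; that is an accepted limitation of URL-borne tokens, but the token lifetime and log handling should be chosen with it in mind. The enclosing method starts before this hunk.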
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/webui/application/ExoPortletInvocationContext.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/webui/application/ExoPortletInvocationContext.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portal/src/main/java/org/exoplatform/portal/webui/application/ExoPortletInvocationContext.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -24,6 +24,7 @@
import org.exoplatform.portal.application.PortalRequestContext;
import org.exoplatform.web.url.MimeType;
import org.exoplatform.web.url.PortalURL;
+import org.exoplatform.webui.application.portlet.PortletURLBuilder;
import org.exoplatform.webui.core.UIComponent;
import org.exoplatform.webui.url.ComponentURL;
import org.gatein.common.logging.Logger;
@@ -282,6 +283,10 @@
// Confirm messsage
url.setConfirm(props.get("gtn:confirm"));
+
+ //
+ String csrfCheck = props.get(PortletURLBuilder.CSRF_PROP);
+ url.setCSRFCheck(Boolean.parseBoolean(csrfCheck));
//
MimeType mimeType = Boolean.TRUE.equals(format.getWantEscapeXML()) ? MimeType.XHTML
: MimeType.PLAIN;
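Review bot: The added `//` comment is empty; replace it with one that names the contract, e.g. `// Carry the CSRF requirement set by PortletURLBuilder (gtn:csrfCheck) over to the portal URL`. `Boolean.parseBoolean(null)` returns false, so a URL without the property correctly gets no check; a short `// absent property means no token` on the `setCSRFCheck` line makes that intent explicit.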
Modified:
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portlet/src/main/java/org/exoplatform/webui/application/portlet/PortletURLBuilder.java
===================================================================
---
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portlet/src/main/java/org/exoplatform/webui/application/portlet/PortletURLBuilder.java 2013-03-20
04:10:52 UTC (rev 9214)
+++
epp/portal/branches/EPP_5_2_2_GA_BZ851392_BZ874821_BZ895343_BZ921181/webui/portlet/src/main/java/org/exoplatform/webui/application/portlet/PortletURLBuilder.java 2013-03-20
15:17:30 UTC (rev 9215)
@@ -35,27 +35,29 @@
/** . */
private final PortletURL url;
+
+ public static final String CSRF_PROP = "gtn:csrfCheck";
public PortletURLBuilder(PortletURL url)
{
this.url = url;
}
- public String createAjaxURL(UIComponent targetComponent, String action, String
confirm, String targetBeanId, Parameter[] params)
+ public String createAjaxURL(UIComponent targetComponent, String action, String
confirm, String targetBeanId, Parameter[] params, boolean csrfCheck)
{
- return createURL(true, confirm, targetComponent, action, targetBeanId, params);
+ return createURL(true, confirm, targetComponent, action, targetBeanId, params,
csrfCheck);
}
- public String createURL(UIComponent targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params)
+ public String createURL(UIComponent targetComponent, String action, String confirm,
String targetBeanId, Parameter[] params, boolean csrfCheck)
{
- return createURL(false, confirm, targetComponent, action, targetBeanId, params);
+ return createURL(false, confirm, targetComponent, action, targetBeanId, params,
csrfCheck);
}
private String createURL(
boolean ajax,
String confirm,
UIComponent targetComponent, String action, String targetBeanId,
- Parameter[] params)
+ Parameter[] params, boolean csrfCheck)
{
// Clear URL
url.getParameterMap().clear();
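Review bot: `CSRF_PROP` is a new public constant that forms a contract with ExoPortletInvocationContext, which reads the same key, yet it has no Javadoc; document it, e.g. `/** URL property set to "true" when the generated action URL must carry a CSRF token; read back by the portal when it builds the component URL. */`. The `csrfCheck` parameter on the two public overloads is likewise undocumented; `@param csrfCheck whether the target action requires a CSRF token` on each would do. The private createURL's body continues past this hunk.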
@@ -99,6 +101,12 @@
}
//
+ if (csrfCheck)
+ {
+ url.setProperty(CSRF_PROP, Boolean.TRUE.toString());
+ }
+
return url.toString();
+
}
}
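Review bot: The property is written only when `csrfCheck` is true, but the `url` field is reused across calls and the "Clear URL" step at the top of createURL only clears the parameter map, so unless properties are reset in the unchanged part of the method a URL built with csrfCheck=true leaves `gtn:csrfCheck=true` behind for the next URL built with csrfCheck=false. Writing it unconditionally, `url.setProperty(CSRF_PROP, Boolean.toString(csrfCheck));`, mirrors the unconditional `url.setCSRFCheck(csrfCheck)` in PortalURLBuilder and removes the carry-over; the consequence of a stale true is presumably an unnecessary token rather than a bypass, but it is still wrong. The blank line added between `return url.toString();` and the closing brace is dead whitespace and can be dropped.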