Log: Implemented: Improved: Documented: Completed: Reverted: Fixed: (OFBIZ-) Explanation Thanks: Best regards, Pranay Pandey HotWax Systems http://www.hotwaxsystems.com/ On Thu, Feb 2, 2017 at 4:03 PM, <[hidden email]> wrote: > Author: jleroux > Date: Thu Feb 2 10:33:59 2017 > New Revision: 1781366 > > URL: http://svn.apache.org/viewvc?rev=1781366&view=rev > Log: > Implemented: > Improved: > Documented: > Completed: > Reverted: > Fixed: > (OFBIZ-) > Explanation > Thanks: > > Added: > ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js > (with props) > ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties > (with props) > ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller - > Copie.xml (with props) > ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web - > Copie.xml (with props) > ofbiz/trunk/framework/webapp/config/requestHandler - > Copie.properties (with props) > ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with props) > Modified: > ofbiz/trunk/applications/content/widget/compdoc/ > CompDocTemplateTree.xml > ofbiz/trunk/applications/content/widget/content/ContentForms.xml > ofbiz/trunk/applications/product/template/Main.ftl > ofbiz/trunk/applications/product/template/store/ > EditProductStoreWebSites.ftl > ofbiz/trunk/framework/base/src/main/java/org/apache/ > ofbiz/base/util/template/FreeMarkerWorker.java > ofbiz/trunk/framework/minilang/src/main/java/org/ > apache/ofbiz/minilang/method/entityops/EntityOne.java > ofbiz/trunk/framework/widget/dtd/widget-common.xsd > ofbiz/trunk/framework/widget/src/main/java/org/apache/ > ofbiz/widget/renderer/macro/MacroFormRenderer.java > > Modified: ofbiz/trunk/applications/content/widget/compdoc/ > CompDocTemplateTree.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > content/widget/compdoc/CompDocTemplateTree.xml?rev= > 1781366&r1=1781365&r2=1781366&view=diff > ============================================================ > 
================== > --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml > (original) > +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml > Thu Feb 2 10:33:59 2017 > @@ -22,7 +22,7 @@ under the License. > <tree name="CompDocTemplateTree" entity-name="Content" > root-node-name="node-root" > default-render-style="simple" default-wrap-style="treeWrapper"> > <node name="node-root" wrap-style="treeWrapper"> > - <entity-one entity-name="Content" use-cache="false"> > + <entity-one entity-name="Content" value-field="content" > use-cache="false"> > <field-map field-name="contentId" > from-field="rootContentId"/> > </entity-one> > <include-screen name="rootTemplateLine" > location="component://content/widget/compdoc/CompDocScreens.xml"/> > @@ -54,7 +54,7 @@ under the License. > </sub-node> > </node> > <node name="node-body" join-field-name="itemContentId" > entity-name="AssocRevisionItemView" wrap-style="treeWrapper"> > - <entity-one entity-name="Content" use-cache="false"> > + <entity-one entity-name="Content" value-field="content" > use-cache="false"> > <field-map field-name="contentId" > from-field="itemContentId"/> > </entity-one> > <include-screen name="childTemplateLine" > location="component://content/widget/compdoc/CompDocScreens.xml"/> > @@ -90,7 +90,7 @@ under the License. > <tree name="CompDocInstanceTree" entity-name="Content" > root-node-name="node-root" > default-render-style="simple" default-wrap-style="treeWrapper"> > <node name="node-root"> > - <entity-one entity-name="Content" use-cache="false"> > + <entity-one entity-name="Content" value-field="content" > use-cache="false"> > <field-map field-name="contentId" > from-field="instanceContent.instanceOfContentId"/> > </entity-one> > <include-screen name="rootInstanceLine" > location="component://content/widget/compdoc/CompDocScreens.xml"/> 
> @@ -122,7 +122,7 @@ under the License. > </sub-node> > </node> > <node name="node-body" join-field-name="itemContentId" > entity-name="AssocRevisionItemView"> > - <entity-one entity-name="Content" use-cache="false"> > + <entity-one entity-name="Content" value-field="content" > use-cache="false"> > <field-map field-name="contentId" > from-field="itemContentId"/> > </entity-one> > <include-screen name="childInstanceLine" > location="component://content/widget/compdoc/CompDocScreens.xml"/> > > Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > content/widget/content/ContentForms.xml?rev=1781366& > r1=1781365&r2=1781366&view=diff > ============================================================ > ================== > --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml > (original) > +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu > Feb 2 10:33:59 2017 
> @@ -230,9 +230,9 @@ under the License. > </form> > <!-- ContentAssoc forms --> > <form name="EditContentAssoc" target="updateContentAssoc" title="" > type="single" > - header-row-style="header-row" default-table-style="basic-table"> > + header-row-style="header-row" default-table-style="basic-table" > default-entity-name="contentAssocX"> > <actions> > - <entity-one entity-name="ContentAssoc" use-cache="true"> > + <entity-one entity-name="ContentAssoc" use-cache="true" > value-field="contentAssoc"> > <field-map field-name="contentId" from-field="contentId"/> > <field-map field-name="contentIdTo" > from-field="contentIdTo"/> > <field-map field-name="contentAssocTypeId" from-field=" > contentAssocTypeId"/> > > Modified: ofbiz/trunk/applications/product/template/Main.ftl > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff > ============================================================ > ================== > --- ofbiz/trunk/applications/product/template/Main.ftl (original) > +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2 > 10:33:59 2017 
> @@ -29,6 +29,8 @@ under the License. > </form> > <div class="label">${uiLabelMap.CommonOr}: <a href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>" > class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div> > <br /> > +<p>Output format: ${.output_format} > +<p>Auto-escaping: ${.auto_esc?c} > <div class="label">${uiLabelMap.ProductEditCategoryWithCategor > yId}:</div> > <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>" > style="margin: 0;" name="EditCategoryForm"> > <@htmlTemplate.lookupField name="productCategoryId" > id="productCategoryId" formName="EditCategoryForm" fieldFormName=" > LookupProductCategory"/> > > Modified: ofbiz/trunk/applications/product/template/store/ > EditProductStoreWebSites.ftl > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > product/template/store/EditProductStoreWebSites.ftl? > rev=1781366&r1=1781365&r2=1781366&view=diff > ============================================================ > ================== > --- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl > (original) > +++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl > Thu Feb 2 10:33:59 2017 
> @@ -37,12 +37,7 @@ under the License. > <td>${webSite.httpHost?default(' ')}</td> > <td>${webSite.httpPort?default(' ')}</td> > <td align="center"> > - <a href="javascript:document. > storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${ > uiLabelMap.CommonDelete}</a> > - <form name="storeUpdateWebSite_${webSite_index}" > method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>"> > - <input type="hidden" name="viewProductStoreId" > value="${productStoreId}"/> > - <input type="hidden" name="productStoreId" > value=""/> > - <input type="hidden" name="webSiteId" > value="${webSite.webSiteId}"/> > - </form> > + <a href="<@ofbizUrl>storeUpdateWebSite? > viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${ > webSite.webSiteId}</@ofbizUrl>" class="buttontext">${ > uiLabelMap.CommonDelete}</a> > </td> > </tr> > <#-- toggle the row color --> > > Added: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.js > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto > ============================================================ > ================== > --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js > (added) > +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js > Thu Feb 2 10:33:59 2017 
> @@ -0,0 +1,447 @@ > +/** > + * The OWASP CSRFGuard Project, BSD License > + * Eric Sheridan ([hidden email]), Copyright (c) 2011 > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions are > met: > + * > + * 1. Redistributions of source code must retain the above copyright > notice, > + * this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > the > + * documentation and/or other materials provided with the > distribution. > + * 3. Neither the name of OWASP nor the names of its contributors may > be used > + * to endorse or promote products derived from this software > without specific > + * prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > "AS IS" > + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, > THE > + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > PURPOSE > + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS > BE LIABLE > + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > CONSEQUENTIAL DAMAGES > + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR > SERVICES; > + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER > CAUSED AND ON > + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > OF THIS > + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > +(function() { > + /** > + * Code to ensure our event always gets triggered when the DOM is > updated. 
> + * @param obj > + * @param type > + * @param fn > + * @source http://www.dustindiaz.com/rock-solid-addevent/ > + */ > + function addEvent( obj, type, fn ) { > + if (obj.addEventListener) { > + obj.addEventListener( type, fn, false ); > + EventCache.add(obj, type, fn); > + } > + else if (obj.attachEvent) { > + obj["e"+type+fn] = fn; > + obj[type+fn] = function() { obj["e"+type+fn]( window.event ); > } > + obj.attachEvent( "on"+type, obj[type+fn] ); > + EventCache.add(obj, type, fn); > + } > + else { > + obj["on"+type] = obj["e"+type+fn]; > + } > + } > + > + var EventCache = function(){ > + var listEvents = []; > + return { > + listEvents : listEvents, > + add : function(node, sEventName, fHandler){ > + listEvents.push(arguments); > + }, > + flush : function(){ > + var i, item; > + for(i = listEvents.length - 1; i >= 0; i = i - 1){ > + item = listEvents[i]; > + if(item[0].removeEventListener){ > + item[0].removeEventListener(item[1], item[2], > item[3]); > + }; > + if(item[1].substring(0, 2) != "on"){ > + item[1] = "on" + item[1]; > + }; > + if(item[0].detachEvent){ > + item[0].detachEvent(item[1], item[2]); > + }; > + }; > + } > + }; > + }(); > + > + /** string utility functions **/ > + String.prototype.startsWith = function(prefix) { > + return this.indexOf(prefix) === 0; > + }; > + > + String.prototype.endsWith = function(suffix) { > + return this.match(suffix+"$") == suffix; > + }; > + > + /** hook using standards based prototype **/ > + function hijackStandard() { > + XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open; > + XMLHttpRequest.prototype.open = function(method, url, async, > user, pass) { > + this.url = url; > + > + this._open.apply(this, arguments); > + }; > + > + XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send; > + XMLHttpRequest.prototype.send = function(data) { > + if(this.onsend != null) { > + this.onsend.apply(this, arguments); > + } > + > + this._send.apply(this, arguments); > + }; > + } > + > + /** ie does not 
properly support prototype - wrap completely **/ > + function hijackExplorer() { > + var _XMLHttpRequest = window.XMLHttpRequest; > + > + function alloc_XMLHttpRequest() { > + this.base = _XMLHttpRequest ? new _XMLHttpRequest : new > window.ActiveXObject("Microsoft.XMLHTTP"); > + } > + > + function init_XMLHttpRequest() { > + return new alloc_XMLHttpRequest; > + } > + > + init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype; > + > + /** constants **/ > + init_XMLHttpRequest.UNSENT = 0; > + init_XMLHttpRequest.OPENED = 1; > + init_XMLHttpRequest.HEADERS_RECEIVED = 2; > + init_XMLHttpRequest.LOADING = 3; > + init_XMLHttpRequest.DONE = 4; > + > + /** properties **/ > + init_XMLHttpRequest.prototype.status = 0; > + init_XMLHttpRequest.prototype.statusText = ""; > + init_XMLHttpRequest.prototype.readyState = > init_XMLHttpRequest.UNSENT; > + init_XMLHttpRequest.prototype.responseText = ""; > + init_XMLHttpRequest.prototype.responseXML = null; > + init_XMLHttpRequest.prototype.onsend = null; > + > + init_XMLHttpRequest.url = null; > + init_XMLHttpRequest.onreadystatechange = null; > + > + /** methods **/ > + init_XMLHttpRequest.prototype.open = function(method, url, > async, user, pass) { > + var self = this; > + this.url = url; > + > + this.base.onreadystatechange = function() { > + try { self.status = self.base.status; } catch (e) { } > + try { self.statusText = self.base.statusText; } catch (e) > { } > + try { self.readyState = self.base.readyState; } catch (e) > { } > + try { self.responseText = self.base.responseText; } > catch(e) { } > + try { self.responseXML = self.base.responseXML; } > catch(e) { } > + > + if(self.onreadystatechange != null) { > + self.onreadystatechange.apply(this, arguments); > + } > + } > + > + this.base.open(method, url, async, user, pass); > + }; > + > + init_XMLHttpRequest.prototype.send = function(data) { > + if(this.onsend != null) { > + this.onsend.apply(this, arguments); > + } > + > + this.base.send(data); > + }; > + > + 
init_XMLHttpRequest.prototype.abort = function() { > + this.base.abort(); > + }; > + > + init_XMLHttpRequest.prototype.getAllResponseHeaders = function() > { > + return this.base.getAllResponseHeaders(); > + }; > + > + init_XMLHttpRequest.prototype.getResponseHeader = function(name) > { > + return this.base.getResponseHeader(name); > + }; > + > + init_XMLHttpRequest.prototype.setRequestHeader = function(name, > value) { > + return this.base.setRequestHeader(name, value); > + }; > + > + /** hook **/ > + window.XMLHttpRequest = init_XMLHttpRequest; > + } > + > + /** check if valid domain based on domainStrict **/ > + function isValidDomain(current, target) { > + var result = false; > + > + /** check exact or subdomain match **/ > + if(current == target) { > + result = true; > + } else if(%DOMAIN_STRICT% == false) { > + if(target.charAt(0) == '.') { > + result = current.endsWith(target); > + } else { > + result = current.endsWith('.' + target); > + } > + } > + > + return result; > + } > + > + /** determine if uri/url points to valid domain **/ > + function isValidUrl(src) { > + var result = false; > + > + /** parse out domain to make sure it points to our own **/ > + if(src.substring(0, 7) == "http://" || src.substring(0, 8) == > "https://") { > + var token = "://"; > + var index = src.indexOf(token); > + var part = src.substring(index + token.length); > + var domain = ""; > + > + /** parse up to end, first slash, or anchor **/ > + for(var i=0; i<part.length; i++) { > + var character = part.charAt(i); > + > + if(character == '/' || character == ':' || character == > '#') { > + break; > + } else { > + domain += character; > + } > + } > + > + result = isValidDomain(document.domain, domain); > + /** explicitly skip anchors **/ > + } else if(src.charAt(0) == '#') { > + result = false; > + /** ensure it is a local resource without a protocol **/ > + } else if(!src.startsWith("//") && (src.charAt(0) == '/' || > src.indexOf(':') == -1)) { > + result = true; > + } > + > + 
return result; > + } > + > + /** parse uri from url **/ > + function parseUri(url) { > + var uri = ""; > + var token = "://"; > + var index = url.indexOf(token); > + var part = ""; > + > + /** > + * ensure to skip protocol and prepend context path for > non-qualified > + * resources (ex: "protect.html" vs > + * "/Owasp.CsrfGuard.Test/protect.html"). > + */ > + if(index > 0) { > + part = url.substring(index + token.length); > + } else if(url.charAt(0) != '/') { > + part = "%CONTEXT_PATH%/" + url; > + } else { > + part = url; > + } > + > + /** parse up to end or query string **/ > + var uriContext = (index == -1); > + > + for(var i=0; i<part.length; i++) { > + var character = part.charAt(i); > + > + if(character == '/') { > + uriContext = true; > + } else if(uriContext == true && (character == '?' || > character == '#')) { > + uriContext = false; > + break; > + } > + > + if(uriContext == true) { > + uri += character; > + } > + } > + > + return uri; > + } > + > + /** inject tokens as hidden fields into forms **/ > + function injectTokenForm(form, tokenName, tokenValue, > pageTokens,injectGetForms) { > + > + if (!injectGetForms) { > + var method = form.getAttribute("method"); > + > + if ((typeof method != 'undefined') && method != null && > method.toLowerCase() == "get") { > + return; > + } > + } > + > + var value = tokenValue; > + var action = form.getAttribute("action"); > + > + if(action != null && isValidUrl(action)) { > + var uri = parseUri(action); > + value = pageTokens[uri] != null ? 
pageTokens[uri] : > tokenValue; > + } > + > + var hidden = document.createElement("input"); > + > + hidden.setAttribute("type", "hidden"); > + hidden.setAttribute("name", tokenName); > + hidden.setAttribute("value", value); > + > + form.appendChild(hidden); > + } > + > + /** inject tokens as query string parameters into url **/ > + function injectTokenAttribute(element, attr, tokenName, tokenValue, > pageTokens) { > + var location = element.getAttribute(attr); > + > + if(location != null && isValidUrl(location)) { > + var uri = parseUri(location); > + var value = (pageTokens[uri] != null ? pageTokens[uri] : > tokenValue); > + > + if(location.indexOf('?') != -1) { > + location = location + '&' + tokenName + '=' + value; > + } else { > + location = location + '?' + tokenName + '=' + value; > + } > + > + try { > + element.setAttribute(attr, location); > + } catch (e) { > + // attempted to set/update unsupported attribute > + } > + } > + } > + > + /** inject csrf prevention tokens throughout dom **/ > + function injectTokens(tokenName, tokenValue) { > + /** obtain reference to page tokens if enabled **/ > + var pageTokens = {}; > + > + if(%TOKENS_PER_PAGE% == true) { > + pageTokens = requestPageTokens(); > + } > + > + /** iterate over all elements and injection token **/ > + var all = document.all ? 
document.all : > document.getElementsByTagName('*'); > + var len = all.length; > + > + //these are read from the csrf guard config file(s) > + var injectForms = %INJECT_FORMS%; > + var injectGetForms = %INJECT_GET_FORMS%; > + var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%; > + var injectAttributes = %INJECT_ATTRIBUTES%; > + > + for(var i=0; i<len; i++) { > + var element = all[i]; > + > + /** inject into form **/ > + if(element.tagName.toLowerCase() == "form") { > + if(injectForms) { > + injectTokenForm(element, tokenName, tokenValue, > pageTokens,injectGetForms); > + } > + if (injectFormAttributes) { > + injectTokenAttribute(element, "action", tokenName, > tokenValue, pageTokens); > + } > + /** inject into attribute **/ > + } else if(injectAttributes) { > + injectTokenAttribute(element, "src", tokenName, > tokenValue, pageTokens); > + injectTokenAttribute(element, "href", tokenName, > tokenValue, pageTokens); > + } > + } > + } > + > + /** obtain array of page specific tokens **/ > + function requestPageTokens() { > + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new > window.ActiveXObject("Microsoft.XMLHTTP"); > + var pageTokens = {}; > + > + xhr.open("POST", "%SERVLET_PATH%", false); > + xhr.send(null); > + > + var text = xhr.responseText; > + var name = ""; > + var value = ""; > + var nameContext = true; > + > + for(var i=0; i<text.length; i++) { > + var character = text.charAt(i); > + > + if(character == ':') { > + nameContext = false; > + } else if(character != ',') { > + if(nameContext == true) { > + name += character; > + } else { > + value += character; > + } > + } > + > + if(character == ',' || (i + 1) >= text.length) { > + pageTokens[name] = value; > + name = ""; > + value = ""; > + nameContext = true; > + } > + } > + > + return pageTokens; > + } > + > + /** > + * Only inject the tokens if the JavaScript was referenced from HTML > that > + * was served by us. 
Otherwise, the code was referenced from > malicious HTML > + * which may be trying to steal tokens using JavaScript hijacking > techniques. > + * The token is now removed and fetched using another POST request to > solve, > + * the token hijacking problem. > + */ > + if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) { > + /** optionally include Ajax support **/ > + if(%INJECT_XHR% == true) { > + if(navigator.appName == "Microsoft Internet Explorer") { > + hijackExplorer(); > + } else { > + hijackStandard(); > + } > + > + var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new > window.ActiveXObject("Microsoft.XMLHTTP"); > + var csrfToken = {}; > + xhr.open("POST", "%SERVLET_PATH%", false); > + xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1"); > + xhr.send(null); > + > + var token_pair = xhr.responseText; > + token_pair = token_pair.split(":"); > + var token_name = token_pair[0]; > + var token_value = token_pair[1]; > + > + XMLHttpRequest.prototype.onsend = function(data) { > + if(isValidUrl(this.url)) { > + this.setRequestHeader("X-Requested-With", > "XMLHttpRequest") > + this.setRequestHeader(token_name, token_value); > + } > + }; > + } > + > + /** update nodes in DOM after load **/ > + addEvent(window,'unload',EventCache.flush); > + addEvent(window,'DOMContentLoaded', function() { > + injectTokens(token_name, token_value); > + }); > + } else { > + alert("OWASP CSRFGuard JavaScript was included from within an > unauthorized domain!"); > + } > +})(); > > Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.js > ------------------------------------------------------------ > ------------------ > svn:eol-style = native > > Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.js > ------------------------------------------------------------ > ------------------ > svn:keywords = Date Rev Author URL Id > > Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- > 
INF/Owasp.CsrfGuard.js > ------------------------------------------------------------ > ------------------ > svn:mime-type = text/plain > > Added: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.properties > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > product/webapp/catalog/WEB-INF/Owasp.CsrfGuard. > properties?rev=1781366&view=auto > ============================================================ > ================== > --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties > (added) > +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties > Thu Feb 2 10:33:59 2017 
> @@ -0,0 +1,417 @@ > +# The OWASP CSRFGuard Project, BSD License > +# Eric Sheridan ([hidden email]), Copyright (c) 2011 > +# All rights reserved. > +# > +# Redistribution and use in source and binary forms, with or without > +# modification, are permitted provided that the following conditions are > met: > +# > +# 1. Redistributions of source code must retain the above copyright > notice, > +# this list of conditions and the following disclaimer. > +# 2. Redistributions in binary form must reproduce the above copyright > +# notice, this list of conditions and the following disclaimer in the > +# documentation and/or other materials provided with the distribution. > +# 3. Neither the name of OWASP nor the names of its contributors may be > used > +# to endorse or promote products derived from this software without > specific > +# prior written permission. > +# > +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS > IS" > +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, > THE > +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > PURPOSE > +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS > BE LIABLE > +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > CONSEQUENTIAL DAMAGES > +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR > SERVICES; > +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED > AND ON > +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > OF THIS > +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + > +# 
From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/ > csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties > + > +# Common substitutions > +# %servletContext% is the servlet context (e.g. the configured app > prefix or war file name, or blank. > +# e.g. if you deploy a default warfile as someApp.war, then > %servletContext% will be /someApp > +# if there isnt a context it will be the empty string. So to use this in > the configuration, use e.g. %servletContext%/something.html > +# which will translate to e.g. /someApp/something.html > + > +# Logger > +# > +# The logger property (org.owasp.csrfguard.Logger) defines the qualified > class name of > +# the object responsible for processing all log messages produced by > CSRFGuard. The default > +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class > logs all messages > +# to System.out which JavaEE application servers redirect to a vendor > specific log file. > +# Developers can customize the logging behavior of CSRFGuard by > implementing the > +# org.owasp.csrfguard.log.ILogger interface and setting the logger > property to the new > +# logger's qualified class name. The following configuration snippet > instructs OWASP CSRFGuard > +# to capture all log messages to the console: > +# > +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger > +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger > + > +# Which configuration provider factory you want to use. The default is > org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory > +# Another configuration provider has more features including config > overlays: org.owasp.csrfguard.config.overlay. > ConfigurationOverlayProviderFactory > +# The default configuration provider is: org.owasp.csrfguard.config. 
> overlay.ConfigurationAutodetectProviderFactory > +# which will look for an overlay file, it is there, and the factory > inside that file is set it will use it, otherwise will be > PropertiesConfigurationProviderFactory > +# it needs to implement org.owasp.csrfguard.config. > ConfigurationProviderFactory > +org.owasp.csrfguard.configuration.provider.factory = > org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory > + > + > +# If csrfguard filter is enabled > +org.owasp.csrfguard.Enabled = false > + > +# If csrf guard filter should check even if there is no session for the > user > +# Note: this changed around 2014/04, the default behavior used to be to > +# not check if there is no session. If you want the legacy behavior (if > your app > +# is not susceptible to CSRF if the user has no session), set this to > false > +org.owasp.csrfguard.ValidateWhenNoSessionExists = true > + > +# New Token Landing Page > +# > +# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) > defines where > +# to send a user if the token is being generated for the first time, and > the use new token landing > +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) > determines if any redirect happens. > +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not > specified, and to true > +# if it is specified.. If UseNewTokenLandingPage is set true then this > request is generated > +# using auto-posting forms and will only contain the CSRF prevention > token parameter, if > +# applicable. All query-string or form parameters sent with the original > request will be > +# discarded. If this property is not defined, CSRFGuard will instead > auto-post the user to the > +# original context and servlet path. 
The following configuration snippet > instructs OWASP CSRFGuard to > +# redirect the user to %servletContext%/index.html when the user visits a > protected resource > +# without having a corresponding CSRF token present in the HttpSession > object: > +# > +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/* > + > +# Protected Methods > +# > +# The protected methods property (org.owasp.csrfguard.ProtectedMethods) > defines a comma > +# separated list of HTTP request methods that should be protected by > CSRFGuard. The default > +# list is an empty list which will cause all HTTP methods to be > protected, thus preserving > +# legacy behavior. This setting allows the user to inform CSRFGuard that > only requests of the > +# given types should be considered for protection. All HTTP methods not > in the list will be > +# considered safe (i.e. view only / unable to modify data). This should > be used only when the > +# user has concrete knowledge that all requests made via methods not in > the list > +# are safe (i.e. do not apply an action to any data) since it can > actually introduce new > +# security vulnerabilities. For example: the user thinks that all > actionable requests are > +# only available by POST requests when in fact some are available via GET > requests. If the > +# user has excluded GET requests from the list then they have introduced > a vulnerability. > +# The following configuration snippet instructs OWASP CSRFGuard to > protect only the POST, > +# PUT, and DELETE HTTP methods. > +# > +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE > + > +# or you can configure all to be protected, and specify which is > unprotected. This is the preferred approach > + > +# org.owasp.csrfguard.UnprotectedMethods=GET > + > +# Unique Per-Page Tokens > +# > +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) > is a boolean value that > +# determines if CSRFGuard should make use of unique per-page (i.e. 
URI) > prevention tokens as > +# opposed to unique per-session prevention tokens. When a user requests a > protected resource, > +# CSRFGuard will determine if a page specific token has been previously > generated. If a page > +# specific token has not yet been previously generated, CSRFGuard will > verify the request was > +# submitted with the per-session token intact. After verifying the > presence of the per-session token, > +# CSRFGuard will create a page specific token that is required for all > subsequent requests to the > +# associated resource. The per-session CSRF token can only be used when > requesting a resource for > +# the first time. All subsequent requests must have the per-page token > intact or the request will > +# be treated as a CSRF attack. This behavior can be changed with the > org.owasp.csrfguard.TokenPerPagePrecreate > +# property. Enabling this property will make CSRFGuard calculate the per > page token prior to a first > +# visit. This option only works with JSTL token injection and is useful > for preserving the validity of > +# links if the user pushes the back button. There may be a performance > impact when enabling this option > +# if the .jsp has a large number of proctected links that need tokens to > be calculated. > +# Use of the unique token per page property is currently experimental > +# but provides a significant amount of improved security. Consider the > exposure of a CSRF token using > +# the legacy unique per-session model. Exposure of this token facilitates > the attacker's ability to > +# carry out a CSRF attack against the victim's active session for any > resource exposed by the web > +# application. Now consider the exposure of a CSRF token using the > experimental unique token per-page > +# model. Exposure of this token would only allow the attacker to carry > out a CSRF attack against the > +# victim's active session for a small subset of resources exposed by the > web application. 
Use of the > +# unique token per-page property is a strong defense in depth strategy > significantly reducing the > +# impact of exposed CSRF prevention tokens. The following configuration > snippet instructs OWASP > +# CSRFGuard to utilize the unique token per-page model: > +# > +# org.owasp.csrfguard.TokenPerPage=true > +# org.owasp.csrfguard.TokenPerPagePrecreate=false > +org.owasp.csrfguard.TokenPerPage=true > +org.owasp.csrfguard.TokenPerPagePrecreate=false > + > +# Token Rotation > +# > +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean > value that determines if > +# CSRFGuard should generate and utilize a new token after verifying the > previous token. Rotation > +# helps minimize the window of opportunity an attacker has to leverage > the victim's stolen token > +# in a targeted CSRF attack. However, this functionality generally causes > navigation problems in > +# most applications. Specifically, the 'Back' button in the browser will > often cease to function > +# properly. When a user hits the 'Back' button and interacts with the > HTML, the browser may submit > +# an old token causing CSRFGuard to incorrectly believe this request is a > CSRF attack in progress > +# (i.e. a 'false positive'). Users can prevent this scenario by > preventing the caching of HTML pages > +# containing FORM submissions using the cache-control header. However, > this may also introduce > +# performance problems as the browser will have to request HTML on a more > frequent basis. The following > +# configuration snippet enables token rotation: > +# > +# org.owasp.csrfguard.Rotate=true > + > +# Ajax and XMLHttpRequest Support > +# > +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that > indicates whether or not OWASP > +# CSRFGuard should support the injection and verification of unique > per-session prevention tokens for > +# XMLHttpRequests. 
To leverage Ajax support, the user must not only set > this property to true but must > +# also reference the JavaScript DOM Manipulation code using a script > element. This dynamic script will > +# override the send method of the XMLHttpRequest object to ensure the > submission of an X-Requested-With > +# header name value pair coupled with the submission of a custom header > name value pair for each request. > +# The name of the custom header is the value of the token name property > and the value of the header is > +# always the unique per-session token value. This custom header is > analogous to the HTTP parameter name > +# value pairs submitted via traditional GET and POST requests. If the > X-Requested-With header was sent > +# in the HTTP request, then CSRFGuard will look for the presence and > ensure the validity of the unique > +# per-session token in the custom header name value pair. Note that > verification of these headers takes > +# precedence over verification of the CSRF token supplied as an HTTP > parameter. More specifically, > +# CSRFGuard does not verify the presence of the CSRF token if the Ajax > support property is enabled and > +# the corresponding X-Requested-With and custom headers are embedded > within the request. The following > +# configuration snippet instructs OWASP CSRFGuard to support Ajax > requests by verifying the presence and > +# correctness of the X-Requested-With and custom headers: > +# > +# org.owasp.csrfguard.Ajax=true > +org.owasp.csrfguard.Ajax=true > + > +# The default behavior of CSRFGuard is to protect all pages. Pages marked > as unprotected will not be protected. > +# If the Protect property is enabled, this behavior is reversed. Pages > must be marked as protected to be protected. > +# All other pages will not be protected. This is useful when the > CsrfGuardFilter is aggressively mapped (ex: /*), > +# but you only want to protect a few pages. 
> +# > +# org.owasp.csrfguard.Protect=true > + > +# Unprotected Pages: > +# > +# The unprotected pages property (org.owasp.csrfguard.unprotected.*) > defines a series of pages that > +# should not be protected by CSRFGuard. Such configurations are useful > when the CsrfGuardFilter is > +# aggressively mapped (ex: /*). The syntax of the property name is > org.owasp.csrfguard.unprotected.[PageName], > +# where PageName is some arbitrary identifier that can be used to > reference a resource. The syntax of > +# defining the uri of unprotected pages is the same as the syntax used by > the JavaEE container for uri mapping. > +# Specifically, CSRFGuard will identify the first match (if any) between > the requested uri and an unprotected > +# page in order of declaration. Match criteria is as follows: > +# > +# Case 1: exact match between request uri and unprotected page > +# Case 2: longest path prefix match, beginning / and ending /* > +# Case 3: extension match, beginning *. > +# Case 4: if the value starts with ^ and ends with $, it will be > evaulated as a regex. Note that before the > +# regex is compiled, any common variables will be substituted (e.g. > %servletContext%) > +# Default: requested resource must be validated by CSRFGuard > +# > +# The following code snippet illustrates the four use cases over four > examples. The first two examples > +# (Tag and JavaScriptServlet) look for direct URI matches. The third > example (Html) looks for all resources > +# ending in a .html extension. The next example (Public) looks for all > resources prefixed with the URI path /MySite/Public/*. 
> +# The last example looks for resources that end in Public.do > +# > +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp > +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/ > JavaScriptServlet > +# org.owasp.csrfguard.unprotected.Html=*.html > +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/* > +# regex example starts with ^ and ends with $, and the %servletContext% > is evaluated before the regex > +# org.owasp.csrfguard.unprotected.PublicServlet=^% > servletContext%/.*Public\.do$ > + > +#org.owasp.csrfguard.unprotected.Default=%servletContext%/ > +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html > +org.owasp.csrfguard.unprotected.JavaScriptServlet= > %servletContext%/control/JavaScriptServlet > +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html > +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html > +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp > +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html > +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript. > html > +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp > +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp > +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp > +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp > +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico > +org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/* > +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp > + > +# Actions: Responding to Attacks > +# > +# The actions directive (org.owasp.csrfguard.action.*) gives the user the > ability to specify one or more > +# actions that should be invoked when a CSRF attack is detected. 
Every > action must implement the > +# org.owasp.csrfguard.action.IAction interface either directly or > indirectly through the > +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions > accept parameters that can be specified > +# along with the action class declaration. These parameters are consumed > at runtime and impact the behavior of > +# the associated action. > +# > +# The syntax for defining and configuring CSRFGuard actions is relatively > straight forward. Let us assume we wish > +# to redirect the user to a default page when a CSRF attack is detected. > A redirect action already exists within > +# the CSRFGuard bundle and is available via the class name > org.owasp.csrfguard.actions.Redirect. In order to enable > +# this action, we capture the following declaration in the > Owasp.CsrfGuard.properties file: > +# > +# syntax: org.owasp.csrfguard.action.[actionName]=[className] > +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp. > csrfguard.actions.Redirect > +# > +# The aforementioned directive declares an action called "Redirect" (i.e. > [actionName]) referencing the Java class > +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a > CSRF attack is detected, the Redirect action > +# will be executed. You may be asking yourself, "but how do I specify > where the user is redirected?"; this is where > +# action parameters come into play. In order to specify the redirect > location, we capture the following declaration > +# in the Owasp.CsrfGuard.properties file: > +# > +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[ > parameterValue] > +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=% > servletContext%/error.html > +# > +# The aforementioned directive declares an action parameter called > "ErrorPage" (i.e. [parameterName]) with the value > +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action > "Redirect" (i.e. [actionName]). 
The > +# Redirect action expects the "ErrorPage" parameter to be defined and > will redirect the user to this location when > +# an attack is detected. > +# > +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty > +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log > +org.owasp.csrfguard.action.Log.Message=potential cross-site request > forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, > method:%request_method%, uri:%request_uri%, error:%exception_message%) > +#org.owasp.csrfguard.action.Invalidate=org.owasp. > csrfguard.action.Invalidate > +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect > +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html > +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action. > RequestAttribute > +#org.owasp.csrfguard.action.RequestAttribute. > AttributeName=Owasp_CsrfGuard_Exception_Key > +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate > +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action. > SessionAttribute > +org.owasp.csrfguard.action.SessionAttribute. > AttributeName=Owasp_CsrfGuard_Exception_Key > +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error > +#org.owasp.csrfguard.action.Error.Code=403 > +#org.owasp.csrfguard.action.Error.Message=Security violation. > + > +# Token Name > +# > +# The token name property (org.owasp.csrfguard.TokenName) defines the > name of the HTTP parameter > +# to contain the value of the OWASP CSRFGuard token for each request. The > following configuration > +# snippet sets the CSRFGuard token parameter name to the value > OWASP_CSRFTOKEN: > +# > +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN > +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN > + > +# Session Key > +# > +# The session key property (org.owasp.csrfguard.SessionKey) defines the > string literal used to save > +# and lookup the CSRFGuard token from the session. 
This value is used by > the filter and the tag > +# libraries to retrieve and set the token value in the session. > Developers can use this key to > +# programmatically lookup the token within their own code. The following > configuration snippet sets > +# the session key to the value OWASP_CSRFTOKEN: > +# > +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN > +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN > + > +# Token Length > +# > +# The token length property (org.owasp.csrfguard.TokenLength) defines > the number of characters that > +# should be found within the CSRFGuard token. Note that characters are > delimited by dashes (-) in groups > +# of four. For cosmetic reasons, users are encourage to ensure the token > length is divisible by four. > +# The following configuration snippet sets the token length property to > 32 characters: > +# > +# org.owasp.csrfguard.TokenLength=32 > +org.owasp.csrfguard.TokenLength=32 > + > +# Pseudo-random Number Generator > +# > +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) > defines what PRNG should be used > +# to generate the OWASP CSRFGuard token. Always ensure this value > references a cryptographically strong > +# pseudo-random number generator algorithm. The following configuration > snippet sets the pseudo-random number > +# generator to SHA1PRNG: > +# > +# org.owasp.csrfguard.PRNG=SHA1PRNG > +org.owasp.csrfguard.PRNG=SHA1PRNG > + > +# Pseudo-random Number Generator Provider > + > +# The pseudo-random number generator provider property > (org.owasp.csrfguard.PRNG.Provider) defines which > +# provider's implementation of org.owasp.csrfguard.PRNG we should > utilize. 
The following configuration > +# snippet instructs the JVM to leverage SUN's implementation of the > algorithm denoted by the > +# org.owasp.csrfguard.PRNG property: > + > +# org.owasp.csrfguard.PRNG.Provider=SUN > +org.owasp.csrfguard.PRNG.Provider=SUN > + > +# If not specifying the print config option in the web.xml, you can > specify it here, to print the config > +# on startup > +org.owasp.csrfguard.Config.Print = true > + > +########################### > +## Javascript servlet settings if not set in web.xml > +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection > +########################### > + > +# leave this blank and blank in web.xml and it will read from > META-INF/csrfguard.js from the jarfile > +# Denotes the location of the JavaScript template file that should be > consumed and dynamically > +# augmented by the JavaScriptServlet class. The default value is > WEB-INF/Owasp.CsrfGuard.js. > +# Use of this property and the existence of the specified template file > is required. > +#org.owasp.csrfguard.JavascriptServlet.sourceFile = > WEB-INF/Owasp.CsrfGuard.js > +org.owasp.csrfguard.JavascriptServlet.sourceFile = > WEB-INF/Owasp.CsrfGuard.js > + > +# Boolean value that determines whether or not the dynamic JavaScript > code should be strict > +# with regards to what links it should inject the CSRF prevention token. > With a value of true, > +# the JavaScript code will only place the token in links that point to > the same exact domain > +# from which the HTML originated. With a value of false, the JavaScript > code will place the > +# token in links that not only point to the same exact domain from which > the HTML originated, > +# but sub-domains as well. > +org.owasp.csrfguard.JavascriptServlet.domainStrict = true > + > +# Allows the developer to specify the value of the Cache-Control header > in the HTTP response > +# when serving the dynamic JavaScript file. The default value is private, > maxage=28800. 
> +# Caching of the dynamic JavaScript file is intended to minimize traffic > and improve performance. > +# Note that the Cache-Control header is always set to "no-store" when > either the "Rotate" > +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties. > +org.owasp.csrfguard.JavascriptServlet.cacheControl = private, > maxage=28800 > + > +# Allows the developer to specify a regular expression describing the > required value of the > +# Referer header. Any attempts to access the servlet with a Referer > header that does not > +# match the captured expression is discarded. Inclusion of referer header > checking is to > +# help minimize the risk of JavaScript Hijacking attacks that attempt to > steal tokens from > +# the dynamically generated JavaScript. While the primary defenses > against JavaScript > +# Hijacking attacks are implemented within the dynamic JavaScript itself, > referer header > +# checking is implemented to achieve defense in depth. > +org.owasp.csrfguard.JavascriptServlet.refererPattern = .* > + > +# Similar to javascript servlet referer pattern, but this will make sure > the referer of the > +# javascript servlet matches the domain of the request. If there is no > referer (proxy strips it?) > +# then it will not fail. Generally this is a good idea to be true. > +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true > + > +# Boolean value that determines whether or not the dynamic JavaScript > code should > +# inject the CSRF prevention token as a hidden field into HTML forms. The > default > +# value is true. Developers are strongly discouraged from disabling this > property > +# as most server-side state changing actions are triggered via a POST > request. 
> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true > + > +# if the token should be injected in GET forms (which will be on the URL) > +# if the HTTP method GET is unprotected, then this should likely be false > +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true > + > +# if the token should be injected in the action in forms > +# note, if injectIntoForms is true, then this might not need to be true > +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true > + > + > +# Boolean value that determines whether or not the dynamic JavaScript > code should > +# inject the CSRF prevention token in the query string of src and href > attributes. > +# Injecting the CSRF prevention token in a URL resource increases its > general risk > +# of exposure to unauthorized parties. However, most JavaEE web > applications respond > +# in the exact same manner to HTTP requests and their associated > parameters regardless > +# of the HTTP method. The risk associated with not protecting GET > requests in this > +# situation is perceived greater than the risk of exposing the token in > protected GET > +# requests. As a result, the default value of this attribute is set to > true. Developers > +# that are confident their server-side state changing controllers will > only respond to > +# POST requests (i.e. discarding GET requests) are strongly encouraged to > disable this property. 
> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true > + > + > +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard > Project > + > +########################### > +## Config overlay settings if you have the provider above set to > ConfigurationOverlayProvider > +## This CSRF config provider uses Internet2 Configuration Overlays > (documented on Internet2 wiki) > +## By default the configuration is read from the > Owasp.CsrfGuard.properties > +## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties > overlays > +## the base settings. See the Owasp.CsrfGuard.properties for the possible > +## settings that can be applied to the Owasp.CsrfGuard.overlay.properties > +########################### > + > +# comma separated config files that override each other (files on the > right override the left) > +# each should start with file: or classpath: > +# e.g. classpath:Owasp.CsrfGuard.properties, > file:c:/temp/myFile.properties > +org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, > classpath:Owasp.CsrfGuard.overlay.properties > + > +# seconds between checking to see if the config files are updated > +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60 > + > + > +########################### > + > > Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.properties > ------------------------------------------------------------ > ------------------ > svn:eol-style = native > > Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.properties > ------------------------------------------------------------ > ------------------ > svn:keywords = Date Rev Author URL Id > > Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- > INF/Owasp.CsrfGuard.properties > ------------------------------------------------------------ > ------------------ > svn:mime-type = text/plain > > > |
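Review bot: the key org.owasp.csrfguard.unprotected.Session is assigned twice among the active lines of the added Owasp.CsrfGuard.properties, once as %servletContext%/favicon.ico and once as %servletContext%/control/login/*; in a Java properties file the later value replaces the earlier one, so the favicon entry is silently dropped and favicon.ico stays protected. Give each unprotected page its own [PageName], as the comment block above those lines prescribes, e.g. org.owasp.csrfguard.unprotected.Favicon=%servletContext%/favicon.ico and org.owasp.csrfguard.unprotected.Login=%servletContext%/control/login/*. The same file sets org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*, but that property is a single URL the user is sent to when no token is in the session, not a mapping pattern, so the trailing /* does not belong there, and the comment above it still describes the upstream index.html default.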
Hello Pranay,
Jacques reverted it just after; he did not commit it on purpose.

Regards,

Gil

On 02/02/2017 at 13:52, Pranay Pandey wrote:
> ??
>
> Log:
> Implemented:
> Improved:
> Documented:
> Completed:
> Reverted:
> Fixed:
> (OFBIZ-)
> Explanation
> Thanks:
>
> Best regards,
>
> Pranay Pandey
> HotWax Systems
> http://www.hotwaxsystems.com/
>
> On Thu, Feb 2, 2017 at 4:03 PM, <[hidden email]> wrote:
>
>> Author: jleroux
>> Date: Thu Feb 2 10:33:59 2017
>> New Revision: 1781366
>>
>> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
>> Log:
>> Implemented:
>> Improved:
>> Documented:
>> Completed:
>> Reverted:
>> Fixed:
>> (OFBIZ-)
>> Explanation
>> Thanks:
>>
>> Added:
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>> (with props)
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>> (with props)
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller -
>> Copie.xml (with props)
>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
>> Copie.xml (with props)
>> ofbiz/trunk/framework/webapp/config/requestHandler -
>> Copie.properties (with props)
>> ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with props)
>> Modified:
>> ofbiz/trunk/applications/content/widget/compdoc/
>> CompDocTemplateTree.xml
>> ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>> ofbiz/trunk/applications/product/template/Main.ftl
>> ofbiz/trunk/applications/product/template/store/
>> EditProductStoreWebSites.ftl
>> ofbiz/trunk/framework/base/src/main/java/org/apache/
>> ofbiz/base/util/template/FreeMarkerWorker.java
>> ofbiz/trunk/framework/minilang/src/main/java/org/
>> apache/ofbiz/minilang/method/entityops/EntityOne.java
>> ofbiz/trunk/framework/widget/dtd/widget-common.xsd
>> ofbiz/trunk/framework/widget/src/main/java/org/apache/
>> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>>
>> Modified: ofbiz/trunk/applications/content/widget/compdoc/
>> CompDocTemplateTree.xml
>>
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> content/widget/compdoc/CompDocTemplateTree.xml?rev= >> 1781366&r1=1781365&r2=1781366&view=diff >> ============================================================ >> ================== >> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml >> (original) >> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml >> Thu Feb 2 10:33:59 2017 >> @@ -22,7 +22,7 @@ under the License. >> <tree name="CompDocTemplateTree" entity-name="Content" >> root-node-name="node-root" >> default-render-style="simple" default-wrap-style="treeWrapper"> >> <node name="node-root" wrap-style="treeWrapper"> >> - <entity-one entity-name="Content" use-cache="false"> >> + <entity-one entity-name="Content" value-field="content" >> use-cache="false"> >> <field-map field-name="contentId" >> from-field="rootContentId"/> >> </entity-one> >> <include-screen name="rootTemplateLine" >> location="component://content/widget/compdoc/CompDocScreens.xml"/> >> @@ -54,7 +54,7 @@ under the License. >> </sub-node> >> </node> >> <node name="node-body" join-field-name="itemContentId" >> entity-name="AssocRevisionItemView" wrap-style="treeWrapper"> >> - <entity-one entity-name="Content" use-cache="false"> >> + <entity-one entity-name="Content" value-field="content" >> use-cache="false"> >> <field-map field-name="contentId" >> from-field="itemContentId"/> >> </entity-one> >> <include-screen name="childTemplateLine" >> location="component://content/widget/compdoc/CompDocScreens.xml"/> 
>> @@ -90,7 +90,7 @@ under the License. >> <tree name="CompDocInstanceTree" entity-name="Content" >> root-node-name="node-root" >> default-render-style="simple" default-wrap-style="treeWrapper"> >> <node name="node-root"> >> - <entity-one entity-name="Content" use-cache="false"> >> + <entity-one entity-name="Content" value-field="content" >> use-cache="false"> >> <field-map field-name="contentId" >> from-field="instanceContent.instanceOfContentId"/> >> </entity-one> >> <include-screen name="rootInstanceLine" >> location="component://content/widget/compdoc/CompDocScreens.xml"/> >> @@ -122,7 +122,7 @@ under the License. >> </sub-node> >> </node> >> <node name="node-body" join-field-name="itemContentId" >> entity-name="AssocRevisionItemView"> >> - <entity-one entity-name="Content" use-cache="false"> >> + <entity-one entity-name="Content" value-field="content" >> use-cache="false"> >> <field-map field-name="contentId" >> from-field="itemContentId"/> >> </entity-one> >> <include-screen name="childInstanceLine" >> location="component://content/widget/compdoc/CompDocScreens.xml"/> >> >> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> content/widget/content/ContentForms.xml?rev=1781366& >> r1=1781365&r2=1781366&view=diff >> ============================================================ >> ================== >> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml >> (original) >> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu >> Feb 2 10:33:59 2017 
>> @@ -230,9 +230,9 @@ under the License. >> </form> >> <!-- ContentAssoc forms --> >> <form name="EditContentAssoc" target="updateContentAssoc" title="" >> type="single" >> - header-row-style="header-row" default-table-style="basic-table"> >> + header-row-style="header-row" default-table-style="basic-table" >> default-entity-name="contentAssocX"> >> <actions> >> - <entity-one entity-name="ContentAssoc" use-cache="true"> >> + <entity-one entity-name="ContentAssoc" use-cache="true" >> value-field="contentAssoc"> >> <field-map field-name="contentId" from-field="contentId"/> >> <field-map field-name="contentIdTo" >> from-field="contentIdTo"/> >> <field-map field-name="contentAssocTypeId" from-field=" >> contentAssocTypeId"/> >> >> Modified: ofbiz/trunk/applications/product/template/Main.ftl >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff >> ============================================================ >> ================== >> --- ofbiz/trunk/applications/product/template/Main.ftl (original) >> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2 >> 10:33:59 2017 
>> @@ -29,6 +29,8 @@ under the License. >> </form> >> <div class="label">${uiLabelMap.CommonOr}: <a href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>" >> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div> >> <br /> >> +<p>Output format: ${.output_format} >> +<p>Auto-escaping: ${.auto_esc?c} >> <div class="label">${uiLabelMap.ProductEditCategoryWithCategor >> yId}:</div> >> <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>" >> style="margin: 0;" name="EditCategoryForm"> >> <@htmlTemplate.lookupField name="productCategoryId" >> id="productCategoryId" formName="EditCategoryForm" fieldFormName=" >> LookupProductCategory"/> >> >> Modified: ofbiz/trunk/applications/product/template/store/ >> EditProductStoreWebSites.ftl >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> product/template/store/EditProductStoreWebSites.ftl? >> rev=1781366&r1=1781365&r2=1781366&view=diff >> ============================================================ >> ================== >> --- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl >> (original) >> +++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl >> Thu Feb 2 10:33:59 2017 
>> @@ -37,12 +37,7 @@ under the License. >> <td>${webSite.httpHost?default(' ')}</td> >> <td>${webSite.httpPort?default(' ')}</td> >> <td align="center"> >> - <a href="javascript:document. >> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${ >> uiLabelMap.CommonDelete}</a> >> - <form name="storeUpdateWebSite_${webSite_index}" >> method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>"> >> - <input type="hidden" name="viewProductStoreId" >> value="${productStoreId}"/> >> - <input type="hidden" name="productStoreId" >> value=""/> >> - <input type="hidden" name="webSiteId" >> value="${webSite.webSiteId}"/> >> - </form> >> + <a href="<@ofbizUrl>storeUpdateWebSite? >> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${ >> webSite.webSiteId}</@ofbizUrl>" class="buttontext">${ >> uiLabelMap.CommonDelete}</a> >> </td> >> </tr> >> <#-- toggle the row color --> >> >> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.js >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto >> ============================================================ >> ================== >> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js >> (added) >> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js >> Thu Feb 2 10:33:59 2017 
>> @@ -0,0 +1,447 @@ >> +/** >> + * The OWASP CSRFGuard Project, BSD License >> + * Eric Sheridan ([hidden email]), Copyright (c) 2011 >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions are >> met: >> + * >> + * 1. Redistributions of source code must retain the above copyright >> notice, >> + * this list of conditions and the following disclaimer. >> + * 2. Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> the >> + * documentation and/or other materials provided with the >> distribution. >> + * 3. Neither the name of OWASP nor the names of its contributors may >> be used >> + * to endorse or promote products derived from this software >> without specific >> + * prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> "AS IS" >> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >> THE >> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >> PURPOSE >> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS >> BE LIABLE >> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >> CONSEQUENTIAL DAMAGES >> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR >> SERVICES; >> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER >> CAUSED AND ON >> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> OF THIS >> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> +(function() { >> + /** >> + * Code to ensure our event always gets triggered when the DOM is >> updated. 
>> + * @param obj >> + * @param type >> + * @param fn >> + * @source http://www.dustindiaz.com/rock-solid-addevent/ >> + */ >> + function addEvent( obj, type, fn ) { >> + if (obj.addEventListener) { >> + obj.addEventListener( type, fn, false ); >> + EventCache.add(obj, type, fn); >> + } >> + else if (obj.attachEvent) { >> + obj["e"+type+fn] = fn; >> + obj[type+fn] = function() { obj["e"+type+fn]( window.event ); >> } >> + obj.attachEvent( "on"+type, obj[type+fn] ); >> + EventCache.add(obj, type, fn); >> + } >> + else { >> + obj["on"+type] = obj["e"+type+fn]; >> + } >> + } >> + >> + var EventCache = function(){ >> + var listEvents = []; >> + return { >> + listEvents : listEvents, >> + add : function(node, sEventName, fHandler){ >> + listEvents.push(arguments); >> + }, >> + flush : function(){ >> + var i, item; >> + for(i = listEvents.length - 1; i >= 0; i = i - 1){ >> + item = listEvents[i]; >> + if(item[0].removeEventListener){ >> + item[0].removeEventListener(item[1], item[2], >> item[3]); >> + }; >> + if(item[1].substring(0, 2) != "on"){ >> + item[1] = "on" + item[1]; >> + }; >> + if(item[0].detachEvent){ >> + item[0].detachEvent(item[1], item[2]); >> + }; >> + }; >> + } >> + }; >> + }(); >> + >> + /** string utility functions **/ >> + String.prototype.startsWith = function(prefix) { >> + return this.indexOf(prefix) === 0; >> + }; >> + >> + String.prototype.endsWith = function(suffix) { >> + return this.match(suffix+"$") == suffix; >> + }; >> + >> + /** hook using standards based prototype **/ >> + function hijackStandard() { >> + XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open; >> + XMLHttpRequest.prototype.open = function(method, url, async, >> user, pass) { >> + this.url = url; >> + >> + this._open.apply(this, arguments); >> + }; >> + >> + XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send; >> + XMLHttpRequest.prototype.send = function(data) { >> + if(this.onsend != null) { >> + this.onsend.apply(this, arguments); >> + } >> + >> + 
this._send.apply(this, arguments); >> + }; >> + } >> + >> + /** ie does not properly support prototype - wrap completely **/ >> + function hijackExplorer() { >> + var _XMLHttpRequest = window.XMLHttpRequest; >> + >> + function alloc_XMLHttpRequest() { >> + this.base = _XMLHttpRequest ? new _XMLHttpRequest : new >> window.ActiveXObject("Microsoft.XMLHTTP"); >> + } >> + >> + function init_XMLHttpRequest() { >> + return new alloc_XMLHttpRequest; >> + } >> + >> + init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype; >> + >> + /** constants **/ >> + init_XMLHttpRequest.UNSENT = 0; >> + init_XMLHttpRequest.OPENED = 1; >> + init_XMLHttpRequest.HEADERS_RECEIVED = 2; >> + init_XMLHttpRequest.LOADING = 3; >> + init_XMLHttpRequest.DONE = 4; >> + >> + /** properties **/ >> + init_XMLHttpRequest.prototype.status = 0; >> + init_XMLHttpRequest.prototype.statusText = ""; >> + init_XMLHttpRequest.prototype.readyState = >> init_XMLHttpRequest.UNSENT; >> + init_XMLHttpRequest.prototype.responseText = ""; >> + init_XMLHttpRequest.prototype.responseXML = null; >> + init_XMLHttpRequest.prototype.onsend = null; >> + >> + init_XMLHttpRequest.url = null; >> + init_XMLHttpRequest.onreadystatechange = null; >> + >> + /** methods **/ >> + init_XMLHttpRequest.prototype.open = function(method, url, >> async, user, pass) { >> + var self = this; >> + this.url = url; >> + >> + this.base.onreadystatechange = function() { >> + try { self.status = self.base.status; } catch (e) { } >> + try { self.statusText = self.base.statusText; } catch (e) >> { } >> + try { self.readyState = self.base.readyState; } catch (e) >> { } >> + try { self.responseText = self.base.responseText; } >> catch(e) { } >> + try { self.responseXML = self.base.responseXML; } >> catch(e) { } >> + >> + if(self.onreadystatechange != null) { >> + self.onreadystatechange.apply(this, arguments); >> + } >> + } >> + >> + this.base.open(method, url, async, user, pass); >> + }; >> + >> + init_XMLHttpRequest.prototype.send = 
function(data) { >> + if(this.onsend != null) { >> + this.onsend.apply(this, arguments); >> + } >> + >> + this.base.send(data); >> + }; >> + >> + init_XMLHttpRequest.prototype.abort = function() { >> + this.base.abort(); >> + }; >> + >> + init_XMLHttpRequest.prototype.getAllResponseHeaders = function() >> { >> + return this.base.getAllResponseHeaders(); >> + }; >> + >> + init_XMLHttpRequest.prototype.getResponseHeader = function(name) >> { >> + return this.base.getResponseHeader(name); >> + }; >> + >> + init_XMLHttpRequest.prototype.setRequestHeader = function(name, >> value) { >> + return this.base.setRequestHeader(name, value); >> + }; >> + >> + /** hook **/ >> + window.XMLHttpRequest = init_XMLHttpRequest; >> + } >> + >> + /** check if valid domain based on domainStrict **/ >> + function isValidDomain(current, target) { >> + var result = false; >> + >> + /** check exact or subdomain match **/ >> + if(current == target) { >> + result = true; >> + } else if(%DOMAIN_STRICT% == false) { >> + if(target.charAt(0) == '.') { >> + result = current.endsWith(target); >> + } else { >> + result = current.endsWith('.' 
+ target); >> + } >> + } >> + >> + return result; >> + } >> + >> + /** determine if uri/url points to valid domain **/ >> + function isValidUrl(src) { >> + var result = false; >> + >> + /** parse out domain to make sure it points to our own **/ >> + if(src.substring(0, 7) == "http://" || src.substring(0, 8) == >> "https://") { >> + var token = "://"; >> + var index = src.indexOf(token); >> + var part = src.substring(index + token.length); >> + var domain = ""; >> + >> + /** parse up to end, first slash, or anchor **/ >> + for(var i=0; i<part.length; i++) { >> + var character = part.charAt(i); >> + >> + if(character == '/' || character == ':' || character == >> '#') { >> + break; >> + } else { >> + domain += character; >> + } >> + } >> + >> + result = isValidDomain(document.domain, domain); >> + /** explicitly skip anchors **/ >> + } else if(src.charAt(0) == '#') { >> + result = false; >> + /** ensure it is a local resource without a protocol **/ >> + } else if(!src.startsWith("//") && (src.charAt(0) == '/' || >> src.indexOf(':') == -1)) { >> + result = true; >> + } >> + >> + return result; >> + } >> + >> + /** parse uri from url **/ >> + function parseUri(url) { >> + var uri = ""; >> + var token = "://"; >> + var index = url.indexOf(token); >> + var part = ""; >> + >> + /** >> + * ensure to skip protocol and prepend context path for >> non-qualified >> + * resources (ex: "protect.html" vs >> + * "/Owasp.CsrfGuard.Test/protect.html"). >> + */ >> + if(index > 0) { >> + part = url.substring(index + token.length); >> + } else if(url.charAt(0) != '/') { >> + part = "%CONTEXT_PATH%/" + url; >> + } else { >> + part = url; >> + } >> + >> + /** parse up to end or query string **/ >> + var uriContext = (index == -1); >> + >> + for(var i=0; i<part.length; i++) { >> + var character = part.charAt(i); >> + >> + if(character == '/') { >> + uriContext = true; >> + } else if(uriContext == true && (character == '?' 
|| >> character == '#')) { >> + uriContext = false; >> + break; >> + } >> + >> + if(uriContext == true) { >> + uri += character; >> + } >> + } >> + >> + return uri; >> + } >> + >> + /** inject tokens as hidden fields into forms **/ >> + function injectTokenForm(form, tokenName, tokenValue, >> pageTokens,injectGetForms) { >> + >> + if (!injectGetForms) { >> + var method = form.getAttribute("method"); >> + >> + if ((typeof method != 'undefined') && method != null && >> method.toLowerCase() == "get") { >> + return; >> + } >> + } >> + >> + var value = tokenValue; >> + var action = form.getAttribute("action"); >> + >> + if(action != null && isValidUrl(action)) { >> + var uri = parseUri(action); >> + value = pageTokens[uri] != null ? pageTokens[uri] : >> tokenValue; >> + } >> + >> + var hidden = document.createElement("input"); >> + >> + hidden.setAttribute("type", "hidden"); >> + hidden.setAttribute("name", tokenName); >> + hidden.setAttribute("value", value); >> + >> + form.appendChild(hidden); >> + } >> + >> + /** inject tokens as query string parameters into url **/ >> + function injectTokenAttribute(element, attr, tokenName, tokenValue, >> pageTokens) { >> + var location = element.getAttribute(attr); >> + >> + if(location != null && isValidUrl(location)) { >> + var uri = parseUri(location); >> + var value = (pageTokens[uri] != null ? pageTokens[uri] : >> tokenValue); >> + >> + if(location.indexOf('?') != -1) { >> + location = location + '&' + tokenName + '=' + value; >> + } else { >> + location = location + '?' 
+ tokenName + '=' + value; >> + } >> + >> + try { >> + element.setAttribute(attr, location); >> + } catch (e) { >> + // attempted to set/update unsupported attribute >> + } >> + } >> + } >> + >> + /** inject csrf prevention tokens throughout dom **/ >> + function injectTokens(tokenName, tokenValue) { >> + /** obtain reference to page tokens if enabled **/ >> + var pageTokens = {}; >> + >> + if(%TOKENS_PER_PAGE% == true) { >> + pageTokens = requestPageTokens(); >> + } >> + >> + /** iterate over all elements and injection token **/ >> + var all = document.all ? document.all : >> document.getElementsByTagName('*'); >> + var len = all.length; >> + >> + //these are read from the csrf guard config file(s) >> + var injectForms = %INJECT_FORMS%; >> + var injectGetForms = %INJECT_GET_FORMS%; >> + var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%; >> + var injectAttributes = %INJECT_ATTRIBUTES%; >> + >> + for(var i=0; i<len; i++) { >> + var element = all[i]; >> + >> + /** inject into form **/ >> + if(element.tagName.toLowerCase() == "form") { >> + if(injectForms) { >> + injectTokenForm(element, tokenName, tokenValue, >> pageTokens,injectGetForms); >> + } >> + if (injectFormAttributes) { >> + injectTokenAttribute(element, "action", tokenName, >> tokenValue, pageTokens); >> + } >> + /** inject into attribute **/ >> + } else if(injectAttributes) { >> + injectTokenAttribute(element, "src", tokenName, >> tokenValue, pageTokens); >> + injectTokenAttribute(element, "href", tokenName, >> tokenValue, pageTokens); >> + } >> + } >> + } >> + >> + /** obtain array of page specific tokens **/ >> + function requestPageTokens() { >> + var xhr = window.XMLHttpRequest ? 
new window.XMLHttpRequest : new >> window.ActiveXObject("Microsoft.XMLHTTP"); >> + var pageTokens = {}; >> + >> + xhr.open("POST", "%SERVLET_PATH%", false); >> + xhr.send(null); >> + >> + var text = xhr.responseText; >> + var name = ""; >> + var value = ""; >> + var nameContext = true; >> + >> + for(var i=0; i<text.length; i++) { >> + var character = text.charAt(i); >> + >> + if(character == ':') { >> + nameContext = false; >> + } else if(character != ',') { >> + if(nameContext == true) { >> + name += character; >> + } else { >> + value += character; >> + } >> + } >> + >> + if(character == ',' || (i + 1) >= text.length) { >> + pageTokens[name] = value; >> + name = ""; >> + value = ""; >> + nameContext = true; >> + } >> + } >> + >> + return pageTokens; >> + } >> + >> + /** >> + * Only inject the tokens if the JavaScript was referenced from HTML >> that >> + * was served by us. Otherwise, the code was referenced from >> malicious HTML >> + * which may be trying to steal tokens using JavaScript hijacking >> techniques. >> + * The token is now removed and fetched using another POST request to >> solve, >> + * the token hijacking problem. >> + */ >> + if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) { >> + /** optionally include Ajax support **/ >> + if(%INJECT_XHR% == true) { >> + if(navigator.appName == "Microsoft Internet Explorer") { >> + hijackExplorer(); >> + } else { >> + hijackStandard(); >> + } >> + >> + var xhr = window.XMLHttpRequest ? 
new window.XMLHttpRequest : new >> window.ActiveXObject("Microsoft.XMLHTTP"); >> + var csrfToken = {}; >> + xhr.open("POST", "%SERVLET_PATH%", false); >> + xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1"); >> + xhr.send(null); >> + >> + var token_pair = xhr.responseText; >> + token_pair = token_pair.split(":"); >> + var token_name = token_pair[0]; >> + var token_value = token_pair[1]; >> + >> + XMLHttpRequest.prototype.onsend = function(data) { >> + if(isValidUrl(this.url)) { >> + this.setRequestHeader("X-Requested-With", >> "XMLHttpRequest") >> + this.setRequestHeader(token_name, token_value); >> + } >> + }; >> + } >> + >> + /** update nodes in DOM after load **/ >> + addEvent(window,'unload',EventCache.flush); >> + addEvent(window,'DOMContentLoaded', function() { >> + injectTokens(token_name, token_value); >> + }); >> + } else { >> + alert("OWASP CSRFGuard JavaScript was included from within an >> unauthorized domain!"); >> + } >> +})(); >> >> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.js >> ------------------------------------------------------------ >> ------------------ >> svn:eol-style = native >> >> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.js >> ------------------------------------------------------------ >> ------------------ >> svn:keywords = Date Rev Author URL Id >> >> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.js >> ------------------------------------------------------------ >> ------------------ >> svn:mime-type = text/plain >> >> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.properties >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard. 
>> properties?rev=1781366&view=auto >> ============================================================ >> ================== >> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties >> (added) >> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties >> Thu Feb 2 10:33:59 2017 
>> @@ -0,0 +1,417 @@ >> +# The OWASP CSRFGuard Project, BSD License >> +# Eric Sheridan ([hidden email]), Copyright (c) 2011 >> +# All rights reserved. >> +# >> +# Redistribution and use in source and binary forms, with or without >> +# modification, are permitted provided that the following conditions are >> met: >> +# >> +# 1. Redistributions of source code must retain the above copyright >> notice, >> +# this list of conditions and the following disclaimer. >> +# 2. Redistributions in binary form must reproduce the above copyright >> +# notice, this list of conditions and the following disclaimer in the >> +# documentation and/or other materials provided with the distribution. >> +# 3. Neither the name of OWASP nor the names of its contributors may be >> used >> +# to endorse or promote products derived from this software without >> specific >> +# prior written permission. >> +# >> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS >> IS" >> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >> THE >> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >> PURPOSE >> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS >> BE LIABLE >> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >> CONSEQUENTIAL DAMAGES >> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR >> SERVICES; >> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED >> AND ON >> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> OF THIS >> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + >> +# 
From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/ >> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties >> + >> +# Common substitutions >> +# %servletContext% is the servlet context (e.g. the configured app >> prefix or war file name, or blank. >> +# e.g. if you deploy a default warfile as someApp.war, then >> %servletContext% will be /someApp >> +# if there isnt a context it will be the empty string. So to use this in >> the configuration, use e.g. %servletContext%/something.html >> +# which will translate to e.g. /someApp/something.html >> + >> +# Logger >> +# >> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified >> class name of >> +# the object responsible for processing all log messages produced by >> CSRFGuard. The default >> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class >> logs all messages >> +# to System.out which JavaEE application servers redirect to a vendor >> specific log file. >> +# Developers can customize the logging behavior of CSRFGuard by >> implementing the >> +# org.owasp.csrfguard.log.ILogger interface and setting the logger >> property to the new >> +# logger's qualified class name. The following configuration snippet >> instructs OWASP CSRFGuard >> +# to capture all log messages to the console: >> +# >> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger >> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger >> + >> +# Which configuration provider factory you want to use. The default is >> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory >> +# Another configuration provider has more features including config >> overlays: org.owasp.csrfguard.config.overlay. >> ConfigurationOverlayProviderFactory >> +# The default configuration provider is: org.owasp.csrfguard.config. 
>> overlay.ConfigurationAutodetectProviderFactory >> +# which will look for an overlay file, it is there, and the factory >> inside that file is set it will use it, otherwise will be >> PropertiesConfigurationProviderFactory >> +# it needs to implement org.owasp.csrfguard.config. >> ConfigurationProviderFactory >> +org.owasp.csrfguard.configuration.provider.factory = >> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory >> + >> + >> +# If csrfguard filter is enabled >> +org.owasp.csrfguard.Enabled = false >> + >> +# If csrf guard filter should check even if there is no session for the >> user >> +# Note: this changed around 2014/04, the default behavior used to be to >> +# not check if there is no session. If you want the legacy behavior (if >> your app >> +# is not susceptible to CSRF if the user has no session), set this to >> false >> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true >> + >> +# New Token Landing Page >> +# >> +# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) >> defines where >> +# to send a user if the token is being generated for the first time, and >> the use new token landing >> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) >> determines if any redirect happens. >> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not >> specified, and to true >> +# if it is specified.. If UseNewTokenLandingPage is set true then this >> request is generated >> +# using auto-posting forms and will only contain the CSRF prevention >> token parameter, if >> +# applicable. All query-string or form parameters sent with the original >> request will be >> +# discarded. If this property is not defined, CSRFGuard will instead >> auto-post the user to the >> +# original context and servlet path. 
The following configuration snippet >> instructs OWASP CSRFGuard to >> +# redirect the user to %servletContext%/index.html when the user visits a >> protected resource >> +# without having a corresponding CSRF token present in the HttpSession >> object: >> +# >> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/* >> + >> +# Protected Methods >> +# >> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods) >> defines a comma >> +# separated list of HTTP request methods that should be protected by >> CSRFGuard. The default >> +# list is an empty list which will cause all HTTP methods to be >> protected, thus preserving >> +# legacy behavior. This setting allows the user to inform CSRFGuard that >> only requests of the >> +# given types should be considered for protection. All HTTP methods not >> in the list will be >> +# considered safe (i.e. view only / unable to modify data). This should >> be used only when the >> +# user has concrete knowledge that all requests made via methods not in >> the list >> +# are safe (i.e. do not apply an action to any data) since it can >> actually introduce new >> +# security vulnerabilities. For example: the user thinks that all >> actionable requests are >> +# only available by POST requests when in fact some are available via GET >> requests. If the >> +# user has excluded GET requests from the list then they have introduced >> a vulnerability. >> +# The following configuration snippet instructs OWASP CSRFGuard to >> protect only the POST, >> +# PUT, and DELETE HTTP methods. >> +# >> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE >> + >> +# or you can configure all to be protected, and specify which is >> unprotected. 
This is the preferred approach >> + >> +# org.owasp.csrfguard.UnprotectedMethods=GET >> + >> +# Unique Per-Page Tokens >> +# >> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) >> is a boolean value that >> +# determines if CSRFGuard should make use of unique per-page (i.e. URI) >> prevention tokens as >> +# opposed to unique per-session prevention tokens. When a user requests a >> protected resource, >> +# CSRFGuard will determine if a page specific token has been previously >> generated. If a page >> +# specific token has not yet been previously generated, CSRFGuard will >> verify the request was >> +# submitted with the per-session token intact. After verifying the >> presence of the per-session token, >> +# CSRFGuard will create a page specific token that is required for all >> subsequent requests to the >> +# associated resource. The per-session CSRF token can only be used when >> requesting a resource for >> +# the first time. All subsequent requests must have the per-page token >> intact or the request will >> +# be treated as a CSRF attack. This behavior can be changed with the >> org.owasp.csrfguard.TokenPerPagePrecreate >> +# property. Enabling this property will make CSRFGuard calculate the per >> page token prior to a first >> +# visit. This option only works with JSTL token injection and is useful >> for preserving the validity of >> +# links if the user pushes the back button. There may be a performance >> impact when enabling this option >> +# if the .jsp has a large number of proctected links that need tokens to >> be calculated. >> +# Use of the unique token per page property is currently experimental >> +# but provides a significant amount of improved security. Consider the >> exposure of a CSRF token using >> +# the legacy unique per-session model. 
Exposure of this token facilitates >> the attacker's ability to >> +# carry out a CSRF attack against the victim's active session for any >> resource exposed by the web >> +# application. Now consider the exposure of a CSRF token using the >> experimental unique token per-page >> +# model. Exposure of this token would only allow the attacker to carry >> out a CSRF attack against the >> +# victim's active session for a small subset of resources exposed by the >> web application. Use of the >> +# unique token per-page property is a strong defense in depth strategy >> significantly reducing the >> +# impact of exposed CSRF prevention tokens. The following configuration >> snippet instructs OWASP >> +# CSRFGuard to utilize the unique token per-page model: >> +# >> +# org.owasp.csrfguard.TokenPerPage=true >> +# org.owasp.csrfguard.TokenPerPagePrecreate=false >> +org.owasp.csrfguard.TokenPerPage=true >> +org.owasp.csrfguard.TokenPerPagePrecreate=false >> + >> +# Token Rotation >> +# >> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean >> value that determines if >> +# CSRFGuard should generate and utilize a new token after verifying the >> previous token. Rotation >> +# helps minimize the window of opportunity an attacker has to leverage >> the victim's stolen token >> +# in a targeted CSRF attack. However, this functionality generally causes >> navigation problems in >> +# most applications. Specifically, the 'Back' button in the browser will >> often cease to function >> +# properly. When a user hits the 'Back' button and interacts with the >> HTML, the browser may submit >> +# an old token causing CSRFGuard to incorrectly believe this request is a >> CSRF attack in progress >> +# (i.e. a 'false positive'). Users can prevent this scenario by >> preventing the caching of HTML pages >> +# containing FORM submissions using the cache-control header. 
However, >> this may also introduce >> +# performance problems as the browser will have to request HTML on a more >> frequent basis. The following >> +# configuration snippet enables token rotation: >> +# >> +# org.owasp.csrfguard.Rotate=true >> + >> +# Ajax and XMLHttpRequest Support >> +# >> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that >> indicates whether or not OWASP >> +# CSRFGuard should support the injection and verification of unique >> per-session prevention tokens for >> +# XMLHttpRequests. To leverage Ajax support, the user must not only set >> this property to true but must >> +# also reference the JavaScript DOM Manipulation code using a script >> element. This dynamic script will >> +# override the send method of the XMLHttpRequest object to ensure the >> submission of an X-Requested-With >> +# header name value pair coupled with the submission of a custom header >> name value pair for each request. >> +# The name of the custom header is the value of the token name property >> and the value of the header is >> +# always the unique per-session token value. This custom header is >> analogous to the HTTP parameter name >> +# value pairs submitted via traditional GET and POST requests. If the >> X-Requested-With header was sent >> +# in the HTTP request, then CSRFGuard will look for the presence and >> ensure the validity of the unique >> +# per-session token in the custom header name value pair. Note that >> verification of these headers takes >> +# precedence over verification of the CSRF token supplied as an HTTP >> parameter. More specifically, >> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax >> support property is enabled and >> +# the corresponding X-Requested-With and custom headers are embedded >> within the request. 
The following >> +# configuration snippet instructs OWASP CSRFGuard to support Ajax >> requests by verifying the presence and >> +# correctness of the X-Requested-With and custom headers: >> +# >> +# org.owasp.csrfguard.Ajax=true >> +org.owasp.csrfguard.Ajax=true >> + >> +# The default behavior of CSRFGuard is to protect all pages. Pages marked >> as unprotected will not be protected. >> +# If the Protect property is enabled, this behavior is reversed. Pages >> must be marked as protected to be protected. >> +# All other pages will not be protected. This is useful when the >> CsrfGuardFilter is aggressively mapped (ex: /*), >> +# but you only want to protect a few pages. >> +# >> +# org.owasp.csrfguard.Protect=true >> + >> +# Unprotected Pages: >> +# >> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*) >> defines a series of pages that >> +# should not be protected by CSRFGuard. Such configurations are useful >> when the CsrfGuardFilter is >> +# aggressively mapped (ex: /*). The syntax of the property name is >> org.owasp.csrfguard.unprotected.[PageName], >> +# where PageName is some arbitrary identifier that can be used to >> reference a resource. The syntax of >> +# defining the uri of unprotected pages is the same as the syntax used by >> the JavaEE container for uri mapping. >> +# Specifically, CSRFGuard will identify the first match (if any) between >> the requested uri and an unprotected >> +# page in order of declaration. Match criteria is as follows: >> +# >> +# Case 1: exact match between request uri and unprotected page >> +# Case 2: longest path prefix match, beginning / and ending /* >> +# Case 3: extension match, beginning *. >> +# Case 4: if the value starts with ^ and ends with $, it will be >> evaulated as a regex. Note that before the >> +# regex is compiled, any common variables will be substituted (e.g. 
>> %servletContext%) >> +# Default: requested resource must be validated by CSRFGuard >> +# >> +# The following code snippet illustrates the four use cases over four >> examples. The first two examples >> +# (Tag and JavaScriptServlet) look for direct URI matches. The third >> example (Html) looks for all resources >> +# ending in a .html extension. The next example (Public) looks for all >> resources prefixed with the URI path /MySite/Public/*. >> +# The last example looks for resources that end in Public.do >> +# >> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp >> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/ >> JavaScriptServlet >> +# org.owasp.csrfguard.unprotected.Html=*.html >> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/* >> +# regex example starts with ^ and ends with $, and the %servletContext% >> is evaluated before the regex >> +# org.owasp.csrfguard.unprotected.PublicServlet=^% >> servletContext%/.*Public\.do$ >> + >> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/ >> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html >> +org.owasp.csrfguard.unprotected.JavaScriptServlet= >> %servletContext%/control/JavaScriptServlet >> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html >> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html >> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp >> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html >> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript. 
>> html >> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp >> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp >> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp >> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp >> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico >> +org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/* >> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp >> + >> +# Actions: Responding to Attacks >> +# >> +# The actions directive (org.owasp.csrfguard.action.*) gives the user the >> ability to specify one or more >> +# actions that should be invoked when a CSRF attack is detected. Every >> action must implement the >> +# org.owasp.csrfguard.action.IAction interface either directly or >> indirectly through the >> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions >> accept parameters that can be specified >> +# along with the action class declaration. These parameters are consumed >> at runtime and impact the behavior of >> +# the associated action. >> +# >> +# The syntax for defining and configuring CSRFGuard actions is relatively >> straight forward. Let us assume we wish >> +# to redirect the user to a default page when a CSRF attack is detected. >> A redirect action already exists within >> +# the CSRFGuard bundle and is available via the class name >> org.owasp.csrfguard.actions.Redirect. In order to enable >> +# this action, we capture the following declaration in the >> Owasp.CsrfGuard.properties file: >> +# >> +# syntax: org.owasp.csrfguard.action.[actionName]=[className] >> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp. >> csrfguard.actions.Redirect >> +# >> +# The aforementioned directive declares an action called "Redirect" (i.e. >> [actionName]) referencing the Java class >> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). 
Anytime a >> CSRF attack is detected, the Redirect action >> +# will be executed. You may be asking yourself, "but how do I specify >> where the user is redirected?"; this is where >> +# action parameters come into play. In order to specify the redirect >> location, we capture the following declaration >> +# in the Owasp.CsrfGuard.properties file: >> +# >> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[ >> parameterValue] >> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=% >> servletContext%/error.html >> +# >> +# The aforementioned directive declares an action parameter called >> "ErrorPage" (i.e. [parameterName]) with the value >> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action >> "Redirect" (i.e. [actionName]). The >> +# Redirect action expects the "ErrorPage" parameter to be defined and >> will redirect the user to this location when >> +# an attack is detected. >> +# >> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty >> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log >> +org.owasp.csrfguard.action.Log.Message=potential cross-site request >> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, >> method:%request_method%, uri:%request_uri%, error:%exception_message%) >> +#org.owasp.csrfguard.action.Invalidate=org.owasp. >> csrfguard.action.Invalidate >> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect >> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html >> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action. >> RequestAttribute >> +#org.owasp.csrfguard.action.RequestAttribute. >> AttributeName=Owasp_CsrfGuard_Exception_Key >> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate >> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action. >> SessionAttribute >> +org.owasp.csrfguard.action.SessionAttribute. 
>> AttributeName=Owasp_CsrfGuard_Exception_Key >> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error >> +#org.owasp.csrfguard.action.Error.Code=403 >> +#org.owasp.csrfguard.action.Error.Message=Security violation. >> + >> +# Token Name >> +# >> +# The token name property (org.owasp.csrfguard.TokenName) defines the >> name of the HTTP parameter >> +# to contain the value of the OWASP CSRFGuard token for each request. The >> following configuration >> +# snippet sets the CSRFGuard token parameter name to the value >> OWASP_CSRFTOKEN: >> +# >> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN >> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN >> + >> +# Session Key >> +# >> +# The session key property (org.owasp.csrfguard.SessionKey) defines the >> string literal used to save >> +# and lookup the CSRFGuard token from the session. This value is used by >> the filter and the tag >> +# libraries to retrieve and set the token value in the session. >> Developers can use this key to >> +# programmatically lookup the token within their own code. The following >> configuration snippet sets >> +# the session key to the value OWASP_CSRFTOKEN: >> +# >> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN >> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN >> + >> +# Token Length >> +# >> +# The token length property (org.owasp.csrfguard.TokenLength) defines >> the number of characters that >> +# should be found within the CSRFGuard token. Note that characters are >> delimited by dashes (-) in groups >> +# of four. For cosmetic reasons, users are encourage to ensure the token >> length is divisible by four. 
>> +# The following configuration snippet sets the token length property to >> 32 characters: >> +# >> +# org.owasp.csrfguard.TokenLength=32 >> +org.owasp.csrfguard.TokenLength=32 >> + >> +# Pseudo-random Number Generator >> +# >> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) >> defines what PRNG should be used >> +# to generate the OWASP CSRFGuard token. Always ensure this value >> references a cryptographically strong >> +# pseudo-random number generator algorithm. The following configuration >> snippet sets the pseudo-random number >> +# generator to SHA1PRNG: >> +# >> +# org.owasp.csrfguard.PRNG=SHA1PRNG >> +org.owasp.csrfguard.PRNG=SHA1PRNG >> + >> +# Pseudo-random Number Generator Provider >> + >> +# The pseudo-random number generator provider property >> (org.owasp.csrfguard.PRNG.Provider) defines which >> +# provider's implementation of org.owasp.csrfguard.PRNG we should >> utilize. The following configuration >> +# snippet instructs the JVM to leverage SUN's implementation of the >> algorithm denoted by the >> +# org.owasp.csrfguard.PRNG property: >> + >> +# org.owasp.csrfguard.PRNG.Provider=SUN >> +org.owasp.csrfguard.PRNG.Provider=SUN >> + >> +# If not specifying the print config option in the web.xml, you can >> specify it here, to print the config >> +# on startup >> +org.owasp.csrfguard.Config.Print = true >> + >> +########################### >> +## Javascript servlet settings if not set in web.xml >> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection >> +########################### >> + >> +# leave this blank and blank in web.xml and it will read from >> META-INF/csrfguard.js from the jarfile >> +# Denotes the location of the JavaScript template file that should be >> consumed and dynamically >> +# augmented by the JavaScriptServlet class. The default value is >> WEB-INF/Owasp.CsrfGuard.js. >> +# Use of this property and the existence of the specified template file >> is required. 
>> +#org.owasp.csrfguard.JavascriptServlet.sourceFile = >> WEB-INF/Owasp.CsrfGuard.js >> +org.owasp.csrfguard.JavascriptServlet.sourceFile = >> WEB-INF/Owasp.CsrfGuard.js >> + >> +# Boolean value that determines whether or not the dynamic JavaScript >> code should be strict >> +# with regards to what links it should inject the CSRF prevention token. >> With a value of true, >> +# the JavaScript code will only place the token in links that point to >> the same exact domain >> +# from which the HTML originated. With a value of false, the JavaScript >> code will place the >> +# token in links that not only point to the same exact domain from which >> the HTML originated, >> +# but sub-domains as well. >> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true >> + >> +# Allows the developer to specify the value of the Cache-Control header >> in the HTTP response >> +# when serving the dynamic JavaScript file. The default value is private, >> maxage=28800. >> +# Caching of the dynamic JavaScript file is intended to minimize traffic >> and improve performance. >> +# Note that the Cache-Control header is always set to "no-store" when >> either the "Rotate" >> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties. >> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private, >> maxage=28800 >> + >> +# Allows the developer to specify a regular expression describing the >> required value of the >> +# Referer header. Any attempts to access the servlet with a Referer >> header that does not >> +# match the captured expression is discarded. Inclusion of referer header >> checking is to >> +# help minimize the risk of JavaScript Hijacking attacks that attempt to >> steal tokens from >> +# the dynamically generated JavaScript. While the primary defenses >> against JavaScript >> +# Hijacking attacks are implemented within the dynamic JavaScript itself, >> referer header >> +# checking is implemented to achieve defense in depth. 
>> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .* >> + >> +# Similar to javascript servlet referer pattern, but this will make sure >> the referer of the >> +# javascript servlet matches the domain of the request. If there is no >> referer (proxy strips it?) >> +# then it will not fail. Generally this is a good idea to be true. >> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true >> + >> +# Boolean value that determines whether or not the dynamic JavaScript >> code should >> +# inject the CSRF prevention token as a hidden field into HTML forms. The >> default >> +# value is true. Developers are strongly discouraged from disabling this >> property >> +# as most server-side state changing actions are triggered via a POST >> request. >> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true >> + >> +# if the token should be injected in GET forms (which will be on the URL) >> +# if the HTTP method GET is unprotected, then this should likely be false >> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true >> + >> +# if the token should be injected in the action in forms >> +# note, if injectIntoForms is true, then this might not need to be true >> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true >> + >> + >> +# Boolean value that determines whether or not the dynamic JavaScript >> code should >> +# inject the CSRF prevention token in the query string of src and href >> attributes. >> +# Injecting the CSRF prevention token in a URL resource increases its >> general risk >> +# of exposure to unauthorized parties. However, most JavaEE web >> applications respond >> +# in the exact same manner to HTTP requests and their associated >> parameters regardless >> +# of the HTTP method. The risk associated with not protecting GET >> requests in this >> +# situation is perceived greater than the risk of exposing the token in >> protected GET >> +# requests. 
As a result, the default value of this attribute is set to >> true. Developers >> +# that are confident their server-side state changing controllers will >> only respond to >> +# POST requests (i.e. discarding GET requests) are strongly encouraged to >> disable this property. >> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true >> + >> + >> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard >> Project >> + >> +########################### >> +## Config overlay settings if you have the provider above set to >> ConfigurationOverlayProvider >> +## This CSRF config provider uses Internet2 Configuration Overlays >> (documented on Internet2 wiki) >> +## By default the configuration is read from the >> Owasp.CsrfGuard.properties >> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties >> overlays >> +## the base settings. See the Owasp.CsrfGuard.properties for the possible >> +## settings that can be applied to the Owasp.CsrfGuard.overlay.properties >> +########################### >> + >> +# comma separated config files that override each other (files on the >> right override the left) >> +# each should start with file: or classpath: >> +# e.g. 
>> classpath:Owasp.CsrfGuard.properties, >> file:c:/temp/myFile.properties >> +org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, >> classpath:Owasp.CsrfGuard.overlay.properties >> + >> +# seconds between checking to see if the config files are updated >> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60 >> + >> + >> +########################### >> + >> >> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.properties >> ------------------------------------------------------------ >> ------------------ >> svn:eol-style = native >> >> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.properties >> ------------------------------------------------------------ >> ------------------ >> svn:keywords = Date Rev Author URL Id >> >> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >> INF/Owasp.CsrfGuard.properties >> ------------------------------------------------------------ >> ------------------ >> svn:mime-type = text/plain >> >>
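Review bot: `org.owasp.csrfguard.JavascriptServlet.refererPattern = .*` in Owasp.CsrfGuard.properties accepts any Referer, so the defense-in-depth check described in the comment right above it never rejects a request; only `refererMatchDomain = true` still does any work. Either tighten the pattern to the origin(s) the catalog webapp is actually served from, or drop the property and document that the domain match is the only referer check. Two more settings deserve a second look before this is re-committed: `injectGetForms = true` together with `injectIntoAttributes = true` puts the token into GET URLs (form actions, `href`, `src`), and the file's own comment says to turn these off when state-changing controllers accept POST only, which is the posture the rest of the framework should keep rather than loosen (see the `storeUpdateWebSite` link change in the same commit); and `org.owasp.csrfguard.PRNG=SHA1PRNG` pinned to `org.owasp.csrfguard.PRNG.Provider=SUN` makes startup depend on a provider that not every JVM ships, so leaving the provider unset and letting `SecureRandom` choose is more portable. Also, the Propchange paths show the file lives under `applications/product/webapp/catalog/WEB-INF/`, so only the catalog webapp is covered; if the protection is meant to be framework-wide, the configuration belongs with the shared webapp config rather than inside one application.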
Thanks Gil.
Best regards, Pranay Pandey HotWax Systems http://www.hotwaxsystems.com/ On Thu, Feb 2, 2017 at 6:28 PM, gil portenseigne < [hidden email]> wrote: > Hello Pranay, > > Jacques reverted it just after; he did not commit it on purpose. > > Regards, > > Gil > > > > On 02/02/2017 at 13:52, Pranay Pandey wrote: > >> ?? >> >> Log: >> Implemented: >> Improved: >> Documented: >> Completed: >> Reverted: >> Fixed: >> (OFBIZ-) >> Explanation >> Thanks: >> >> Best regards, >> >> Pranay Pandey >> HotWax Systems >> http://www.hotwaxsystems.com/ >> >> On Thu, Feb 2, 2017 at 4:03 PM, <[hidden email]> wrote: >> >> Author: jleroux >>> Date: Thu Feb 2 10:33:59 2017 >>> New Revision: 1781366 >>> >>> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev >>> Log: >>> Implemented: >>> Improved: >>> Documented: >>> Completed: >>> Reverted: >>> Fixed: >>> (OFBIZ-) >>> Explanation >>> Thanks: >>> >>> Added: >>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/ >>> Owasp.CsrfGuard.js >>> (with props) >>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/ >>> Owasp.CsrfGuard.properties >>> (with props) >>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller >>> - >>> Copie.xml (with props) >>> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web - >>> Copie.xml (with props) >>> ofbiz/trunk/framework/webapp/config/requestHandler - >>> Copie.properties (with props) >>> ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl (with >>> props) >>> Modified: >>> ofbiz/trunk/applications/content/widget/compdoc/ >>> CompDocTemplateTree.xml >>> ofbiz/trunk/applications/content/widget/content/ContentForms.xml >>> ofbiz/trunk/applications/product/template/Main.ftl >>> ofbiz/trunk/applications/product/template/store/ >>> EditProductStoreWebSites.ftl >>> ofbiz/trunk/framework/base/src/main/java/org/apache/ >>> ofbiz/base/util/template/FreeMarkerWorker.java >>> ofbiz/trunk/framework/minilang/src/main/java/org/ >>> apache/ofbiz/minilang/method/entityops/EntityOne.java
>>> ofbiz/trunk/framework/widget/dtd/widget-common.xsd >>> ofbiz/trunk/framework/widget/src/main/java/org/apache/ >>> ofbiz/widget/renderer/macro/MacroFormRenderer.java >>> >>> Modified: ofbiz/trunk/applications/content/widget/compdoc/ >>> CompDocTemplateTree.xml >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> content/widget/compdoc/CompDocTemplateTree.xml?rev= >>> 1781366&r1=1781365&r2=1781366&view=diff >>> ============================================================ >>> ================== >>> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTempl >>> ateTree.xml >>> (original) >>> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTempl >>> ateTree.xml >>> Thu Feb 2 10:33:59 2017 >>> @@ -22,7 +22,7 @@ under the License. >>> <tree name="CompDocTemplateTree" entity-name="Content" >>> root-node-name="node-root" >>> default-render-style="simple" default-wrap-style="treeWrappe >>> r"> >>> <node name="node-root" wrap-style="treeWrapper"> >>> - <entity-one entity-name="Content" use-cache="false"> >>> + <entity-one entity-name="Content" value-field="content" >>> use-cache="false"> >>> <field-map field-name="contentId" >>> from-field="rootContentId"/> >>> </entity-one> >>> <include-screen name="rootTemplateLine" >>> location="component://content/widget/compdoc/CompDocScreens.xml"/> >>> @@ -54,7 +54,7 @@ under the License. >>> </sub-node> >>> </node> >>> <node name="node-body" join-field-name="itemContentId" >>> entity-name="AssocRevisionItemView" wrap-style="treeWrapper"> >>> - <entity-one entity-name="Content" use-cache="false"> >>> + <entity-one entity-name="Content" value-field="content" >>> use-cache="false"> >>> <field-map field-name="contentId" >>> from-field="itemContentId"/> >>> </entity-one> >>> <include-screen name="childTemplateLine" >>> location="component://content/widget/compdoc/CompDocScreens.xml"/> 
>>> @@ -90,7 +90,7 @@ under the License. >>> <tree name="CompDocInstanceTree" entity-name="Content" >>> root-node-name="node-root" >>> default-render-style="simple" default-wrap-style="treeWrappe >>> r"> >>> <node name="node-root"> >>> - <entity-one entity-name="Content" use-cache="false"> >>> + <entity-one entity-name="Content" value-field="content" >>> use-cache="false"> >>> <field-map field-name="contentId" >>> from-field="instanceContent.instanceOfContentId"/> >>> </entity-one> >>> <include-screen name="rootInstanceLine" >>> location="component://content/widget/compdoc/CompDocScreens.xml"/> >>> @@ -122,7 +122,7 @@ under the License. >>> </sub-node> >>> </node> >>> <node name="node-body" join-field-name="itemContentId" >>> entity-name="AssocRevisionItemView"> >>> - <entity-one entity-name="Content" use-cache="false"> >>> + <entity-one entity-name="Content" value-field="content" >>> use-cache="false"> >>> <field-map field-name="contentId" >>> from-field="itemContentId"/> >>> </entity-one> >>> <include-screen name="childInstanceLine" >>> location="component://content/widget/compdoc/CompDocScreens.xml"/> >>> >>> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms >>> .xml >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> content/widget/content/ContentForms.xml?rev=1781366& >>> r1=1781365&r2=1781366&view=diff >>> ============================================================ >>> ================== >>> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml >>> (original) >>> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu >>> Feb 2 10:33:59 2017 
>>> @@ -230,9 +230,9 @@ under the License. >>> </form> >>> <!-- ContentAssoc forms --> >>> <form name="EditContentAssoc" target="updateContentAssoc" title="" >>> type="single" >>> - header-row-style="header-row" default-table-style="basic-tab >>> le"> >>> + header-row-style="header-row" default-table-style="basic-table" >>> default-entity-name="contentAssocX"> >>> <actions> >>> - <entity-one entity-name="ContentAssoc" use-cache="true"> >>> + <entity-one entity-name="ContentAssoc" use-cache="true" >>> value-field="contentAssoc"> >>> <field-map field-name="contentId" >>> from-field="contentId"/> >>> <field-map field-name="contentIdTo" >>> from-field="contentIdTo"/> >>> <field-map field-name="contentAssocTypeId" >>> from-field=" >>> contentAssocTypeId"/> >>> >>> Modified: ofbiz/trunk/applications/product/template/Main.ftl >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff >>> ============================================================ >>> ================== >>> --- ofbiz/trunk/applications/product/template/Main.ftl (original) >>> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb 2 >>> 10:33:59 2017 
>>> @@ -29,6 +29,8 @@ under the License. >>> </form> >>> <div class="label">${uiLabelMap.CommonOr}: <a >>> href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>" >>> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div> >>> <br /> >>> +<p>Output format: ${.output_format} >>> +<p>Auto-escaping: ${.auto_esc?c} >>> <div class="label">${uiLabelMap.ProductEditCategoryWithCategor >>> yId}:</div> >>> <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>" >>> style="margin: 0;" name="EditCategoryForm"> >>> <@htmlTemplate.lookupField name="productCategoryId" >>> id="productCategoryId" formName="EditCategoryForm" fieldFormName=" >>> LookupProductCategory"/> >>> >>> Modified: ofbiz/trunk/applications/product/template/store/ >>> EditProductStoreWebSites.ftl >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> product/template/store/EditProductStoreWebSites.ftl? >>> rev=1781366&r1=1781365&r2=1781366&view=diff >>> ============================================================ >>> ================== >>> --- ofbiz/trunk/applications/product/template/store/EditProductS >>> toreWebSites.ftl >>> (original) >>> +++ ofbiz/trunk/applications/product/template/store/EditProductS >>> toreWebSites.ftl >>> Thu Feb 2 10:33:59 2017 
>>> @@ -37,12 +37,7 @@ under the License. >>> <td>${webSite.httpHost?default(' ')}</td> >>> <td>${webSite.httpPort?default(' ')}</td> >>> <td align="center"> >>> - <a href="javascript:document. >>> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${ >>> uiLabelMap.CommonDelete}</a> >>> - <form name="storeUpdateWebSite_${webSite_index}" >>> method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>"> >>> - <input type="hidden" name="viewProductStoreId" >>> value="${productStoreId}"/> >>> - <input type="hidden" name="productStoreId" >>> value=""/> >>> - <input type="hidden" name="webSiteId" >>> value="${webSite.webSiteId}"/> >>> - </form> >>> + <a href="<@ofbizUrl>storeUpdateWebSite? >>> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${ >>> webSite.webSiteId}</@ofbizUrl>" class="buttontext">${ >>> uiLabelMap.CommonDelete}</a> >>> </td> >>> </tr> >>> <#-- toggle the row color --> >>> >>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.js >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto >>> ============================================================ >>> ================== >>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/ >>> Owasp.CsrfGuard.js >>> (added) >>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/ >>> Owasp.CsrfGuard.js >>> Thu Feb 2 10:33:59 2017 
>>> @@ -0,0 +1,447 @@ >>> +/** >>> + * The OWASP CSRFGuard Project, BSD License >>> + * Eric Sheridan ([hidden email]), Copyright (c) 2011 >>> + * All rights reserved. >>> + * >>> + * Redistribution and use in source and binary forms, with or without >>> + * modification, are permitted provided that the following conditions >>> are >>> met: >>> + * >>> + * 1. Redistributions of source code must retain the above copyright >>> notice, >>> + * this list of conditions and the following disclaimer. >>> + * 2. Redistributions in binary form must reproduce the above >>> copyright >>> + * notice, this list of conditions and the following disclaimer in >>> the >>> + * documentation and/or other materials provided with the >>> distribution. >>> + * 3. Neither the name of OWASP nor the names of its contributors may >>> be used >>> + * to endorse or promote products derived from this software >>> without specific >>> + * prior written permission. >>> + * >>> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >>> "AS IS" >>> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >>> THE >>> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >>> PURPOSE >>> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR >>> CONTRIBUTORS >>> BE LIABLE >>> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >>> CONSEQUENTIAL DAMAGES >>> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR >>> SERVICES; >>> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER >>> CAUSED AND ON >>> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR >>> TORT >>> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >>> OF THIS >>> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >>> + */ >>> +(function() { >>> + /** >>> + * Code to ensure our event always gets triggered when the DOM is >>> updated. 
>>> + * @param obj >>> + * @param type >>> + * @param fn >>> + * @source http://www.dustindiaz.com/rock-solid-addevent/ >>> + */ >>> + function addEvent( obj, type, fn ) { >>> + if (obj.addEventListener) { >>> + obj.addEventListener( type, fn, false ); >>> + EventCache.add(obj, type, fn); >>> + } >>> + else if (obj.attachEvent) { >>> + obj["e"+type+fn] = fn; >>> + obj[type+fn] = function() { obj["e"+type+fn]( window.event >>> ); >>> } >>> + obj.attachEvent( "on"+type, obj[type+fn] ); >>> + EventCache.add(obj, type, fn); >>> + } >>> + else { >>> + obj["on"+type] = obj["e"+type+fn]; >>> + } >>> + } >>> + >>> + var EventCache = function(){ >>> + var listEvents = []; >>> + return { >>> + listEvents : listEvents, >>> + add : function(node, sEventName, fHandler){ >>> + listEvents.push(arguments); >>> + }, >>> + flush : function(){ >>> + var i, item; >>> + for(i = listEvents.length - 1; i >= 0; i = i - 1){ >>> + item = listEvents[i]; >>> + if(item[0].removeEventListener){ >>> + item[0].removeEventListener(item[1], item[2], >>> item[3]); >>> + }; >>> + if(item[1].substring(0, 2) != "on"){ >>> + item[1] = "on" + item[1]; >>> + }; >>> + if(item[0].detachEvent){ >>> + item[0].detachEvent(item[1], item[2]); >>> + }; >>> + }; >>> + } >>> + }; >>> + }(); >>> + >>> + /** string utility functions **/ >>> + String.prototype.startsWith = function(prefix) { >>> + return this.indexOf(prefix) === 0; >>> + }; >>> + >>> + String.prototype.endsWith = function(suffix) { >>> + return this.match(suffix+"$") == suffix; >>> + }; >>> + >>> + /** hook using standards based prototype **/ >>> + function hijackStandard() { >>> + XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open; >>> + XMLHttpRequest.prototype.open = function(method, url, async, >>> user, pass) { >>> + this.url = url; >>> + >>> + this._open.apply(this, arguments); >>> + }; >>> + >>> + XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send; >>> + XMLHttpRequest.prototype.send = function(data) { >>> + 
if(this.onsend != null) { >>> + this.onsend.apply(this, arguments); >>> + } >>> + >>> + this._send.apply(this, arguments); >>> + }; >>> + } >>> + >>> + /** ie does not properly support prototype - wrap completely **/ >>> + function hijackExplorer() { >>> + var _XMLHttpRequest = window.XMLHttpRequest; >>> + >>> + function alloc_XMLHttpRequest() { >>> + this.base = _XMLHttpRequest ? new _XMLHttpRequest : new >>> window.ActiveXObject("Microsoft.XMLHTTP"); >>> + } >>> + >>> + function init_XMLHttpRequest() { >>> + return new alloc_XMLHttpRequest; >>> + } >>> + >>> + init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype; >>> + >>> + /** constants **/ >>> + init_XMLHttpRequest.UNSENT = 0; >>> + init_XMLHttpRequest.OPENED = 1; >>> + init_XMLHttpRequest.HEADERS_RECEIVED = 2; >>> + init_XMLHttpRequest.LOADING = 3; >>> + init_XMLHttpRequest.DONE = 4; >>> + >>> + /** properties **/ >>> + init_XMLHttpRequest.prototype.status = 0; >>> + init_XMLHttpRequest.prototype.statusText = ""; >>> + init_XMLHttpRequest.prototype.readyState = >>> init_XMLHttpRequest.UNSENT; >>> + init_XMLHttpRequest.prototype.responseText = ""; >>> + init_XMLHttpRequest.prototype.responseXML = null; >>> + init_XMLHttpRequest.prototype.onsend = null; >>> + >>> + init_XMLHttpRequest.url = null; >>> + init_XMLHttpRequest.onreadystatechange = null; >>> + >>> + /** methods **/ >>> + init_XMLHttpRequest.prototype.open = function(method, url, >>> async, user, pass) { >>> + var self = this; >>> + this.url = url; >>> + >>> + this.base.onreadystatechange = function() { >>> + try { self.status = self.base.status; } catch (e) { } >>> + try { self.statusText = self.base.statusText; } catch >>> (e) >>> { } >>> + try { self.readyState = self.base.readyState; } catch >>> (e) >>> { } >>> + try { self.responseText = self.base.responseText; } >>> catch(e) { } >>> + try { self.responseXML = self.base.responseXML; } >>> catch(e) { } >>> + >>> + if(self.onreadystatechange != null) { >>> + 
self.onreadystatechange.apply(this, arguments); >>> + } >>> + } >>> + >>> + this.base.open(method, url, async, user, pass); >>> + }; >>> + >>> + init_XMLHttpRequest.prototype.send = function(data) { >>> + if(this.onsend != null) { >>> + this.onsend.apply(this, arguments); >>> + } >>> + >>> + this.base.send(data); >>> + }; >>> + >>> + init_XMLHttpRequest.prototype.abort = function() { >>> + this.base.abort(); >>> + }; >>> + >>> + init_XMLHttpRequest.prototype.getAllResponseHeaders = >>> function() >>> { >>> + return this.base.getAllResponseHeaders(); >>> + }; >>> + >>> + init_XMLHttpRequest.prototype.getResponseHeader = >>> function(name) >>> { >>> + return this.base.getResponseHeader(name); >>> + }; >>> + >>> + init_XMLHttpRequest.prototype.setRequestHeader = function(name, >>> value) { >>> + return this.base.setRequestHeader(name, value); >>> + }; >>> + >>> + /** hook **/ >>> + window.XMLHttpRequest = init_XMLHttpRequest; >>> + } >>> + >>> + /** check if valid domain based on domainStrict **/ >>> + function isValidDomain(current, target) { >>> + var result = false; >>> + >>> + /** check exact or subdomain match **/ >>> + if(current == target) { >>> + result = true; >>> + } else if(%DOMAIN_STRICT% == false) { >>> + if(target.charAt(0) == '.') { >>> + result = current.endsWith(target); >>> + } else { >>> + result = current.endsWith('.' 
+ target); >>> + } >>> + } >>> + >>> + return result; >>> + } >>> + >>> + /** determine if uri/url points to valid domain **/ >>> + function isValidUrl(src) { >>> + var result = false; >>> + >>> + /** parse out domain to make sure it points to our own **/ >>> + if(src.substring(0, 7) == "http://" || src.substring(0, 8) == >>> "https://") { >>> + var token = "://"; >>> + var index = src.indexOf(token); >>> + var part = src.substring(index + token.length); >>> + var domain = ""; >>> + >>> + /** parse up to end, first slash, or anchor **/ >>> + for(var i=0; i<part.length; i++) { >>> + var character = part.charAt(i); >>> + >>> + if(character == '/' || character == ':' || character == >>> '#') { >>> + break; >>> + } else { >>> + domain += character; >>> + } >>> + } >>> + >>> + result = isValidDomain(document.domain, domain); >>> + /** explicitly skip anchors **/ >>> + } else if(src.charAt(0) == '#') { >>> + result = false; >>> + /** ensure it is a local resource without a protocol **/ >>> + } else if(!src.startsWith("//") && (src.charAt(0) == '/' || >>> src.indexOf(':') == -1)) { >>> + result = true; >>> + } >>> + >>> + return result; >>> + } >>> + >>> + /** parse uri from url **/ >>> + function parseUri(url) { >>> + var uri = ""; >>> + var token = "://"; >>> + var index = url.indexOf(token); >>> + var part = ""; >>> + >>> + /** >>> + * ensure to skip protocol and prepend context path for >>> non-qualified >>> + * resources (ex: "protect.html" vs >>> + * "/Owasp.CsrfGuard.Test/protect.html"). 
>>> + */ >>> + if(index > 0) { >>> + part = url.substring(index + token.length); >>> + } else if(url.charAt(0) != '/') { >>> + part = "%CONTEXT_PATH%/" + url; >>> + } else { >>> + part = url; >>> + } >>> + >>> + /** parse up to end or query string **/ >>> + var uriContext = (index == -1); >>> + >>> + for(var i=0; i<part.length; i++) { >>> + var character = part.charAt(i); >>> + >>> + if(character == '/') { >>> + uriContext = true; >>> + } else if(uriContext == true && (character == '?' || >>> character == '#')) { >>> + uriContext = false; >>> + break; >>> + } >>> + >>> + if(uriContext == true) { >>> + uri += character; >>> + } >>> + } >>> + >>> + return uri; >>> + } >>> + >>> + /** inject tokens as hidden fields into forms **/ >>> + function injectTokenForm(form, tokenName, tokenValue, >>> pageTokens,injectGetForms) { >>> + >>> + if (!injectGetForms) { >>> + var method = form.getAttribute("method"); >>> + >>> + if ((typeof method != 'undefined') && method != null && >>> method.toLowerCase() == "get") { >>> + return; >>> + } >>> + } >>> + >>> + var value = tokenValue; >>> + var action = form.getAttribute("action"); >>> + >>> + if(action != null && isValidUrl(action)) { >>> + var uri = parseUri(action); >>> + value = pageTokens[uri] != null ? pageTokens[uri] : >>> tokenValue; >>> + } >>> + >>> + var hidden = document.createElement("input"); >>> + >>> + hidden.setAttribute("type", "hidden"); >>> + hidden.setAttribute("name", tokenName); >>> + hidden.setAttribute("value", value); >>> + >>> + form.appendChild(hidden); >>> + } >>> + >>> + /** inject tokens as query string parameters into url **/ >>> + function injectTokenAttribute(element, attr, tokenName, tokenValue, >>> pageTokens) { >>> + var location = element.getAttribute(attr); >>> + >>> + if(location != null && isValidUrl(location)) { >>> + var uri = parseUri(location); >>> + var value = (pageTokens[uri] != null ? 
pageTokens[uri] : >>> tokenValue); >>> + >>> + if(location.indexOf('?') != -1) { >>> + location = location + '&' + tokenName + '=' + value; >>> + } else { >>> + location = location + '?' + tokenName + '=' + value; >>> + } >>> + >>> + try { >>> + element.setAttribute(attr, location); >>> + } catch (e) { >>> + // attempted to set/update unsupported attribute >>> + } >>> + } >>> + } >>> + >>> + /** inject csrf prevention tokens throughout dom **/ >>> + function injectTokens(tokenName, tokenValue) { >>> + /** obtain reference to page tokens if enabled **/ >>> + var pageTokens = {}; >>> + >>> + if(%TOKENS_PER_PAGE% == true) { >>> + pageTokens = requestPageTokens(); >>> + } >>> + >>> + /** iterate over all elements and injection token **/ >>> + var all = document.all ? document.all : >>> document.getElementsByTagName('*'); >>> + var len = all.length; >>> + >>> + //these are read from the csrf guard config file(s) >>> + var injectForms = %INJECT_FORMS%; >>> + var injectGetForms = %INJECT_GET_FORMS%; >>> + var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%; >>> + var injectAttributes = %INJECT_ATTRIBUTES%; >>> + >>> + for(var i=0; i<len; i++) { >>> + var element = all[i]; >>> + >>> + /** inject into form **/ >>> + if(element.tagName.toLowerCase() == "form") { >>> + if(injectForms) { >>> + injectTokenForm(element, tokenName, tokenValue, >>> pageTokens,injectGetForms); >>> + } >>> + if (injectFormAttributes) { >>> + injectTokenAttribute(element, "action", tokenName, >>> tokenValue, pageTokens); >>> + } >>> + /** inject into attribute **/ >>> + } else if(injectAttributes) { >>> + injectTokenAttribute(element, "src", tokenName, >>> tokenValue, pageTokens); >>> + injectTokenAttribute(element, "href", tokenName, >>> tokenValue, pageTokens); >>> + } >>> + } >>> + } >>> + >>> + /** obtain array of page specific tokens **/ >>> + function requestPageTokens() { >>> + var xhr = window.XMLHttpRequest ? 
new window.XMLHttpRequest : >>> new >>> window.ActiveXObject("Microsoft.XMLHTTP"); >>> + var pageTokens = {}; >>> + >>> + xhr.open("POST", "%SERVLET_PATH%", false); >>> + xhr.send(null); >>> + >>> + var text = xhr.responseText; >>> + var name = ""; >>> + var value = ""; >>> + var nameContext = true; >>> + >>> + for(var i=0; i<text.length; i++) { >>> + var character = text.charAt(i); >>> + >>> + if(character == ':') { >>> + nameContext = false; >>> + } else if(character != ',') { >>> + if(nameContext == true) { >>> + name += character; >>> + } else { >>> + value += character; >>> + } >>> + } >>> + >>> + if(character == ',' || (i + 1) >= text.length) { >>> + pageTokens[name] = value; >>> + name = ""; >>> + value = ""; >>> + nameContext = true; >>> + } >>> + } >>> + >>> + return pageTokens; >>> + } >>> + >>> + /** >>> + * Only inject the tokens if the JavaScript was referenced from HTML >>> that >>> + * was served by us. Otherwise, the code was referenced from >>> malicious HTML >>> + * which may be trying to steal tokens using JavaScript hijacking >>> techniques. >>> + * The token is now removed and fetched using another POST request >>> to >>> solve, >>> + * the token hijacking problem. >>> + */ >>> + if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) { >>> + /** optionally include Ajax support **/ >>> + if(%INJECT_XHR% == true) { >>> + if(navigator.appName == "Microsoft Internet Explorer") { >>> + hijackExplorer(); >>> + } else { >>> + hijackStandard(); >>> + } >>> + >>> + var xhr = window.XMLHttpRequest ? 
new window.XMLHttpRequest : >>> new >>> window.ActiveXObject("Microsoft.XMLHTTP"); >>> + var csrfToken = {}; >>> + xhr.open("POST", "%SERVLET_PATH%", false); >>> + xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1"); >>> + xhr.send(null); >>> + >>> + var token_pair = xhr.responseText; >>> + token_pair = token_pair.split(":"); >>> + var token_name = token_pair[0]; >>> + var token_value = token_pair[1]; >>> + >>> + XMLHttpRequest.prototype.onsend = function(data) { >>> + if(isValidUrl(this.url)) { >>> + this.setRequestHeader("X-Requested-With", >>> "XMLHttpRequest") >>> + this.setRequestHeader(token_name, token_value); >>> + } >>> + }; >>> + } >>> + >>> + /** update nodes in DOM after load **/ >>> + addEvent(window,'unload',EventCache.flush); >>> + addEvent(window,'DOMContentLoaded', function() { >>> + injectTokens(token_name, token_value); >>> + }); >>> + } else { >>> + alert("OWASP CSRFGuard JavaScript was included from within an >>> unauthorized domain!"); >>> + } >>> +})(); >>> >>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.js >>> ------------------------------------------------------------ >>> ------------------ >>> svn:eol-style = native >>> >>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.js >>> ------------------------------------------------------------ >>> ------------------ >>> svn:keywords = Date Rev Author URL Id >>> >>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.js >>> ------------------------------------------------------------ >>> ------------------ >>> svn:mime-type = text/plain >>> >>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.properties >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard. 
>>> properties?rev=1781366&view=auto >>> ============================================================ >>> ================== >>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/ >>> Owasp.CsrfGuard.properties >>> (added) >>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/ >>> Owasp.CsrfGuard.properties >>> Thu Feb 2 10:33:59 2017 
>>> @@ -0,0 +1,417 @@ >>> +# The OWASP CSRFGuard Project, BSD License >>> +# Eric Sheridan ([hidden email]), Copyright (c) 2011 >>> +# All rights reserved. >>> +# >>> +# Redistribution and use in source and binary forms, with or without >>> +# modification, are permitted provided that the following conditions are >>> met: >>> +# >>> +# 1. Redistributions of source code must retain the above copyright >>> notice, >>> +# this list of conditions and the following disclaimer. >>> +# 2. Redistributions in binary form must reproduce the above copyright >>> +# notice, this list of conditions and the following disclaimer in the >>> +# documentation and/or other materials provided with the >>> distribution. >>> +# 3. Neither the name of OWASP nor the names of its contributors may be >>> used >>> +# to endorse or promote products derived from this software without >>> specific >>> +# prior written permission. >>> +# >>> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >>> "AS >>> IS" >>> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >>> THE >>> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >>> PURPOSE >>> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS >>> BE LIABLE >>> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >>> CONSEQUENTIAL DAMAGES >>> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR >>> SERVICES; >>> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER >>> CAUSED >>> AND ON >>> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR >>> TORT >>> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >>> OF THIS >>> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >>> + >>> +# 
From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/ >>> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties >>> + >>> +# Common substitutions >>> +# %servletContext% is the servlet context (e.g. the configured app >>> prefix or war file name, or blank. >>> +# e.g. if you deploy a default warfile as someApp.war, then >>> %servletContext% will be /someApp >>> +# if there isnt a context it will be the empty string. So to use this >>> in >>> the configuration, use e.g. %servletContext%/something.html >>> +# which will translate to e.g. /someApp/something.html >>> + >>> +# Logger >>> +# >>> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified >>> class name of >>> +# the object responsible for processing all log messages produced by >>> CSRFGuard. The default >>> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class >>> logs all messages >>> +# to System.out which JavaEE application servers redirect to a vendor >>> specific log file. >>> +# Developers can customize the logging behavior of CSRFGuard by >>> implementing the >>> +# org.owasp.csrfguard.log.ILogger interface and setting the logger >>> property to the new >>> +# logger's qualified class name. The following configuration snippet >>> instructs OWASP CSRFGuard >>> +# to capture all log messages to the console: >>> +# >>> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger >>> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger >>> + >>> +# Which configuration provider factory you want to use. The default is >>> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory >>> +# Another configuration provider has more features including config >>> overlays: org.owasp.csrfguard.config.overlay. >>> ConfigurationOverlayProviderFactory >>> +# The default configuration provider is: org.owasp.csrfguard.config. 
>>> overlay.ConfigurationAutodetectProviderFactory >>> +# which will look for an overlay file, it is there, and the factory >>> inside that file is set it will use it, otherwise will be >>> PropertiesConfigurationProviderFactory >>> +# it needs to implement org.owasp.csrfguard.config. >>> ConfigurationProviderFactory >>> +org.owasp.csrfguard.configuration.provider.factory = >>> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectPr >>> oviderFactory >>> + >>> + >>> +# If csrfguard filter is enabled >>> +org.owasp.csrfguard.Enabled = false >>> + >>> +# If csrf guard filter should check even if there is no session for the >>> user >>> +# Note: this changed around 2014/04, the default behavior used to be to >>> +# not check if there is no session. If you want the legacy behavior (if >>> your app >>> +# is not susceptible to CSRF if the user has no session), set this to >>> false >>> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true >>> + >>> +# New Token Landing Page >>> +# >>> +# The new token landing page property (org.owasp.csrfguard.NewTokenL >>> andingPage) >>> defines where >>> +# to send a user if the token is being generated for the first time, and >>> the use new token landing >>> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) >>> determines if any redirect happens. >>> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not >>> specified, and to true >>> +# if it is specified.. If UseNewTokenLandingPage is set true then this >>> request is generated >>> +# using auto-posting forms and will only contain the CSRF prevention >>> token parameter, if >>> +# applicable. All query-string or form parameters sent with the original >>> request will be >>> +# discarded. If this property is not defined, CSRFGuard will instead >>> auto-post the user to the >>> +# original context and servlet path. 
The following configuration snippet >>> instructs OWASP CSRFGuard to >>> +# redirect the user to %servletContext%/index.html when the user visits >>> a >>> protected resource >>> +# without having a corresponding CSRF token present in the HttpSession >>> object: >>> +# >>> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/ >>> control/login/* >>> + >>> +# Protected Methods >>> +# >>> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods) >>> defines a comma >>> +# separated list of HTTP request methods that should be protected by >>> CSRFGuard. The default >>> +# list is an empty list which will cause all HTTP methods to be >>> protected, thus preserving >>> +# legacy behavior. This setting allows the user to inform CSRFGuard that >>> only requests of the >>> +# given types should be considered for protection. All HTTP methods not >>> in the list will be >>> +# considered safe (i.e. view only / unable to modify data). This should >>> be used only when the >>> +# user has concrete knowledge that all requests made via methods not in >>> the list >>> +# are safe (i.e. do not apply an action to any data) since it can >>> actually introduce new >>> +# security vulnerabilities. For example: the user thinks that all >>> actionable requests are >>> +# only available by POST requests when in fact some are available via >>> GET >>> requests. If the >>> +# user has excluded GET requests from the list then they have introduced >>> a vulnerability. >>> +# The following configuration snippet instructs OWASP CSRFGuard to >>> protect only the POST, >>> +# PUT, and DELETE HTTP methods. >>> +# >>> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE >>> + >>> +# or you can configure all to be protected, and specify which is >>> unprotected. 
This is the preferred approach >>> + >>> +# org.owasp.csrfguard.UnprotectedMethods=GET >>> + >>> +# Unique Per-Page Tokens >>> +# >>> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) >>> is a boolean value that >>> +# determines if CSRFGuard should make use of unique per-page (i.e. URI) >>> prevention tokens as >>> +# opposed to unique per-session prevention tokens. When a user requests >>> a >>> protected resource, >>> +# CSRFGuard will determine if a page specific token has been previously >>> generated. If a page >>> +# specific token has not yet been previously generated, CSRFGuard will >>> verify the request was >>> +# submitted with the per-session token intact. After verifying the >>> presence of the per-session token, >>> +# CSRFGuard will create a page specific token that is required for all >>> subsequent requests to the >>> +# associated resource. The per-session CSRF token can only be used when >>> requesting a resource for >>> +# the first time. All subsequent requests must have the per-page token >>> intact or the request will >>> +# be treated as a CSRF attack. This behavior can be changed with the >>> org.owasp.csrfguard.TokenPerPagePrecreate >>> +# property. Enabling this property will make CSRFGuard calculate the per >>> page token prior to a first >>> +# visit. This option only works with JSTL token injection and is useful >>> for preserving the validity of >>> +# links if the user pushes the back button. There may be a performance >>> impact when enabling this option >>> +# if the .jsp has a large number of proctected links that need tokens to >>> be calculated. >>> +# Use of the unique token per page property is currently experimental >>> +# but provides a significant amount of improved security. Consider the >>> exposure of a CSRF token using >>> +# the legacy unique per-session model. 
Exposure of this token >>> facilitates >>> the attacker's ability to >>> +# carry out a CSRF attack against the victim's active session for any >>> resource exposed by the web >>> +# application. Now consider the exposure of a CSRF token using the >>> experimental unique token per-page >>> +# model. Exposure of this token would only allow the attacker to carry >>> out a CSRF attack against the >>> +# victim's active session for a small subset of resources exposed by the >>> web application. Use of the >>> +# unique token per-page property is a strong defense in depth strategy >>> significantly reducing the >>> +# impact of exposed CSRF prevention tokens. The following configuration >>> snippet instructs OWASP >>> +# CSRFGuard to utilize the unique token per-page model: >>> +# >>> +# org.owasp.csrfguard.TokenPerPage=true >>> +# org.owasp.csrfguard.TokenPerPagePrecreate=false >>> +org.owasp.csrfguard.TokenPerPage=true >>> +org.owasp.csrfguard.TokenPerPagePrecreate=false >>> + >>> +# Token Rotation >>> +# >>> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean >>> value that determines if >>> +# CSRFGuard should generate and utilize a new token after verifying the >>> previous token. Rotation >>> +# helps minimize the window of opportunity an attacker has to leverage >>> the victim's stolen token >>> +# in a targeted CSRF attack. However, this functionality generally >>> causes >>> navigation problems in >>> +# most applications. Specifically, the 'Back' button in the browser will >>> often cease to function >>> +# properly. When a user hits the 'Back' button and interacts with the >>> HTML, the browser may submit >>> +# an old token causing CSRFGuard to incorrectly believe this request is >>> a >>> CSRF attack in progress >>> +# (i.e. a 'false positive'). Users can prevent this scenario by >>> preventing the caching of HTML pages >>> +# containing FORM submissions using the cache-control header. 
However, >>> this may also introduce >>> +# performance problems as the browser will have to request HTML on a >>> more >>> frequent basis. The following >>> +# configuration snippet enables token rotation: >>> +# >>> +# org.owasp.csrfguard.Rotate=true >>> + >>> +# Ajax and XMLHttpRequest Support >>> +# >>> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that >>> indicates whether or not OWASP >>> +# CSRFGuard should support the injection and verification of unique >>> per-session prevention tokens for >>> +# XMLHttpRequests. To leverage Ajax support, the user must not only set >>> this property to true but must >>> +# also reference the JavaScript DOM Manipulation code using a script >>> element. This dynamic script will >>> +# override the send method of the XMLHttpRequest object to ensure the >>> submission of an X-Requested-With >>> +# header name value pair coupled with the submission of a custom header >>> name value pair for each request. >>> +# The name of the custom header is the value of the token name property >>> and the value of the header is >>> +# always the unique per-session token value. This custom header is >>> analogous to the HTTP parameter name >>> +# value pairs submitted via traditional GET and POST requests. If the >>> X-Requested-With header was sent >>> +# in the HTTP request, then CSRFGuard will look for the presence and >>> ensure the validity of the unique >>> +# per-session token in the custom header name value pair. Note that >>> verification of these headers takes >>> +# precedence over verification of the CSRF token supplied as an HTTP >>> parameter. More specifically, >>> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax >>> support property is enabled and >>> +# the corresponding X-Requested-With and custom headers are embedded >>> within the request. 
The following >>> +# configuration snippet instructs OWASP CSRFGuard to support Ajax >>> requests by verifying the presence and >>> +# correctness of the X-Requested-With and custom headers: >>> +# >>> +# org.owasp.csrfguard.Ajax=true >>> +org.owasp.csrfguard.Ajax=true >>> + >>> +# The default behavior of CSRFGuard is to protect all pages. Pages >>> marked >>> as unprotected will not be protected. >>> +# If the Protect property is enabled, this behavior is reversed. Pages >>> must be marked as protected to be protected. >>> +# All other pages will not be protected. This is useful when the >>> CsrfGuardFilter is aggressively mapped (ex: /*), >>> +# but you only want to protect a few pages. >>> +# >>> +# org.owasp.csrfguard.Protect=true >>> + >>> +# Unprotected Pages: >>> +# >>> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*) >>> defines a series of pages that >>> +# should not be protected by CSRFGuard. Such configurations are useful >>> when the CsrfGuardFilter is >>> +# aggressively mapped (ex: /*). The syntax of the property name is >>> org.owasp.csrfguard.unprotected.[PageName], >>> +# where PageName is some arbitrary identifier that can be used to >>> reference a resource. The syntax of >>> +# defining the uri of unprotected pages is the same as the syntax used >>> by >>> the JavaEE container for uri mapping. >>> +# Specifically, CSRFGuard will identify the first match (if any) between >>> the requested uri and an unprotected >>> +# page in order of declaration. Match criteria is as follows: >>> +# >>> +# Case 1: exact match between request uri and unprotected page >>> +# Case 2: longest path prefix match, beginning / and ending /* >>> +# Case 3: extension match, beginning *. >>> +# Case 4: if the value starts with ^ and ends with $, it will be >>> evaulated as a regex. Note that before the >>> +# regex is compiled, any common variables will be substituted (e.g. 
>>> %servletContext%) >>> +# Default: requested resource must be validated by CSRFGuard >>> +# >>> +# The following code snippet illustrates the four use cases over four >>> examples. The first two examples >>> +# (Tag and JavaScriptServlet) look for direct URI matches. The third >>> example (Html) looks for all resources >>> +# ending in a .html extension. The next example (Public) looks for all >>> resources prefixed with the URI path /MySite/Public/*. >>> +# The last example looks for resources that end in Public.do >>> +# >>> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp >>> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/ >>> JavaScriptServlet >>> +# org.owasp.csrfguard.unprotected.Html=*.html >>> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/* >>> +# regex example starts with ^ and ends with $, and the %servletContext% >>> is evaluated before the regex >>> +# org.owasp.csrfguard.unprotected.PublicServlet=^% >>> servletContext%/.*Public\.do$ >>> + >>> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/ >>> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html >>> +org.owasp.csrfguard.unprotected.JavaScriptServlet= >>> %servletContext%/control/JavaScriptServlet >>> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html >>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html >>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp >>> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html >>> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext >>> %/javascript. 
>>> html >>> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp >>> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp >>> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp >>> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp >>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico >>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/ >>> control/login/* >>> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp >>> + >>> +# Actions: Responding to Attacks >>> +# >>> +# The actions directive (org.owasp.csrfguard.action.*) gives the user >>> the >>> ability to specify one or more >>> +# actions that should be invoked when a CSRF attack is detected. Every >>> action must implement the >>> +# org.owasp.csrfguard.action.IAction interface either directly or >>> indirectly through the >>> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions >>> accept parameters that can be specified >>> +# along with the action class declaration. These parameters are consumed >>> at runtime and impact the behavior of >>> +# the associated action. >>> +# >>> +# The syntax for defining and configuring CSRFGuard actions is >>> relatively >>> straight forward. Let us assume we wish >>> +# to redirect the user to a default page when a CSRF attack is detected. >>> A redirect action already exists within >>> +# the CSRFGuard bundle and is available via the class name >>> org.owasp.csrfguard.actions.Redirect. In order to enable >>> +# this action, we capture the following declaration in the >>> Owasp.CsrfGuard.properties file: >>> +# >>> +# syntax: org.owasp.csrfguard.action.[actionName]=[className] >>> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp. >>> csrfguard.actions.Redirect >>> +# >>> +# The aforementioned directive declares an action called "Redirect" >>> (i.e. 
>>> [actionName]) referencing the Java class >>> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a >>> CSRF attack is detected, the Redirect action >>> +# will be executed. You may be asking yourself, "but how do I specify >>> where the user is redirected?"; this is where >>> +# action parameters come into play. In order to specify the redirect >>> location, we capture the following declaration >>> +# in the Owasp.CsrfGuard.properties file: >>> +# >>> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[ >>> parameterValue] >>> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=% >>> servletContext%/error.html >>> +# >>> +# The aforementioned directive declares an action parameter called >>> "ErrorPage" (i.e. [parameterName]) with the value >>> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the >>> action >>> "Redirect" (i.e. [actionName]). The >>> +# Redirect action expects the "ErrorPage" parameter to be defined and >>> will redirect the user to this location when >>> +# an attack is detected. >>> +# >>> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty >>> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log >>> +org.owasp.csrfguard.action.Log.Message=potential cross-site request >>> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, >>> method:%request_method%, uri:%request_uri%, error:%exception_message%) >>> +#org.owasp.csrfguard.action.Invalidate=org.owasp. >>> csrfguard.action.Invalidate >>> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.ac >>> tion.Redirect >>> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html >>> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrf >>> guard.action. >>> RequestAttribute >>> +#org.owasp.csrfguard.action.RequestAttribute. 
>>> AttributeName=Owasp_CsrfGuard_Exception_Key >>> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate >>> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action. >>> SessionAttribute >>> +org.owasp.csrfguard.action.SessionAttribute. >>> AttributeName=Owasp_CsrfGuard_Exception_Key >>> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error >>> +#org.owasp.csrfguard.action.Error.Code=403 >>> +#org.owasp.csrfguard.action.Error.Message=Security violation. >>> + >>> +# Token Name >>> +# >>> +# The token name property (org.owasp.csrfguard.TokenName) defines the >>> name of the HTTP parameter >>> +# to contain the value of the OWASP CSRFGuard token for each request. >>> The >>> following configuration >>> +# snippet sets the CSRFGuard token parameter name to the value >>> OWASP_CSRFTOKEN: >>> +# >>> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN >>> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN >>> + >>> +# Session Key >>> +# >>> +# The session key property (org.owasp.csrfguard.SessionKey) defines the >>> string literal used to save >>> +# and lookup the CSRFGuard token from the session. This value is used by >>> the filter and the tag >>> +# libraries to retrieve and set the token value in the session. >>> Developers can use this key to >>> +# programmatically lookup the token within their own code. The following >>> configuration snippet sets >>> +# the session key to the value OWASP_CSRFTOKEN: >>> +# >>> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN >>> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN >>> + >>> +# Token Length >>> +# >>> +# The token length property (org.owasp.csrfguard.TokenLength) defines >>> the number of characters that >>> +# should be found within the CSRFGuard token. Note that characters are >>> delimited by dashes (-) in groups >>> +# of four. For cosmetic reasons, users are encourage to ensure the token >>> length is divisible by four. 
>>> +# The following configuration snippet sets the token length property to >>> 32 characters: >>> +# >>> +# org.owasp.csrfguard.TokenLength=32 >>> +org.owasp.csrfguard.TokenLength=32 >>> + >>> +# Pseudo-random Number Generator >>> +# >>> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) >>> defines what PRNG should be used >>> +# to generate the OWASP CSRFGuard token. Always ensure this value >>> references a cryptographically strong >>> +# pseudo-random number generator algorithm. The following configuration >>> snippet sets the pseudo-random number >>> +# generator to SHA1PRNG: >>> +# >>> +# org.owasp.csrfguard.PRNG=SHA1PRNG >>> +org.owasp.csrfguard.PRNG=SHA1PRNG >>> + >>> +# Pseudo-random Number Generator Provider >>> + >>> +# The pseudo-random number generator provider property >>> (org.owasp.csrfguard.PRNG.Provider) defines which >>> +# provider's implementation of org.owasp.csrfguard.PRNG we should >>> utilize. The following configuration >>> +# snippet instructs the JVM to leverage SUN's implementation of the >>> algorithm denoted by the >>> +# org.owasp.csrfguard.PRNG property: >>> + >>> +# org.owasp.csrfguard.PRNG.Provider=SUN >>> +org.owasp.csrfguard.PRNG.Provider=SUN >>> + >>> +# If not specifying the print config option in the web.xml, you can >>> specify it here, to print the config >>> +# on startup >>> +org.owasp.csrfguard.Config.Print = true >>> + >>> +########################### >>> +## Javascript servlet settings if not set in web.xml >>> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection >>> +########################### >>> + >>> +# leave this blank and blank in web.xml and it will read from >>> META-INF/csrfguard.js from the jarfile >>> +# Denotes the location of the JavaScript template file that should be >>> consumed and dynamically >>> +# augmented by the JavaScriptServlet class. The default value is >>> WEB-INF/Owasp.CsrfGuard.js. 
>>> +# Use of this property and the existence of the specified template file >>> is required. >>> +#org.owasp.csrfguard.JavascriptServlet.sourceFile = >>> WEB-INF/Owasp.CsrfGuard.js >>> +org.owasp.csrfguard.JavascriptServlet.sourceFile = >>> WEB-INF/Owasp.CsrfGuard.js >>> + >>> +# Boolean value that determines whether or not the dynamic JavaScript >>> code should be strict >>> +# with regards to what links it should inject the CSRF prevention token. >>> With a value of true, >>> +# the JavaScript code will only place the token in links that point to >>> the same exact domain >>> +# from which the HTML originated. With a value of false, the JavaScript >>> code will place the >>> +# token in links that not only point to the same exact domain from which >>> the HTML originated, >>> +# but sub-domains as well. >>> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true >>> + >>> +# Allows the developer to specify the value of the Cache-Control header >>> in the HTTP response >>> +# when serving the dynamic JavaScript file. The default value is >>> private, >>> maxage=28800. >>> +# Caching of the dynamic JavaScript file is intended to minimize traffic >>> and improve performance. >>> +# Note that the Cache-Control header is always set to "no-store" when >>> either the "Rotate" >>> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties. >>> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private, >>> maxage=28800 >>> + >>> +# Allows the developer to specify a regular expression describing the >>> required value of the >>> +# Referer header. Any attempts to access the servlet with a Referer >>> header that does not >>> +# match the captured expression is discarded. Inclusion of referer >>> header >>> checking is to >>> +# help minimize the risk of JavaScript Hijacking attacks that attempt to >>> steal tokens from >>> +# the dynamically generated JavaScript. 
While the primary defenses >>> against JavaScript >>> +# Hijacking attacks are implemented within the dynamic JavaScript >>> itself, >>> referer header >>> +# checking is implemented to achieve defense in depth. >>> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .* >>> + >>> +# Similar to javascript servlet referer pattern, but this will make sure >>> the referer of the >>> +# javascript servlet matches the domain of the request. If there is no >>> referer (proxy strips it?) >>> +# then it will not fail. Generally this is a good idea to be true. >>> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true >>> + >>> +# Boolean value that determines whether or not the dynamic JavaScript >>> code should >>> +# inject the CSRF prevention token as a hidden field into HTML forms. >>> The >>> default >>> +# value is true. Developers are strongly discouraged from disabling this >>> property >>> +# as most server-side state changing actions are triggered via a POST >>> request. >>> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true >>> + >>> +# if the token should be injected in GET forms (which will be on the >>> URL) >>> +# if the HTTP method GET is unprotected, then this should likely be >>> false >>> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true >>> + >>> +# if the token should be injected in the action in forms >>> +# note, if injectIntoForms is true, then this might not need to be true >>> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true >>> + >>> + >>> +# Boolean value that determines whether or not the dynamic JavaScript >>> code should >>> +# inject the CSRF prevention token in the query string of src and href >>> attributes. >>> +# Injecting the CSRF prevention token in a URL resource increases its >>> general risk >>> +# of exposure to unauthorized parties. 
However, most JavaEE web >>> applications respond >>> +# in the exact same manner to HTTP requests and their associated >>> parameters regardless >>> +# of the HTTP method. The risk associated with not protecting GET >>> requests in this >>> +# situation is perceived greater than the risk of exposing the token in >>> protected GET >>> +# requests. As a result, the default value of this attribute is set to >>> true. Developers >>> +# that are confident their server-side state changing controllers will >>> only respond to >>> +# POST requests (i.e. discarding GET requests) are strongly encouraged >>> to >>> disable this property. >>> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true >>> + >>> + >>> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard >>> Project >>> + >>> +########################### >>> +## Config overlay settings if you have the provider above set to >>> ConfigurationOverlayProvider >>> +## This CSRF config provider uses Internet2 Configuration Overlays >>> (documented on Internet2 wiki) >>> +## By default the configuration is read from the >>> Owasp.CsrfGuard.properties >>> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.proper >>> ties >>> overlays >>> +## the base settings. See the Owasp.CsrfGuard.properties for the >>> possible >>> +## settings that can be applied to the Owasp.CsrfGuard.overlay.proper >>> ties >>> +########################### >>> + >>> +# comma separated config files that override each other (files on the >>> right override the left) >>> +# each should start with file: or classpath: >>> +# e.g. 
classpath:Owasp.CsrfGuard.properties, >>> file:c:/temp/myFile.properties >>> +org.owasp.csrfguard.configOverlay.hierarchy = >>> classpath:Owasp.CsrfGuard.properties, >>> classpath:Owasp.CsrfGuard.overlay.properties >>> + >>> +# seconds between checking to see if the config files are updated >>> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60 >>> + >>> + >>> +########################### >>> + >>> >>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.properties >>> ------------------------------------------------------------ >>> ------------------ >>> svn:eol-style = native >>> >>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.properties >>> ------------------------------------------------------------ >>> ------------------ >>> svn:keywords = Date Rev Author URL Id >>> >>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB- >>> INF/Owasp.CsrfGuard.properties >>> ------------------------------------------------------------ >>> ------------------ >>> svn:mime-type = text/plain >>> >>> >>> >>> > |
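Review bot: in the Ajax branch of Owasp.CsrfGuard.js the token fetch has no failure path: `xhr.send(null)` is issued synchronously, `xhr.status` is never examined, and `token_pair = token_pair.split(":")` is indexed blindly, so whenever the servlet answers with anything other than a single `name:value` body (a login redirect, a 403 from the filter itself, an empty response) `token_value` ends up `undefined` and every subsequent `this.setRequestHeader(token_name, token_value)` sends the literal string "undefined", which the filter will reject as a CSRF attempt on every Ajax call the page makes. Check `xhr.status` is 200 and `token_pair.length` is 2 before installing the `XMLHttpRequest.prototype.onsend` hook, and leave XHR untouched otherwise. Two smaller points in the same hunk: the first `setRequestHeader("X-Requested-With", "XMLHttpRequest")` is missing its semicolon, and the `else` branch raises a blocking `alert(...)` when the script is included from an unauthorized domain; a logged failure that leaves the page usable is preferable in production. The guard itself keys on `document.domain`, which page script can rewrite, so it should be treated as defence in depth rather than the only check on who may load the servlet.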
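Review bot: the committed Owasp.CsrfGuard.properties leaves the filter switched off (`org.owasp.csrfguard.Enabled = false`), and apart from a handful of OFBiz paths it is the csrfguard-test webapp configuration (see the `From:` URL near the top of the file), so as landed it protects nothing; either set `Enabled` to true or record in the file why it ships disabled. Three of the OFBiz-specific edits also look wrong. First, `org.owasp.csrfguard.unprotected.Session` is assigned twice (`%servletContext%/favicon.ico` and then `%servletContext%/control/login/*`); in a java.util.Properties file the later key wins, so the favicon exemption is silently dropped. Give each entry its own name, for example `org.owasp.csrfguard.unprotected.Favicon=%servletContext%/favicon.ico` and `org.owasp.csrfguard.unprotected.Login=%servletContext%/control/login/*`. Second, `org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*` is a redirect target, not a match pattern (the comment block above it says it "defines where to send a user" via an auto-posting form), so the trailing `/*` will be posted to literally; use a concrete URI without the wildcard. Third, `org.owasp.csrfguard.JavascriptServlet.refererPattern = .*` accepts any Referer, so only `refererMatchDomain = true` is performing the hijacking check the comment describes; tighten the pattern to the OFBiz hosts or note that it is intentionally open. Minor: `cacheControl = private, maxage=28800` uses `maxage`, which is not a Cache-Control directive (`max-age` is), although with `TokenPerPage=true` the comment above states the servlet forces `no-store` regardless.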