[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF

    [ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16498968#comment-16498968 ]

Jacques Le Roux commented on OFBIZ-10427:
-----------------------------------------

I have recently worked again on this topic, trying to set the Tomcat CSRF filter. I did not succeed yet and here are some causes.

As said in the documentation
{quote}This filter provides basic CSRF protection for a web application. The filter assumes that it is mapped to /* and that all URLs returned to the client are encoded via a call to HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
{quote}
So I initially used the simplest web.xml configuration in webtools only, w/o <init-param> putting <filter> and <filter-mapping> at last position.
{code:java}
    <filter>
        <display-name>CSRFPreventionFilter</display-name>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class&gt;org.apache.catalina.filters.CsrfPreventionFilter</filter-class&gt;
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
{code}
And I checked we are encoding as requested. It' s not the case so I did these changes to only test:
{code:java}
Index: ControlFilter.java
===================================================================
--- ControlFilter.java (revision 1832691)
+++ ControlFilter.java (working copy)
@@ -111,10 +111,11 @@
             if (httpRequest.getSession().getAttribute("_FORCE_REDIRECT_") == null) {
                 httpRequest.getSession().setAttribute("_FORCE_REDIRECT_", "true");
                 Debug.logWarning("Redirecting user to: " + redirectPath, module);
+
                 if (redirectPathIsUrl) {
-                    httpResponse.sendRedirect(redirectPath);
+                    httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath));
                 } else {
-                    httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath);
+                    httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath() + redirectPath));
                 }
                 return;
             } else {
@@ -143,9 +144,9 @@
                         httpResponse.sendError(errorCode, httpRequest.getRequestURI());
                     } else {
                         if (redirectPathIsUrl) {
-                            httpResponse.sendRedirect(redirectPath);
+                            httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath));
                         } else {
-                            httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath);
+                            httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath() + redirectPath));
                         }
                     }
                     if (Debug.infoOn()) {
Index: RequestHandler.java
===================================================================
--- RequestHandler.java (revision 1832691)
+++ RequestHandler.java (working copy)
@@ -1180,7 +1180,7 @@
         newURL.append(url);

         String encodedUrl;
-        if (encode) {
+        if (true) {
             encodedUrl = response.encodeURL(newURL.toString());
         } else {
             encodedUrl = newURL.toString();
{code}
with no avail. I always got a 403:
{code:java}
HTTP Status 403 | Forbidden
Type Status Report
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.7
{code}
So I tried to put the filter at the top, same issue. Then I began to add entryPoints in <init-param>, knowing that they don't support wildcards (so in a way it's quite limited). The last set I tried was
{code:java}
    <param-name>entryPoints</param-name>
    <param-value>/catalog/control/main,/webtools/control/main,/webtools/control/login</param-value>
{code}
I put _/catalog/control/main_ because I initially tried to come from there. I then tried manually _/webtools/control/login_ and _/webtools/control/main_ same issue.


 Desesperately I then set a huge nonceCacheSize (every call create a nonce, for instance js, css, img, etc.) and if one of them it's OK then it's OK (not totally sure of that, but anyway with a large cache more is allowed)
{code:java}
    <param-name>nonceCacheSize</param-name>
    <param-value>100</param-value>
{code}
Still no success.

I stopped there for now but I'll continue to try if a way is possible. I think the best would be to adapt the CsrfPreventionFilter class to our need. I did not look at the source in detail yet, let's see...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)