[jira] [Commented] (OFBIZ-11306) POC for CSRF Token


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007970#comment-17007970 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

h6. ecommerce

When quick checking out, at the end of the process I get
bq. https://localhost:8443/ecomseo/processorder?checkoutpage=quick

{noformat}
ERROR in error page, (infinite loop or error page not found with name [/error/error.jsp]
Original error detected, maybe it would be helps you : Invalid or missing CSRF token to path '/processorder'. Click here to continue.
{noformat}


{noformat}
2020-01-04 11:21:36,151 |jsse-nio-8443-exec-3 |SeoContextFilter              |I| Can NOT forward this url: /ecomseo/processorder?checkoutpage=quick
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ConfigXMLReader               |I| controller loaded: 0.01s, 286 requests, 95 views in file:/C:/projectsASF/Git/ofbiz-framework/plugins/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ConfigXMLReader               |I| controller loaded: 0.02s, 1 requests, 0 views in file:/C:/projectsASF/Git/ofbiz-framework/plugins/ecommerce/webapp/ecomseo/WEB-INF/controller.xml
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |T| [[[ecomseo::processorder (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |I| Going to external page: /processorder
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |E| An error occurred, going to the errorPage: /error/error.jsp
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |E| Including errorPage: /error/error.jsp
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |T| [[[ecomseo::processorder (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |I| Going to external page: /processorder
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |E| An error occurred, going to the errorPage: /error/error.jsp
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ServerHitBin                  |I| Visit delegatorName=default, ServerHitBin delegatorName=default
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ControlServlet                |T| [[[ecomseo::processorder (Domain:https://localhost)] Request Done- total:0.0,since last([ecomseo::process...):0.0]]
2020-01-04 11:21:36,191 |jsse-nio-8443-exec-3 |ServerHitBin                  |I| Visit delegatorName=default, ServerHitBin delegatorName=default
2020-01-04 11:21:36,201 |jsse-nio-8443-exec-3 |TransactionUtil               |W| Calling transaction setRollbackOnly; this stack trace shows where this is happening:
java.lang.Exception: rollback called in Entity Engine SQLProcessor
        at org.apache.ofbiz.entity.transaction.TransactionUtil.setRollbackOnly(TransactionUtil.java:358) [main/:?]
        at org.apache.ofbiz.entity.jdbc.SQLProcessor.rollback(SQLProcessor.java:185) [main/:?]
        at org.apache.ofbiz.entity.datasource.GenericDAO.insert(GenericDAO.java:112) [main/:?]
        at org.apache.ofbiz.entity.datasource.GenericHelperDAO.create(GenericHelperDAO.java:67) [main/:?]
        at org.apache.ofbiz.entity.GenericDelegator.create(GenericDelegator.java:855) [main/:?]
        at org.apache.ofbiz.entity.GenericValue.create(GenericValue.java:76) [main/:?]
        at org.apache.ofbiz.webapp.stats.ServerHitBin.saveHit(ServerHitBin.java:530) [main/:?]
        at org.apache.ofbiz.webapp.stats.ServerHitBin.countHit(ServerHitBin.java:247) [main/:?]
        at org.apache.ofbiz.webapp.stats.ServerHitBin.countHit(ServerHitBin.java:97) [main/:?]
        at org.apache.ofbiz.webapp.stats.ServerHitBin.countRequest(ServerHitBin.java:75) [main/:?]
        at org.apache.ofbiz.webapp.control.ControlServlet.handle(ControlServlet.java:368) [main/:?]
        at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:96) [main/:?]
        at org.apache.ofbiz.product.category.SeoControlServlet.doGet(SeoControlServlet.java:88) [main/:?]
{noformat}

Generating the CSRF token (clicking on "here" in the error screen) does not help: the order is not generated.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) Widget forms, where a hidden token field is auto-generated.
> 2) FTL forms, where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the csrf token to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user sessions, and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt a request from the CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
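The mechanism described in the issue (tokens kept in the user session, presented either as a hidden form field or in an X-CSRF-Token header, checked only on POST, with an exemption list for paths such as LookupPartyName), as an added illustration that is not OFBiz's CsrfUtil, the CSRF Guard library, or any code from the ticket. The names `Session`, `token_for`, `hidden_field`, `verify_request`, the hidden field name `csrfToken` and the choice to key tokens by request path are assumptions made for this example; the requests replayed in `demo()` are constructed, including the one that mirrors the quick-checkout failure in the comment above (a POST to `/processorder` from a page that never rendered a token for it).

```python
"""Session-bound CSRF token check modelled on the OFBIZ-11306 description.

Added illustration, not OFBiz's CsrfUtil or the CSRF Guard library: the
names below (Session, token_for, hidden_field, verify_request) and the
per-path token map are assumptions chosen for this example.  The sample
requests in demo() are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional

TOKEN_FIELD = "csrfToken"       # hidden form field name (assumed)
TOKEN_HEADER = "X-CSRF-Token"   # header named in the issue description

# Request paths exempt from the check, as the security tag's csrf-token
# attribute would declare for an Ajax lookup such as LookupPartyName.
EXEMPT_PATHS = {"/LookupPartyName"}


@dataclass
class Session:
    """Stand-in for the servlet session: one token per request path."""
    csrf_tokens: Dict[str, str] = field(default_factory=dict)


def token_for(session: Session, path: str) -> str:
    """Return the session's token for `path`, minting one on first use.

    A token only exists once the page carrying the form (or the
    <@csrfTokenField>/<@csrfTokenAjax> macro) for `path` has been rendered.
    A POST that reaches `path` without that step has nothing to present,
    which is the situation the quick-checkout log shows.
    """
    token = session.csrf_tokens.get(path)
    if token is None:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        session.csrf_tokens[path] = token
    return token


def hidden_field(session: Session, path: str) -> str:
    """HTML fragment a form macro would emit for a form posting to `path`."""
    return (f'<input type="hidden" name="{TOKEN_FIELD}" '
            f'value="{token_for(session, path)}"/>')


def verify_request(session: Session, method: str, path: str,
                   form: Mapping[str, str],
                   headers: Mapping[str, str]) -> Optional[str]:
    """Return None if the request may proceed, else the rejection reason.

    Only POST requests are checked and exempt paths skip the check.  The
    presented token may come from the hidden field (widget/FTL form) or
    from the X-CSRF-Token header (Ajax); both are compared against the
    session's token for this exact path.
    """
    if method.upper() != "POST":
        return None
    if path in EXEMPT_PATHS:
        return None
    presented = form.get(TOKEN_FIELD) or headers.get(TOKEN_HEADER)
    expected = session.csrf_tokens.get(path)
    reason = f"Invalid or missing CSRF token to path '{path}'"
    if not presented or expected is None:
        return reason
    # Constant-time comparison so a timing side channel cannot leak the token.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return reason
    return None


def demo() -> Dict[str, Optional[str]]:
    """Replay constructed requests covering each case in the description."""
    session = Session()
    results: Dict[str, Optional[str]] = {}
    # 1. POST to /processorder before any page minted its token: rejected.
    results["post_without_token"] = verify_request(
        session, "POST", "/processorder", {"checkoutpage": "quick"}, {})
    # 2. Render the form (mints the token), then submit it with the field.
    hidden_field(session, "/processorder")
    results["post_with_form_token"] = verify_request(
        session, "POST", "/processorder",
        {"checkoutpage": "quick",
         TOKEN_FIELD: token_for(session, "/processorder")}, {})
    # 3. Ajax POST carrying the same token in the header instead of the body.
    results["ajax_with_header"] = verify_request(
        session, "POST", "/processorder", {},
        {TOKEN_HEADER: token_for(session, "/processorder")})
    # 4. A token minted for a different path does not satisfy /processorder.
    results["token_for_other_path"] = verify_request(
        session, "POST", "/processorder",
        {TOKEN_FIELD: token_for(session, "/checkoutpayment")}, {})
    # 5. Exempt Ajax lookup needs no token; 6. GET is never checked.
    results["exempt_lookup"] = verify_request(
        session, "POST", "/LookupPartyName", {}, {})
    results["get_unchecked"] = verify_request(
        session, "GET", "/processorder", {}, {})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'allowed' if outcome is None else outcome}")
```

Case 1 reproduces the error text from the comment: the check cannot pass when the request arrives at a path for which the session never rendered a token, and a later GET (the "click here" link) cannot replay the original POST, so the order is still not created. Case 4 is the reason to key tokens by path rather than keeping a single token per session: a token leaked or obtained for one form cannot be reused against another.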