continuum-commits mailing list archives

From br...@apache.org
Subject svn commit: r1066010 - in /continuum/branches/continuum-1.3.x: continuum-docs/src/site/apt/administrator_guides/security/customising-security.apt continuum-webapp/src/main/resources/struts.xml pom.xml
Date Tue, 01 Feb 2011 11:49:57 GMT
Author: brett
Date: Tue Feb  1 11:49:57 2011
New Revision: 1066010

URL: http://svn.apache.org/viewvc?rev=1066010&view=rev
Log:
[CONTINUUM-2603] [CVE-2010-3449] CSRF vulnerability - Continuum doesn't check which form sends credentials
- update to Redback 1.2.4

Modified:
    continuum/branches/continuum-1.3.x/continuum-docs/src/site/apt/administrator_guides/security/customising-security.apt
    continuum/branches/continuum-1.3.x/continuum-webapp/src/main/resources/struts.xml
    continuum/branches/continuum-1.3.x/pom.xml

Modified: continuum/branches/continuum-1.3.x/continuum-docs/src/site/apt/administrator_guides/security/customising-security.apt
URL: http://svn.apache.org/viewvc/continuum/branches/continuum-1.3.x/continuum-docs/src/site/apt/administrator_guides/security/customising-security.apt?rev=1066010&r1=1066009&r2=1066010&view=diff
==============================================================================
--- continuum/branches/continuum-1.3.x/continuum-docs/src/site/apt/administrator_guides/security/customising-security.apt
(original)
+++ continuum/branches/continuum-1.3.x/continuum-docs/src/site/apt/administrator_guides/security/customising-security.apt
Tue Feb  1 11:49:57 2011
@@ -50,3 +50,19 @@ security.policy.password.rule.nowhitespa
  can be found in:
  <<<$CONTINUUM_HOME/apps/continuum/webapp/WEB-INF/classes/META-INF/plexus/application.xml>>>
 
+* Additional CSRF Prevention
+
+  To help prevent cross-site request forgery, it is possible to enable a basic check that
the referrer is the current
+  site.
+
+  <Note:> This is only a generic solution that may prevent some types of attacks but
not others. It may cause problems
+  with certain user agents. By default, the check is off.
+
+  To enable the check, change the following configuration value in the <<<struts.xml>>>
file in the <<<WEB-INF/classes>>>
+  directory of the web application (2 locations):
+
+----
+<interceptor-ref name="redbackSecureActions">
+  <param name="enableReferrerCheck">false</param>
+</interceptor-ref>
+----
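Review bot: the added snippet contradicts its own lead-in. The text says "To enable the check, change the following configuration value", but the value shown is `<param name="enableReferrerCheck">false</param>`, which the preceding paragraph identifies as the default (off) state. Either show `true` in the snippet or state explicitly that the value must be changed from `false` to `true`. It would also help administrators to say what the check compares (the request's referrer against the current site) and how a request that carries no referrer at all is treated, since that is the usual reason behind the "certain user agents" warning.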

Modified: continuum/branches/continuum-1.3.x/continuum-webapp/src/main/resources/struts.xml
URL: http://svn.apache.org/viewvc/continuum/branches/continuum-1.3.x/continuum-webapp/src/main/resources/struts.xml?rev=1066010&r1=1066009&r2=1066010&view=diff
==============================================================================
--- continuum/branches/continuum-1.3.x/continuum-webapp/src/main/resources/struts.xml (original)
+++ continuum/branches/continuum-1.3.x/continuum-webapp/src/main/resources/struts.xml Tue
Feb  1 11:49:57 2011
@@ -42,7 +42,9 @@
         <interceptor-ref name="redbackForceAdminUser"/>
         <interceptor-ref name="redbackAutoLogin"/>
         <interceptor-ref name="defaultStack"/>
-        <interceptor-ref name="redbackSecureActions"/>
+        <interceptor-ref name="redbackSecureActions">
+          <param name="enableReferrerCheck">false</param>
+        </interceptor-ref>
         <interceptor-ref name="redbackPolicyEnforcement"/>
         <interceptor-ref name="continuumConfigurationCheck"/>
         <interceptor-ref name="validation">
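Review bot: with `enableReferrerCheck` set to `false`, the CSRF mitigation introduced by this change ships disabled on the default stack. If that is deliberate because of the user-agent compatibility concern, a short XML comment next to the param pointing at the customising-security page would save administrators a search. Since the parameter is only read by the upgraded Redback interceptor, this struts.xml change should not be merged independently of the pom.xml version bump in the same commit.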
@@ -59,7 +61,9 @@
         <interceptor-ref name="redbackAutoLogin"/>
         <interceptor-ref name="defaultStack"/>
         <interceptor-ref name="redbackPolicyEnforcement"/>
-        <interceptor-ref name="redbackSecureActions"/>
+        <interceptor-ref name="redbackSecureActions">
+          <param name="enableReferrerCheck">false</param>
+        </interceptor-ref>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse,edit</param>
         </interceptor-ref>
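Review bot: the same `enableReferrerCheck` value is now hard-coded in two interceptor stacks, and the documentation tells administrators to edit "2 locations"; the two copies will drift. Consider a single property placeholder or a shared interceptor stack so the setting is changed in one place. Note also that the two stacks order the interceptors differently: in the first stack `redbackSecureActions` precedes `redbackPolicyEnforcement`, while here it follows it. That predates this change, but it means the referrer check runs at a different point in each stack and is worth a comment or alignment.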

Modified: continuum/branches/continuum-1.3.x/pom.xml
URL: http://svn.apache.org/viewvc/continuum/branches/continuum-1.3.x/pom.xml?rev=1066010&r1=1066009&r2=1066010&view=diff
==============================================================================
--- continuum/branches/continuum-1.3.x/pom.xml (original)
+++ continuum/branches/continuum-1.3.x/pom.xml Tue Feb  1 11:49:57 2011
@@ -1669,7 +1669,7 @@ under the License.
     <spring.version>2.5.6</spring.version>
     <wagon.version>1.0-beta-2</wagon.version>
     <maven-scm.version>1.1</maven-scm.version>
-    <redback.version>1.2.3</redback.version>
+    <redback.version>1.2.4</redback.version>
     <archiva.version>1.2.1</archiva.version>
     <slf4jVersion>1.5.8</slf4jVersion>
     <xmlrpc.version>3.1</xmlrpc.version>
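Review bot: the log attributes the CVE-2010-3449 fix to the Redback upgrade, so this `redback.version` bump from 1.2.3 to 1.2.4 is the substantive part of the change and the struts.xml parameter depends on it. The commit message and release notes should state that 1.2.4 is the minimum Redback version for `enableReferrerCheck` to be honoured, and that the check remains off unless an administrator enables it.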
