ofbiz-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jler...@apache.org
Subject svn commit: r1719762 - in /ofbiz/trunk: applications/marketing/src/org/ofbiz/marketing/tracking/ applications/order/src/org/ofbiz/order/shoppinglist/ applications/securityext/src/org/ofbiz/securityext/login/ framework/webapp/src/org/ofbiz/webapp/contro...
Date Sun, 13 Dec 2015 05:07:47 GMT
Author: jleroux
Date: Sun Dec 13 05:07:47 2015
New Revision: 1719762

URL: http://svn.apache.org/viewvc?rev=1719762&view=rev
Log:
4th step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766

The secure flag on cookies instructs the browser to only submit the cookie as part of requests
over secure (HTTPS) connections. This prevents the cookie from being observed as plain text
in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending
an HTTP request. This prevents scripts running as part of a page from retrieving the value
and is a defense against XSS attacks.

Modified:
    ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java
    ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java
    ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java

Modified: ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1719762&r1=1719761&r2=1719762&view=diff
==============================================================================
--- ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java
(original)
+++ ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java
Sun Dec 13 05:07:47 2015
@@ -31,14 +31,14 @@ import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.UtilDateTime;
 import org.ofbiz.base.util.UtilMisc;
 import org.ofbiz.base.util.UtilValidate;
-import org.ofbiz.webapp.stats.VisitHandler;
-import org.ofbiz.webapp.website.WebSiteWorker;
 import org.ofbiz.entity.Delegator;
 import org.ofbiz.entity.GenericEntityException;
 import org.ofbiz.entity.GenericValue;
 import org.ofbiz.entity.util.EntityQuery;
 import org.ofbiz.entity.util.EntityUtilProperties;
 import org.ofbiz.product.category.CategoryWorker;
+import org.ofbiz.webapp.stats.VisitHandler;
+import org.ofbiz.webapp.website.WebSiteWorker;
 
 /**
  * Events used for maintaining TrackingCode related information
@@ -228,6 +228,8 @@ public class TrackingCodeEvents {
             if (trackableLifetime.longValue() > 0) trackableCookie.setMaxAge(trackableLifetime.intValue());
             trackableCookie.setPath("/");
             if (cookieDomain.length() > 0) trackableCookie.setDomain(cookieDomain);
+            trackableCookie.setSecure(true);
+            trackableCookie.setHttpOnly(true);
             response.addCookie(trackableCookie);
         }
 
@@ -238,6 +240,8 @@ public class TrackingCodeEvents {
             if (billableLifetime.longValue() > 0) billableCookie.setMaxAge(billableLifetime.intValue());
             billableCookie.setPath("/");
             if (cookieDomain.length() > 0) billableCookie.setDomain(cookieDomain);
+            billableCookie.setSecure(true);
+            billableCookie.setHttpOnly(true);
             response.addCookie(billableCookie);
         }
 
@@ -264,13 +268,17 @@ public class TrackingCodeEvents {
                 siteIdCookie.setMaxAge(siteIdCookieAge);
                 siteIdCookie.setPath("/");
                 if (cookieDomain.length() > 0) siteIdCookie.setDomain(cookieDomain);
-                    response.addCookie(siteIdCookie);
+                siteIdCookie.setSecure(true);
+                siteIdCookie.setHttpOnly(true);
+                response.addCookie(siteIdCookie);
                 // if trackingCode.siteId is  not null  write a trackable cookie with name
in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
                 Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp"
,UtilDateTime.nowTimestamp().toString());
                 updatedTimeStampCookie.setMaxAge(siteIdCookieAge);
                 updatedTimeStampCookie.setPath("/");
                 if (cookieDomain.length() > 0) updatedTimeStampCookie.setDomain(cookieDomain);
-                    response.addCookie(updatedTimeStampCookie);
+                updatedTimeStampCookie.setSecure(true);
+                updatedTimeStampCookie.setHttpOnly(true);
+                response.addCookie(updatedTimeStampCookie);
             }
         }
 

Modified: ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java?rev=1719762&r1=1719761&r2=1719762&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java
(original)
+++ ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java
Sun Dec 13 05:07:47 2015
@@ -669,6 +669,8 @@ public class ShoppingListEvents {
                 Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, autoSaveListId);
                 guestShoppingListCookie.setMaxAge(cookieAge);
                 guestShoppingListCookie.setPath("/");
+                guestShoppingListCookie.setSecure(true);
+                guestShoppingListCookie.setHttpOnly(true);
                 response.addCookie(guestShoppingListCookie);
             } 
         }
@@ -692,6 +694,8 @@ public class ShoppingListEvents {
         Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, null);
         guestShoppingListCookie.setMaxAge(0);
         guestShoppingListCookie.setPath("/");
+        guestShoppingListCookie.setSecure(true);
+        guestShoppingListCookie.setHttpOnly(true);
         response.addCookie(guestShoppingListCookie);
         return "success";
     }

Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1719762&r1=1719761&r2=1719762&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
(original)
+++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
Sun Dec 13 05:07:47 2015
@@ -430,6 +430,8 @@ public class LoginEvents {
                 cookie.setMaxAge(60 * 60 * 24 * 365);
                 cookie.setPath("/");
                 cookie.setDomain(domain);
+                cookie.setSecure(true);
+                cookie.setHttpOnly(true);
                 response.addCookie(cookie);
             }
         }

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=1719762&r1=1719761&r2=1719762&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Sun Dec 13
05:07:47 2015
@@ -763,6 +763,8 @@ public class LoginWorker {
             autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
             autoLoginCookie.setDomain(domain);
             autoLoginCookie.setPath("/");
+            autoLoginCookie.setSecure(true);
+            autoLoginCookie.setHttpOnly(true);
             response.addCookie(autoLoginCookie);
             return autoLoginCheck(delegator, session, userLogin.getString("userLoginId"));
         } else {
@@ -833,6 +835,8 @@ public class LoginWorker {
             Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId"));
             autoLoginCookie.setMaxAge(0);
             autoLoginCookie.setPath("/");
+            autoLoginCookie.setSecure(true);
+            autoLoginCookie.setHttpOnly(true);
             response.addCookie(autoLoginCookie);
         }
         // remove the session attributes

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719762&r1=1719761&r2=1719762&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sun Dec
13 05:07:47 2015
@@ -1000,14 +1000,25 @@ public class RequestHandler {
                 resp.addHeader("strict-transport-security", strictTransportSecurity);
             }
         } else {
-            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security",
true)) { // FIXME later pass req.getAttribute("delegator") as last argument
+            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security",
true)) {
                 resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
             }
         }
         
         //The only x-vontent-type-options defined value, "nosniff", prevents Internet Explorer
from MIME-sniffing a response away from the declared content-type. 
         // This also applies to Google Chrome, when downloading extensions.
-        resp.addHeader("x-content-type-options", "nosniff"); 
+        resp.addHeader("x-content-type-options", "nosniff");
+        
+        String setCookie = resp.getHeader("set-cookie");
+        if (UtilValidate.isNotEmpty(setCookie)) {
+            setCookie = setCookie.toLowerCase();
+            if (!setCookie.contains("secure")) {
+            resp.setHeader("set-cookie", setCookie + "; secure;"); // Adds a ";" trail to
be sure to separate things
+            }
+            if (!setCookie.contains("httponly")) {
+                resp.setHeader("set-cookie", setCookie + "; httponly;"); // Adds a ";" trail
to be sure to separate things
+            }
+        }
 
         try {
             if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of
type [" + viewMap.type + "]", module);

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java?rev=1719762&r1=1719761&r2=1719762&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java Sun Dec 13 05:07:47
2015
@@ -271,6 +271,8 @@ public class VisitHandler {
                             Cookie visitorCookie = new Cookie(visitorCookieName, visitor.getString("visitorId"));
                             visitorCookie.setMaxAge(60 * 60 * 24 * 365);
                             visitorCookie.setPath("/");
+                            visitorCookie.setSecure(true);
+                            visitorCookie.setHttpOnly(true);
                             response.addCookie(visitorCookie);
                         }
                     }



Mime
View raw message