[CONTINUUM-2622] Add CSRF prevention checks for sensitive actions - ASF JIRA

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.7, 1.4.0 (Beta)
Fix Version/s: 1.3.8
Component/s: Security
Labels:
None

Issue Links

supercedes

CONTINUUM-838 Cross Site Request Forgery protection

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Maria Odea Ching added a comment - 11/Apr/11 10:21

Added the following changes in -r1091098:

CSRF checks for delete actions and some save actions
added selenium tests for CSRF

Show

Maria Odea Ching added a comment - 11/Apr/11 10:21 Added the following changes in -r1091098 : CSRF checks for delete actions and some save actions added selenium tests for CSRF

Hide

Permalink

Maria Odea Ching added a comment - 12/Apr/11 21:37

Re-opening issue.. delete project group from project group summary is failing. It's always returning "Invalid token found in request" even though the token was passed.

Show

Maria Odea Ching added a comment - 12/Apr/11 21:37 Re-opening issue.. delete project group from project group summary is failing. It's always returning "Invalid token found in request" even though the token was passed.

Hide

Permalink

Maria Odea Ching added a comment - 15/Apr/11 05:06

Fixed in 1.3.x branch -r1092648 with the following changes:

do an explicit check for a random generated value in the action on remove project group (built-in token session interceptor doesn't work for projectGroupSummary page because the <s:action> tag (which executes result) for getting the projects in the group in the page causes a double submit
enabled selenium test for remove project group csrf check

Show

Maria Odea Ching added a comment - 15/Apr/11 05:06 Fixed in 1.3.x branch -r1092648 with the following changes: do an explicit check for a random generated value in the action on remove project group (built-in token session interceptor doesn't work for projectGroupSummary page because the <s:action> tag (which executes result) for getting the projects in the group in the page causes a double submit enabled selenium test for remove project group csrf check

Hide

Permalink

Maria Odea Ching added a comment - 15/Apr/11 06:40

Merged to trunk in -r1092666.

Show

Maria Odea Ching added a comment - 15/Apr/11 06:40 Merged to trunk in -r1092666.

Hide

Permalink

Maria Odea Ching added a comment - 03/May/11 06:45

Additional changes committed in branch -r1099015 and merged in trunk -r1099019:

revert changes made in -r1092648 in csrf check for remove project group
check only on actual delete, do not check on confirm delete – separated remove project group and confirm remove project group into separate actions

Show

Maria Odea Ching added a comment - 03/May/11 06:45 Additional changes committed in branch -r1099015 and merged in trunk -r1099019 : revert changes made in -r1092648 in csrf check for remove project group check only on actual delete, do not check on confirm delete – separated remove project group and confirm remove project group into separate actions

People

Assignee:

Maria Odea Ching

Reporter:

Maria Odea Ching

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

11/Apr/11 10:10

Updated:

21/Nov/12 17:44

Resolved:

15/Apr/11 05:06

Development

Agile

View on Board