Index: jackrabbit-standalone/src/main/resources/WEB-INF/web.xml
===================================================================
--- jackrabbit-standalone/src/main/resources/WEB-INF/web.xml (revision 1151475)
+++ jackrabbit-standalone/src/main/resources/WEB-INF/web.xml (working copy)
@@ -44,7 +44,6 @@
The webdav servlet that connects HTTP request to the repository.
org.apache.jackrabbit.j2ee.SimpleWebdavServlet
-
resource-path-prefix
/repository
@@ -59,6 +58,22 @@
Defines various dav-resource configuration parameters.
+
+
3
@@ -133,6 +148,22 @@
Number of concurrent requests expected. Default value is 50.
-->
+
+
5
Index: jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
===================================================================
--- jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java (revision 1151475)
+++ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java (working copy)
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.webdav.server;
+import org.apache.commons.httpclient.HttpStatus;
import org.apache.jackrabbit.webdav.DavCompliance;
import org.apache.jackrabbit.webdav.DavConstants;
import org.apache.jackrabbit.webdav.DavException;
@@ -86,6 +87,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.net.URL;
import java.util.ArrayList;
import java.util.List;
@@ -169,7 +171,18 @@
*/
abstract public String getAuthenticateHeaderValue();
+
/**
+ * Disable referrer based CSRF protection
+ */
+ protected boolean disableCSRFProtection;
+
+ /**
+ * Additional allowed referrer hosts for CSRF protection
+ */
+ protected String[] allowedReferrerHosts;
+
+ /**
* Service the given request.
*
* @param request
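Review bot: The Javadoc on the two new fields does not state what their defaults mean at runtime: `disableCSRFProtection` is false unless a subclass sets it, so the referrer check runs by default, and `allowedReferrerHosts` stays null when no extra hosts are configured, in which case only the server's own host passes. Suggest `/** Disable referrer based CSRF protection. Defaults to false, i.e. the check is performed. */` and `/** Additional allowed referrer hosts for CSRF protection; null or empty means only the request's own server host is accepted. */`. Both are protected mutable fields that a subclass is expected to populate from its init parameters (the SimpleWebdavServlet hunk in this patch does so); a sentence saying they must be set before service() is first invoked would make that contract explicit.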
@@ -192,6 +205,33 @@
return;
}
+ // perform referrer host checks if CSRF protection is enabled
+ if (!disableCSRFProtection) {
+ boolean refCheckPassed = true;
+ String refHeader = request.getHeader("Referer");
+ // empty referrer is always allowed
+ if (refHeader != null) {
+ URL referrer = new URL(refHeader);
+ // referrer.host == server.host is always allowed
+ if (!referrer.getHost().equals(request.getServerName())) {
+ // check against all explicitly allowed host names
+ refCheckPassed = false;
+ if (allowedReferrerHosts != null) {
+ for (int i=0; i
+
+
4
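Review bot: `URL referrer = new URL(refHeader);` throws MalformedURLException for a Referer value that is not a well-formed URL and nothing in the hunk catches it; since MalformedURLException is an IOException it will most likely propagate out of service() as a server error instead of being treated as a failed check. Parse inside a try/catch and fail closed as in the excerpt below (this needs `import java.net.MalformedURLException;` next to the added `java.net.URL` import). The comparison `referrer.getHost().equals(request.getServerName())` is case-sensitive while host names are not, so `equalsIgnoreCase` here and in the allowed-host loop avoids rejecting legitimate same-host requests that differ only in letter case. An absent Referer is accepted by design (`// empty referrer is always allowed`), and `getServerName()` is normally derived from the client-supplied Host header unless the container is configured otherwise, so this is a mitigation rather than a complete CSRF defence and the method Javadoc should say so. The allowed-host loop and the remainder of the method are cut off in this view.
```java
        if (refHeader != null) {
            URL referrer = null;
            try {
                referrer = new URL(refHeader);
            } catch (MalformedURLException e) {
                // unparsable Referer: treat as a failed check rather than a server error
                refCheckPassed = false;
            }
            // referrer.host == server.host is always allowed; host names compare case-insensitively
            if (referrer != null && !referrer.getHost().equalsIgnoreCase(request.getServerName())) {
                refCheckPassed = false;
                // … unchanged: loop over allowedReferrerHosts (use equalsIgnoreCase there too) …
```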
@@ -321,7 +337,22 @@
50
Number of concurrent requests expected. Default value is 50.
- 5
+
+ 5
Index: jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java
===================================================================
--- jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java (revision 1151475)
+++ jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java (working copy)
@@ -93,6 +93,15 @@
public static final String INIT_PARAM_MIME_INFO = "mime-info";
/**
+ * Name of the parameter that specifies the configuration of the CSRF protection.
+ * May contain a comma-separated list of allowed referrer hosts.
+ * If the parameter is omitted or left empty the behaviour is to only allow requests which have an empty referrer
+ * or a referrer host equal to the server host.
+ * If the parameter is set to 'disabled' no referrer checks will be performed at all.
+ */
+ public static final String INIT_PARAM_CSRF_PROTECTION = "csrf-protection";
+
+ /**
* Servlet context attribute used to store the path prefix instead of
* having a static field with this servlet. The latter causes problems
* when running multiple
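Review bot: The Javadoc on `INIT_PARAM_CSRF_PROTECTION` promises that omitting the parameter and leaving it empty behave the same, but the initialisation code later in this patch trims the value and then calls `csrfParam.split(",")` without an emptiness check, and `"".split(",")` yields a single empty-string element rather than an empty array. Whether that empty entry can match a referrer host depends on the comparison loop, which is truncated in this view, but either way the two cases are not equivalent as documented. Guard the split with `if (csrfParam.length() > 0)` (or `isEmpty()` if the module's Java level allows) so that an empty parameter leaves `allowedReferrerHosts` null, or reword the Javadoc to describe only the omitted case.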
@@ -177,6 +186,20 @@
log.debug("Unable to build resource filter provider", e);
}
}
+
+ // read csrf protection params
+ String csrfParam = getInitParameter(INIT_PARAM_CSRF_PROTECTION);
+ if (csrfParam != null) {
+ csrfParam = csrfParam.trim();
+ if ("disabled".equalsIgnoreCase(csrfParam)) {
+ disableCSRFProtection = true;
+ } else {
+ allowedReferrerHosts = csrfParam.split(",");
+ for (int i=0; i