On Mon, Dec 14, 2015 at 09:12:20PM +0000, Mark Thomas wrote:
>On 14/12/2015 20:49, Baron Fujimoto wrote:
>> On Fri, Dec 11, 2015 at 05:02:43PM -1000, Baron Fujimoto wrote:
>>> On Sat, Dec 12, 2015 at 12:16:01AM +0000, Mark Thomas wrote:
>
><snip/>
>
>>> I've confirmed that the problem begins with 8.0.29.
>
>Looking through the changelog it is hard to see how any of the changes
>not in the Catalina section could trigger this. So, focussing on that
>section...
>
>>>> If you can find out how the CSRF protection is adding the token then
>>>> that will also help since it gives an idea of what to look for in the
>>>> changelog.
>>>
>>> I believe it's done using the OWASP CSRFGuard Project, and I have the
>>> property files generated by the Grouper devs that define its
>>> configuration. I'll query the Grouper folks to confirm and see if they
>>> can provide a relevant and succinct explanation about this in particular.
>>
>> The Grouper devs explain, "Javascript sets an HTTP header called
>> OWASP_CSRFTOKEN: on requests (some excluded per properties file)".
>
>That doesn't explain how/where the token is generated or what component
>validates it server side. I'm guessing a Filter does the validation.
>
>> Per the properties file, I believe the following are excluded:
>>
>> org.owasp.csrfguard.unprotected.Default=%servletContext%/
>
>Hmm. This first one combined with the last entry in the Catalina section
>of the 8.0.29 changelog look like a possibility.
>
>Try each of the following (one at a time, not together) to see if they
>fix it:

Neither of these, tried independently, appeared to have any effect.

>a) Add the following (note the lack of trailing slash) to the properties
>file:
>
>org.owasp.csrfguard.unprotected.Upload=%servletContext%

I tried this as described, but since I wasn't sure if you really meant
the .Default property I also tried that, just in case (separate tests,
performed independently). I tried both by adding the suggested
definitions after their original definitions (in case they superseded
them) and by replacing the original definitions.

>b) Set mapperContextRootRedirectEnabled="true" and
>mapperDirectoryRedirectEnabled="true" on the Context in
>$CATALINA_BASE/conf/context.xml

The resulting $CATALINA_BASE/conf/context.xml was:

    <Context>
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
        mapperContextRootRedirectEnabled="true"
        mapperDirectoryRedirectEnabled="true"
    </Context>

Aloha,
-baron

>> org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
>> org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
>> org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
>> org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
>> org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
>> org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
>> org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>> org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
>> org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
>> org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
>>
>> CSRFGuard defines the following actions for a detected attack:
>>
>> org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>> org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery
>> (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
>> method:%request_method%, uri:%request_uri%,
>> error:%exception_message%)
>> org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
>> org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
>> org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>>
>> Other misc CSRFGuard confs:
>>
>> org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>> org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>> org.owasp.csrfguard.TokenLength=32
>> org.owasp.csrfguard.PRNG=SHA1PRNG
>> org.owasp.csrfguard.PRNG.Provider=SUN
>>
>> org.owasp.csrfguard.JavascriptServlet.domainStrict = true
>> org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
>> org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
>> org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
>> org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
>> org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
>>
>> Here is an example of a resulting URL/token that results in the error.
>>
>> <https://foo.example.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=0JO3-QLCE-98Q4-35G2-6ADK-A352-3NNJ-4H5O>
>>
>> Aloha,
>> -baron

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
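The following is an added, simplified model of the server-side check the thread is discussing; it is not CSRFGuard's, Grouper's or Tomcat's code. It takes the unprotected entries, token name and Redirect action from the properties quoted above, assumes `/grouper` as the servlet context path, and assumes CSRFGuard's usual matching for unprotected entries (exact URI, a `*` wildcard at either end, or a `^...$` regex), which is what makes `%servletContext%/` match the context root only with its trailing slash, the distinction Mark's suggestion (a) probes.

```python
import hmac
import re

TOKEN_NAME = "OWASP_CSRFTOKEN"      # org.owasp.csrfguard.TokenName above
SERVLET_CONTEXT = "/grouper"        # assumed context path for this model
REDIRECT_PAGE = "/grouper/error.html"   # action.Redirect.Page with %servletContext% expanded

# Unprotected entries as listed in the thread, %servletContext% expanded.
UNPROTECTED = [p.replace("%servletContext%", SERVLET_CONTEXT) for p in (
    "%servletContext%/",
    "%servletContext%/upload.html",
    "%servletContext%/JavaScriptServlet",
    "%servletContext%/error.html",
    "%servletContext%/index.html",
)]


def is_unprotected(uri: str) -> bool:
    """Assumed CSRFGuard rules: exact match, '*' prefix/suffix wildcard, or ^regex$."""
    for pat in UNPROTECTED:
        if pat.startswith("^") and pat.endswith("$"):
            if re.fullmatch(pat[1:-1], uri):
                return True
        elif pat.startswith("*"):
            if uri.endswith(pat[1:]):
                return True
        elif pat.endswith("*"):
            if uri.startswith(pat[:-1]):
                return True
        elif uri == pat:
            return True
    return False


def check_request(uri: str, session_token: str, header_token, params: dict):
    """Return ('allow', None) or ('redirect', page) the way the Redirect action would.

    The token may arrive in the OWASP_CSRFTOKEN header (set by the injected
    JavaScript) or as a request parameter of the same name (injected into forms).
    """
    if is_unprotected(uri):
        return ("allow", None)
    presented = header_token if header_token is not None else params.get(TOKEN_NAME)
    if presented is not None and hmac.compare_digest(presented, session_token):
        return ("allow", None)
    # Log action would record user/ip/method/uri here; Redirect action sends to error page.
    return ("redirect", REDIRECT_PAGE)
```

Requesting `/grouper` (no trailing slash) without a token is treated as a protected request and redirected, while `/grouper/` is excluded, so any redirect between the two forms is worth watching in the CSRFGuard log alongside the Tomcat access log.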