javaee / mojarra

PLEASE NOTE: This project has moved to Eclipse Foundation and will be archived under the JavaEE GitHub Organization. After Feb. 1, 2021, the new location will be github.com/javaee/mojarra.

Mojarra - Oracle's implementation of the JavaServer Faces specification
https://github.com/eclipse-ee4j/mojarra

CSRF Protected views tag fails when ports are default 80/443 #3517

Closed javaserverfaces closed 9 years ago

javaserverfaces commented 9 years ago

The CSRF check prevents the request when the referrer URL has default ports (80/443).

When a webserver is integrated with an appserver, the referrer header values may also come with default ports, e.g. referer=http:///pages/home.xhtml

The current check for ports ignores default ports and throws an exception as if the request is forged. ref: src/main/java/com/sun/faces/lifecycle/RestoreViewPhase.java

Precondition: Configure the urls with tags.

Affected Versions

[2.2.6, 2.2.7, 2.2.8]

javaserverfaces commented 9 years ago

Reported by KrishnanGNV

javaserverfaces commented 9 years ago

@manfredriem said: Can you please send a reproducer (with sources) to issues@javaserverfaces.java.net? Thanks!

javaserverfaces commented 9 years ago

krishnangnv said: Below is the source code in the JSF implementation that is failing:

Pre Conditions:

- Step 1: Integrate a webserver with an app server, say Apache with JBoss, with Apache listening on port 80/443.
- Step 2: Configure a URL pattern in the Protected Views tag in faces-config.xml.
- Step 3: The Referrer header set in the request is of the pattern https:///pages/home.xhtml. Please note there is no port in the above URL set by browsers.

Issues in com.sun.faces.lifecycle.RestoreViewPhase method maybeTakeProtectedViewAction(... ) implementation

The above URL https:///pages/home.xhtml matches as an absolute URI as per the code below:

```java
private boolean originatesInWebapp(FacesContext context, String view, ViewDeclarationLanguage vdl) throws URISyntaxException {
    boolean isAbsoluteURI = view.matches("^[a-z]+://.*");
    // ... (rest of the method omitted in the report)
}
```

and subsequently the port is checked in the code below:

```java
// URI.getPort() returns -1 when the URL carries no explicit port
if (-1 == uri.getPort()) {
    portsMatch = false;
}
```

Either the regular expression has to include the presence of a port, or when uri.getPort returns -1, a check needs to be done whether the JSF environment listens on a default port like 80/443.

Hope this provides a background to debug and fix the issue.
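An added example (not Mojarra's code) of the fix this report asks for: when java.net.URI.getPort() returns -1, derive the effective port from the scheme, then compare scheme, host and port against the server's own values instead of treating a missing port as a mismatch. The class name, method names, host names and ports are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Illustrative referer-origin check with default-port normalisation. */
public class RefererPortCheck {

    /** Port actually in use: the explicit one, or the scheme default when
     *  the URL omits it, as browsers do for 80/443 (URI.getPort() gives -1). */
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        switch (scheme) {
            case "http":  return 80;
            case "https": return 443;
            default:      return -1;   // unknown scheme: no default to assume
        }
    }

    /** The behaviour the report describes: a referer without an explicit port never matches. */
    static boolean portsMatchBuggy(URI referer, int serverPort) {
        return referer.getPort() != -1 && referer.getPort() == serverPort;
    }

    /** Hardened comparison: scheme, host and effective port must all agree
     *  with the server's own view of the request. */
    static boolean originatesInWebapp(URI referer, String serverScheme,
                                      String serverHost, int serverPort) {
        if (referer.getScheme() == null || referer.getHost() == null) {
            return false;                    // relative or malformed referer: reject
        }
        return referer.getScheme().equalsIgnoreCase(serverScheme)
            && referer.getHost().equalsIgnoreCase(serverHost)
            && effectivePort(referer) == serverPort;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: Apache on 443 in front of the app server, browser omits the port.
        URI referer = new URI("https://app.example.com/pages/home.xhtml");
        System.out.println("buggy check:    " + portsMatchBuggy(referer, 443));
        System.out.println("hardened check: " + originatesInWebapp(referer, "https", "app.example.com", 443));
        // Constructed sample from another origin, which the hardened check must still reject.
        URI foreign = new URI("https://other.example.net/pages/home.xhtml");
        System.out.println("foreign origin: " + originatesInWebapp(foreign, "https", "app.example.com", 443));
    }
}
```

The server-side scheme, host and port should come from the container's own view of the request (or from configuration behind a reverse proxy), not from the incoming headers.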

javaserverfaces commented 9 years ago

@manfredriem said: Can you please send a reproducer (a maven project with sources) to issues@javaserverfaces.java.net. I realize you can't give me the Apache part, but I would really like the web application, so I know for sure we are talking about the same thing. Thanks!

javaserverfaces commented 9 years ago

@manfredriem said: Lowering priority because of no response

javaserverfaces commented 9 years ago

@manfredriem said: Closing out because of no response

javaserverfaces commented 7 years ago

This issue was imported from java.net JIRA JAVASERVERFACES-3513

javaserverfaces commented 9 years ago

Marked as incomplete on Monday, February 23rd 2015, 6:49:10 am