

Merge pull request #1456 from guusdk/OF-1251_CSRF-XXE-XSS_4_4
OF-1251: Harden admin console for XSS and CSRF (4.4 branch)
akrherz committed Aug 20, 2019
2 parents 55eb6cb + e7d3ae7 commit fe5d9a9
Showing 36 changed files with 1,698 additions and 1,586 deletions.
4 changes: 4 additions & 0 deletions i18n/src/main/resources/openfire_i18n.properties
Expand Up @@ -2005,6 +2005,7 @@ setup.env.check.jdk=At least JRE 1.8
setup.env.check.servlet=Servlet 2.3 Support
setup.env.check.jsp=JSP 1.2 Support
setup.env.check.class=Classes
setup.env.check.jive=Openfire Home found
setup.env.check.not_home=Home not found. Define system property "openfireHome" or create and add the openfire_init.xml file to the classpath
setup.env.check.doc=Please read the installation documentation and try setting up your environment again. After making changes, restart your appserver and load this page again.

Expand Down Expand Up @@ -2109,7 +2110,10 @@ setup.datasource.standard.min=Minimum:
setup.datasource.standard.max=Maximum:
setup.datasource.standard.pool=The minimum and maximum number of database connections the \
connection pool should maintain.
setup.datasource.standard.min_connections=Minimum Connections:
setup.datasource.standard.max_connections=Maximum Connections:
setup.datasource.standard.timeout=Connection Timeout:
setup.datasource.standard.timeout.days=Days
setup.datasource.standard.timeout_info=The time (in days) before connections in the connection \
pool are recycled.
setup.datasource.standard.note=Note, it might take between 30-60 seconds to connect to your database.
Expand Up @@ -16,6 +16,7 @@

package org.jivesoftware.database;

import java.io.File;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
Expand All @@ -27,6 +28,7 @@
import java.sql.Statement;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.MissingResourceException;

import org.jivesoftware.util.ClassUtils;
Expand Down Expand Up @@ -109,6 +111,45 @@ private static void ensureConnectionProvider() {
}
}

/**
* Attempts to create a connection to the database and execute a query.
*
* @param errors A map populated with errors if they occur.
* @return true if the test was successful, otherwise false.
*/
public static boolean testConnection( Map<String,String> errors ) {
boolean success = true;
try ( final Connection con = DbConnectionManager.getConnection() )
{
// See if the Jive db schema is installed.
try
{
Statement stmt = con.createStatement();
// Pick an arbitrary table to see if it's there.
stmt.executeQuery( "SELECT * FROM ofID" );
stmt.close();
}
catch ( SQLException sqle )
{
success = false;
Log.error( "The Openfire database schema does not appear to be installed.", sqle );
errors.put( "general", "The Openfire database schema does not "
+ "appear to be installed. Follow the installation guide to "
+ "fix this error." );
}
}
catch ( SQLException exception )
{
success = false;
Log.error( "Unable to connect to the database.", exception );
errors.put( "general", "A connection to the database could not be "
+ "made. View the error message by opening the "
+ "\"" + File.separator + "logs" + File.separator + "error.log\" log "
+ "file, then go back to fix the problem." );
}
return success;
}

/**
* Returns a database connection from the currently active connection
* provider. An exception will be thrown if no connection was found.
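Review bot: The `Statement` created at `Statement stmt = con.createStatement();` is only closed on the success path, and the `ResultSet` returned by `stmt.executeQuery( "SELECT * FROM ofID" )` is never closed; when the query throws, `stmt.close()` is skipped and reclaiming it is left to the connection's try-with-resources, which is driver-dependent. Put both in a try-with-resources, `try ( Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery( "SELECT * FROM ofID" ) ) { /* schema present */ }`, importing `java.sql.ResultSet` if it is not already in scope. `SELECT *` also pulls the whole table back when only its existence matters; a predicate such as `WHERE 1=0` would be cheaper, though it should be checked against every supported database. The enclosing class continues outside the hunk.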
5 changes: 5 additions & 0 deletions xmppserver/src/main/resources/META-INF/admin.tld
Expand Up @@ -221,5 +221,10 @@
<function-class>org.jivesoftware.util.JiveGlobals</function-class>
<function-signature>java.lang.String formatTime(java.util.Date)</function-signature>
</function>
<function>
<name>chopAtWord</name>
<function-class>org.jivesoftware.util.StringUtils</function-class>
<function-signature>java.lang.String chopAtWord(java.lang.String,int)</function-signature>
</function>

</taglib>
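Review bot: `chopAtWord` is registered here as an EL function that returns raw text, so it is only safe in a page when escaping is applied after chopping, e.g. `<c:out value="${admin:chopAtWord(x, 50)}"/>` (assuming the taglib prefix is `admin`); chopping an already-escaped string can cut an entity such as `&amp;` in half, and the JSPs that call it are outside this hunk, so that ordering is worth checking there. The same `<function>` block is added to three copies of admin.tld in this commit (`src/main/resources/META-INF`, `webapp/META-INF`, `webapp/WEB-INF`), and nothing in the file says they must match; a comment next to the new entry, e.g. `<!-- keep in sync with the admin.tld copies under webapp/META-INF and webapp/WEB-INF -->`, would save the next change from updating only one.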
5 changes: 5 additions & 0 deletions xmppserver/src/main/webapp/META-INF/admin.tld
Expand Up @@ -229,5 +229,10 @@
<function-class>org.jivesoftware.util.JiveGlobals</function-class>
<function-signature>java.lang.String formatTime(java.util.Date)</function-signature>
</function>
<function>
<name>chopAtWord</name>
<function-class>org.jivesoftware.util.StringUtils</function-class>
<function-signature>java.lang.String chopAtWord(java.lang.String,int)</function-signature>
</function>

</taglib>
5 changes: 5 additions & 0 deletions xmppserver/src/main/webapp/WEB-INF/admin.tld
Expand Up @@ -229,5 +229,10 @@
<function-class>org.jivesoftware.util.JiveGlobals</function-class>
<function-signature>java.lang.String formatTime(java.util.Date)</function-signature>
</function>
<function>
<name>chopAtWord</name>
<function-class>org.jivesoftware.util.StringUtils</function-class>
<function-signature>java.lang.String chopAtWord(java.lang.String,int)</function-signature>
</function>

</taglib>
8 changes: 7 additions & 1 deletion xmppserver/src/main/webapp/ldap-group.jsp
Expand Up @@ -6,8 +6,14 @@
String currentPage = "ldap-group.jsp";
String testPage = "setup/setup-ldap-group_test.jsp";
String nextPage = "profile-settings.jsp";
Map<String, String> meta = new HashMap<String, String>();
Map<String, String> meta = new HashMap<>();
meta.put("pageID", "profile-settings");
pageContext.setAttribute( "initialSetup", initialSetup );
pageContext.setAttribute( "currentPage", currentPage );
pageContext.setAttribute( "testPage", testPage );
pageContext.setAttribute( "nextPage", nextPage );
pageContext.setAttribute( "meta", meta );
%>

<style type="text/css" title="setupStyle" media="screen">
7 changes: 7 additions & 0 deletions xmppserver/src/main/webapp/ldap-server.jsp
Expand Up @@ -7,6 +7,13 @@
String nextPage = "ldap-user.jsp";
Map<String, String> meta = new HashMap<String, String>();
meta.put("pageID", "profile-settings");
pageContext.setAttribute( "serverType", serverType );
pageContext.setAttribute( "initialSetup", initialSetup );
pageContext.setAttribute( "currentPage", currentPage );
pageContext.setAttribute( "testPage", testPage );
pageContext.setAttribute( "nextPage", nextPage );
pageContext.setAttribute( "meta", meta );
%>

<style type="text/css" title="setupStyle" media="screen">
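Review bot: `Map<String, String> meta = new HashMap<String, String>();` keeps the explicit type arguments while the sibling files in this commit (ldap-user.jsp, ldap-group.jsp) change the same line to the diamond form; make it `Map<String, String> meta = new HashMap<>();` so the three LDAP pages stay consistent. The values pushed into `pageContext` here (`serverType`, `initialSetup`, `currentPage`, ...) are assigned before the hunk starts, so where they come from, and whether any of them is request-derived and must still be escaped where the page prints it, is not visible from this section.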
8 changes: 7 additions & 1 deletion xmppserver/src/main/webapp/ldap-user.jsp
Expand Up @@ -6,8 +6,14 @@
String currentPage = "ldap-user.jsp";
String testPage = "setup/setup-ldap-user_test.jsp";
String nextPage = "ldap-group.jsp";
Map<String, String> meta = new HashMap<String, String>();
Map<String, String> meta = new HashMap<>();
meta.put("pageID", "profile-settings");
pageContext.setAttribute( "initialSetup", initialSetup );
pageContext.setAttribute( "currentPage", currentPage );
pageContext.setAttribute( "testPage", testPage );
pageContext.setAttribute( "nextPage", nextPage );
pageContext.setAttribute( "meta", meta );
%>

<style type="text/css" title="setupStyle" media="screen">
73 changes: 25 additions & 48 deletions xmppserver/src/main/webapp/pubsub-form-table.jsp
Expand Up @@ -29,7 +29,7 @@ detailPreFix - property prefix for additional detail to be displayed against the
function detect_enter_keyboard(event) {
var key_board_keycode = event.which || event.keyCode;
if (key_board_keycode == 13) {
if (key_board_keycode === 13) {
event.preventDefault();
var target = event.target || event.srcElement;
var buttonId = target.id.split('-')[0] + '-Add';
Expand Down Expand Up @@ -57,82 +57,59 @@ detailPreFix - property prefix for additional detail to be displayed against the
<table cellpadding="3" cellspacing="0" border="0" width="1%">
<tbody>
<c:forEach var="field" items="${requestScope.fields}">
<c:if
test="${not requestScope.nonDisplayFields.contains(field.variable)}">
<c:if test="${not requestScope.nonDisplayFields.contains(field.variable)}">
<tr>
<td nowrap style="min-width: 300px"><label
style="font-weight: bold" for="${field.variable}">${field.label}</label></td>
<c:set var="isList"
value="${field.type.name() eq 'list_multi' or field.type.name() eq 'jid_multi'}" />
<c:set var="isList" value="${field.type.name() eq 'list_multi' or field.type.name() eq 'jid_multi'}" />
<c:set var="fieldId" value="${fn:escapeXml(field.variable)}"/>
<td nowrap style="min-width: 300px"><label style="font-weight: bold" for="${fieldId}"><c:out value="${field.label}"/></label></td>
<c:choose>
<c:when test="${field.type.name() eq 'boolean_type'}">
<td width="1%" rowspan="2"><input type="checkbox"
name="${field.variable}" id="${field.variable}"
${field.firstValue == 1 ? 'checked="checked"' : '' } /></td>
<td width="1%" rowspan="2"><input type="checkbox" name="${fieldId}" id="${fieldId}" ${field.firstValue == 1 ? 'checked="checked"' : '' } /></td>
</c:when>
<c:when test="${field.type.name() eq 'text_single'}">
<td width="1%" rowspan="2"><input type="text"
name="${field.variable}" id="${field.variable}"
value="${field.firstValue}" style="width: 200px;" /></td>
<td width="1%" rowspan="2"><input type="text" name="${fieldId}" id="${fieldId}" value="${fn:escapeXml(field.firstValue)}" style="width: 200px;" /></td>
</c:when>
<c:when test="${field.type.name() eq 'list_single'}">
<td width="1%" rowspan="2"><select name="${field.variable}"
id="${field.variable}" style="width: 200px;">
<td width="1%" rowspan="2"><select name="${fieldId}" id="${fieldId}" style="width: 200px;">
<c:forEach var="option" items="${field.options}">
<option value="${option.value}"
${option.value == field.firstValue ? 'selected' : '' }>
${option.label ? option.label : option.value }
<option value="${fn:escapeXml(option.value)}" ${option.value == field.firstValue ? 'selected' : '' }>
<c:out value="${option.label ? option.label : option.value}"/>
</option>
</c:forEach>
</select></td>
</c:when>
<c:when test="${isList and not empty field.options}">
<td width="1%" rowspan="2"><select name="${field.variable}"
id="${field.variable}" style="width: 200px;" multiple>
<td width="1%" rowspan="2"><select name="${fieldId}" id="${fieldId}" style="width: 200px;" multiple>
<c:forEach var="option" items="${field.options}">
<option value="${option.value}"
${ field.values.contains(option.value) ? 'selected' : '' }>
${option.label ? option.label : option.value }
<option value="${fn:escapeXml(option.value)}" ${ field.values.contains(option.value) ? 'selected' : '' }>
<c:out value="${option.label ? option.label : option.value }"/>
</option>
</c:forEach>
</select>
<button type="button"
onclick="clearSelected('${field.variable}')">
<button type="button" onclick="clearSelected('${fieldId}')">
<fmt:message key="pubsub.form.clearSelection" />
</button></td>
</c:when>
<c:when test="${isList and empty field.options}">
<td rowspan="2">
<div class="jive-table">
<table id="${field.variable}" cellpadding="0" cellspacing="0"
border="0" width="100%">
<table id="${fieldId}" cellpadding="0" cellspacing="0" border="0" width="100%">
<thead>
<tr>
<th scope="col"><fmt:message
key="pubsub.form.${listTypes[field.variable]}" /></th>
<th scope="col"><fmt:message key="pubsub.form.${listTypes[field.variable]}" /></th>
<th scope="col"><fmt:message key="pubsub.form.action" /></th>
</tr>
</thead>
<tbody>
<c:forEach var="value" items="${field.values}"
varStatus="loop">
<tr id="${field.variable}${loop.index}">
<td><input type="hidden" name="${field.variable}"
value="${value}" />${value}</td>
<td>
<button type="button"
onclick="deleteTableRow('${field.variable}${loop.index}')">Remove</button>
</td>
<c:forEach var="value" items="${field.values}" varStatus="loop">
<tr id="${fieldId}${loop.index}">
<td><input type="hidden" name="${fieldId}" value="${fn:escapeXml(value)}" /><c:out value="${value}"/></td>
<td><button type="button" onclick="deleteTableRow('${fieldId}${loop.index}')">Remove</button></td>
</tr>
</c:forEach>
<tr>
<td><input type="text" style="width: 200px;"
id="${field.variable}-Additional"
name="${field.variable}-Additional"
onkeypress="detect_enter_keyboard(event)" /></td>
<td><input type="submit" id="${field.variable}-Add"
name="${field.variable}-Add"
value="<fmt:message key="global.add" />"></td>
<td><input type="text" style="width: 200px;" id="${fieldId}-Additional" name="${fieldId}-Additional" onkeypress="detect_enter_keyboard(event)" /></td>
<td><input type="submit" id="${fieldId}-Add" name="${fieldId}-Add" value="<fmt:message key="global.add" />"></td>
</tr>
</tbody>
</table>
Expand All @@ -142,11 +119,11 @@ detailPreFix - property prefix for additional detail to be displayed against the
</c:choose>
</tr>
<tr>
<td><fmt:message var="detail"
key="${param.detailPreFix}.${fn:substringAfter(field.variable, '#')}" />
<td><fmt:message var="detail" key="${param.detailPreFix}.${fn:substringAfter(field.variable, '#')}" />
<c:if test="${not fn:startsWith(detail, '???')}">
<c:out value="${detail}" />
</c:if></td>
</c:if>
</td>
</tr>
</c:if>
</c:forEach>
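Review bot: `fn:escapeXml` is the wrong escaper for the two inline-JavaScript contexts, `onclick="clearSelected('${fieldId}')"` and `onclick="deleteTableRow('${fieldId}${loop.index}')"`: the browser HTML-decodes the attribute value before the script parser sees it, so a `'` in `field.variable` (emitted as `&#039;`) arrives in the JS string literal as a plain quote and can terminate it. Whether `field.variable` can actually carry a quote depends on what builds these data-form fields, which is outside this file, but the fix costs nothing: derive the target from the DOM instead of interpolating, `onclick="clearSelected(this.previousElementSibling.id)"` for the button that follows the `<select>` and `onclick="deleteTableRow(this.parentNode.parentNode.id)"` for the row button (the `<tr>` already carries that id), assuming both helpers take an element id as the current calls suggest. The `id`/`name`/`for`/`value` attribute uses of `${fieldId}` and the `<c:out>` text nodes are correctly escaped for their HTML context. The `<fmt:message var="detail" key="${param.detailPreFix}....">` lookup still builds its key from a request parameter; the `???` guard plus `<c:out>` keep the output safe, so this only merits a comment there, e.g. `<%-- detailPreFix is supplied by the including page; unknown keys render as ???key??? and are suppressed below --%>`.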

