
CSRF protection.
kreinhard committed Dec 5, 2013
1 parent a9a5fd6 commit 422de35
Showing 20 changed files with 165 additions and 20 deletions.
15 changes: 15 additions & 0 deletions src/main/java/org/projectforge/web/admin/SetupForm.java
Expand Up @@ -40,6 +40,7 @@
import org.projectforge.database.InitDatabaseDao;
import org.projectforge.user.UserDao;
import org.projectforge.web.wicket.AbstractForm;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.WicketUtils;
import org.projectforge.web.wicket.bootstrap.GridBuilder;
import org.projectforge.web.wicket.components.MaxLengthTextField;
Expand Down Expand Up @@ -86,9 +87,15 @@ public class SetupForm extends AbstractForm<SetupForm, SetupPage>

private String encryptedPassword;

/**
* Cross site request forgery token.
*/
private final CsrfTokenHandler csrfTokenHandler;

public SetupForm(final SetupPage parentPage)
{
super(parentPage, "setupform");
csrfTokenHandler = new CsrfTokenHandler(this);
}

@Override
Expand Down Expand Up @@ -227,6 +234,7 @@ public void validate(final IValidatable<String> validatable)
@Override
public final void onSubmit()
{
csrfTokenHandler.onSubmit();
parentPage.finishSetup();
}
};
Expand All @@ -237,6 +245,13 @@ public final void onSubmit()
}
}

@Override
protected void onSubmit()
{
super.onSubmit();
csrfTokenHandler.onSubmit();
}

public SetupTarget getSetupMode()
{
return setupMode;
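Review bot: In the form's `onSubmit()` at L53-57 the token is verified only after `super.onSubmit()` has run, so whatever AbstractForm does on submit happens before the check; swapping the two lines, `csrfTokenHandler.onSubmit(); super.onSubmit();`, keeps the verification ahead of any action. The same order is used in SetupImportForm, SystemUpdateForm, RechnungCostEditTablePanel and AbstractMobileEditForm in this commit. On the finish path the handler now runs twice per request, once in the button's onSubmit at L44 and once in the form's at L56; that is only safe if `onSubmit()` is a pure comparison rather than consuming or rotating the token, which cannot be confirmed from here since CsrfTokenHandler is not in the diff, so a comment on the field such as `/** Verifies the posted CSRF token; may be invoked more than once per request. */` (if that holds) would settle it. Bear in mind that Wicket validates the form and pushes the posted values into the models before any onSubmit runs, so these checks guard the submit actions, not the model update.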
14 changes: 14 additions & 0 deletions src/main/java/org/projectforge/web/admin/SetupImportForm.java
Expand Up @@ -29,6 +29,7 @@
import org.apache.wicket.model.Model;
import org.apache.wicket.util.lang.Bytes;
import org.projectforge.web.wicket.AbstractForm;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.bootstrap.GridBuilder;
import org.projectforge.web.wicket.components.SingleButtonPanel;
import org.projectforge.web.wicket.flowlayout.FieldsetPanel;
Expand All @@ -42,10 +43,23 @@ public class SetupImportForm extends AbstractForm<SetupImportForm, SetupPage>

protected String filename;

/**
* Cross site request forgery token.
*/
private final CsrfTokenHandler csrfTokenHandler;

public SetupImportForm(final SetupPage parentPage)
{
super(parentPage, "importform");
initUpload(Bytes.megabytes(100));
csrfTokenHandler = new CsrfTokenHandler(this);
}

@Override
protected void onSubmit()
{
super.onSubmit();
csrfTokenHandler.onSubmit();
}

@Override
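Review bot: The token is checked only in `onSubmit()` at L91-92, after `super.onSubmit()`, while the multipart body (up to the 100 MB allowed by `initUpload` at L84) has already been parsed by Wicket before any onSubmit runs, so the check prevents acting on a forged upload but not reading it. Within this method `csrfTokenHandler.onSubmit()` should come first, ahead of `super.onSubmit()`; rejecting the request before the upload is processed would need a check in `onValidate()` or a validator, which is outside this commit. If the import button has its own onSubmit (outside the hunk), note that Wicket's `Form#delegateSubmit` invokes the submitting button's onSubmit before the form's, so that handler is not covered by this check.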
2 changes: 2 additions & 0 deletions src/main/java/org/projectforge/web/admin/SetupPage.html
Expand Up @@ -21,6 +21,7 @@
<div class="button_bar">
<wicket:container wicket:id="buttons">[action buttons]</wicket:container>
</div>
<input type="hidden" wicket:id="csrfToken" />
</form>
</div>
</div>
Expand All @@ -32,6 +33,7 @@
<div class="button_bar">
<wicket:container wicket:id="buttons">[action buttons]</wicket:container>
</div>
<input type="hidden" wicket:id="csrfToken" />
</form>
</div>
</div>
14 changes: 14 additions & 0 deletions src/main/java/org/projectforge/web/admin/SystemUpdateForm.java
Expand Up @@ -38,6 +38,7 @@
import org.projectforge.continuousdb.UpdatePreCheckStatus;
import org.projectforge.web.HtmlHelper;
import org.projectforge.web.wicket.AbstractForm;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.bootstrap.GridBuilder;
import org.projectforge.web.wicket.components.SingleButtonPanel;
import org.projectforge.web.wicket.flowlayout.CheckBoxPanel;
Expand All @@ -54,6 +55,11 @@ public class SystemUpdateForm extends AbstractForm<SystemUpdateForm, SystemUpdat

private GridBuilder gridBuilder;

/**
* Cross site request forgery token.
*/
private final CsrfTokenHandler csrfTokenHandler;

/**
* List to create content menu in the desired order before creating the RepeatingView.
*/
Expand All @@ -62,6 +68,7 @@ public class SystemUpdateForm extends AbstractForm<SystemUpdateForm, SystemUpdat
public SystemUpdateForm(final SystemUpdatePage parentPage)
{
super(parentPage);
csrfTokenHandler = new CsrfTokenHandler(this);
}

@Override
Expand Down Expand Up @@ -165,4 +172,11 @@ public void onBeforeRender()
super.onBeforeRender();
actionButtons.render();
}

@Override
protected void onSubmit()
{
super.onSubmit();
csrfTokenHandler.onSubmit();
}
}
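Review bot: The check at L152-153 lives in the form's `onSubmit()`, but this form's work is triggered by the action buttons in `actionButtons` (rendered at L146, populated outside the hunk), and in Wicket's `Form#delegateSubmit` the submitting button's `onSubmit()` runs before `Form#onSubmit()`; if those buttons execute the update scripts in their own onSubmit, the update has already run when the token is verified. The shape SetupForm uses for its finish button, `csrfTokenHandler.onSubmit()` as the first statement of each button's onSubmit, or a single check in the form's `onValidate()` so it precedes every submit handler, would close that gap. Within this method `csrfTokenHandler.onSubmit()` should also precede `super.onSubmit()`.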
Expand Up @@ -47,6 +47,7 @@ <h3 class="section">Update scripts</h3>
<div class="button_bar">
<wicket:container wicket:id="buttons">[action buttons]</wicket:container>
</div>
<input type="hidden" wicket:id="csrfToken" />
</form>
</wicket:extend>
</body>
1 change: 1 addition & 0 deletions src/main/java/org/projectforge/web/core/NavTopPanel.html
Expand Up @@ -39,6 +39,7 @@
</div>
<form class="navbar-search pull-left" wicket:id="searchForm" autocomplete="off">
<input type="text" class="search-query span2" placeholder="Search" wicket:id="searchField">
<input type="hidden" wicket:id="csrfToken" />
</form>
<ul class="nav pull-right">
<li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown"><span wicket:id="user">[Kai Reinhard]</span><b
8 changes: 8 additions & 0 deletions src/main/java/org/projectforge/web/core/NavTopPanel.java
Expand Up @@ -59,6 +59,7 @@
import org.projectforge.web.user.ChangePasswordPage;
import org.projectforge.web.user.MyAccountEditPage;
import org.projectforge.web.wicket.AbstractSecuredPage;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.FeedbackPage;
import org.projectforge.web.wicket.MySession;
import org.projectforge.web.wicket.WicketUtils;
Expand All @@ -82,6 +83,11 @@ public class NavTopPanel extends NavAbstractPanel

private BookmarkDialog bookmarkDialog;

/**
* Cross site request forgery token.
*/
private CsrfTokenHandler csrfTokenHandler;

public NavTopPanel(final String id, final UserXmlPreferencesCache userXmlPreferencesCache, final AccessChecker accessChecker)
{
super(id);
Expand Down Expand Up @@ -117,13 +123,15 @@ public void init(final AbstractSecuredPage page)
@Override
protected void onSubmit()
{
csrfTokenHandler.onSubmit();
if (StringUtils.isNotBlank(searchString) == true) {
final SearchPage searchPage = new SearchPage(new PageParameters(), searchString);
setResponsePage(searchPage);
}
super.onSubmit();
}
};
csrfTokenHandler = new CsrfTokenHandler(searchForm);
add(searchForm);
final TextField<String> searchField = new TextField<String>("searchField", new PropertyModel<String>(searchForm, "searchString"));
WicketUtils.setPlaceHolderAttribute(searchField, getString("search.search"));
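Review bot: `csrfTokenHandler` (L191) is assigned in `init(...)` at L208 rather than in the constructor, and its Javadoc calls it a token although it holds the handler; a comment such as `/** Verifies the search form's CSRF token; created in init(), null before that. */` would tell a reader why this field, unlike the sibling forms in this commit, is not final. The placement of the check at L200, before the search is dispatched and before `super.onSubmit()`, is the ordering the other forms in this commit should follow.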
5 changes: 4 additions & 1 deletion src/main/java/org/projectforge/web/dialog/ModalDialog.html
Expand Up @@ -3,7 +3,9 @@
<wicket:container wicket:id="mainSubContainer">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="myModalLabel" wicket:id="titleContainer"><span wicket:id="titleText">[title]</span></h3>
<h3 id="myModalLabel" wicket:id="titleContainer">
<span wicket:id="titleText">[title]</span>
</h3>
</div>
<form wicket:id="form" autocomplete="off">
<div class="modal-body" wicket:id="gridContent">
Expand All @@ -13,6 +15,7 @@ <h3 id="myModalLabel" wicket:id="titleContainer"><span wicket:id="titleText">[ti
<div class="modal-footer" wicket:id="buttonBar">
<wicket:container wicket:id="actionButtons" />
</div>
<input type="hidden" wicket:id="csrfToken" />
</form>
</wicket:container>
</div>
15 changes: 15 additions & 0 deletions src/main/java/org/projectforge/web/dialog/ModalDialog.java
Expand Up @@ -39,6 +39,7 @@
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.projectforge.web.core.NavTopPanel;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.WicketUtils;
import org.projectforge.web.wicket.bootstrap.GridBuilder;
import org.projectforge.web.wicket.components.SingleButtonPanel;
Expand Down Expand Up @@ -97,6 +98,11 @@ public abstract class ModalDialog extends Panel
*/
protected MyComponentsRepeater<Component> actionButtons;

/**
* Cross site request forgery token.
*/
protected CsrfTokenHandler csrfTokenHandler;

/**
* @param id
*/
Expand Down Expand Up @@ -231,6 +237,7 @@ public ModalDialog wantsNotificationOnClose()
@Override
protected void onEvent(final AjaxRequestTarget target)
{
csrfTokenHandler.onSubmit();
handleCloseEvent(target);
}
});
Expand Down Expand Up @@ -288,6 +295,7 @@ public ModalDialog open(final AjaxRequestTarget target)

public void close(final AjaxRequestTarget target)
{
csrfTokenHandler.onSubmit();
target.appendJavaScript("$('#" + getMainContainerMarkupId() + "').modal('hide');");
}

Expand Down Expand Up @@ -366,6 +374,7 @@ public ModalDialog clearContent()
protected void init(final Form< ? > form)
{
this.form = form;
csrfTokenHandler = new CsrfTokenHandler(form);
mainSubContainer.add(form);
form.add(gridContentContainer);
form.add(buttonBarContainer);
Expand All @@ -374,6 +383,7 @@ protected void init(final Form< ? > form)
@Override
public void callback(final AjaxRequestTarget target)
{
csrfTokenHandler.onSubmit();
onCancelButtonSubmit(target);
close(target);
}
Expand All @@ -385,6 +395,7 @@ public void callback(final AjaxRequestTarget target)
@Override
public void callback(final AjaxRequestTarget target)
{
csrfTokenHandler.onSubmit();
if (onCloseButtonSubmit(target)) {
close(target);
}
Expand All @@ -393,6 +404,7 @@ public void callback(final AjaxRequestTarget target)
@Override
public void onError(final AjaxRequestTarget target, final Form< ? > form)
{
csrfTokenHandler.onSubmit();
ModalDialog.this.onError(target, form);
}
}, closeButtonLabel != null ? closeButtonLabel : getString("close"), SingleButtonPanel.NORMAL);
Expand All @@ -416,6 +428,7 @@ private void initFeedback(final WebMarkupContainer container)

protected void ajaxError(final String error, final AjaxRequestTarget target)
{
csrfTokenHandler.onSubmit();
form.error(error);
target.add(formFeedback);
}
Expand All @@ -427,6 +440,7 @@ protected void ajaxError(final String error, final AjaxRequestTarget target)
*/
protected void handleCloseEvent(final AjaxRequestTarget target)
{
csrfTokenHandler.onSubmit();
}

/**
Expand Down Expand Up @@ -505,6 +519,7 @@ private SingleButtonPanel addNewAjaxActionButton(final AjaxCallback ajaxCallback
@Override
protected void onSubmit(final AjaxRequestTarget target, final Form< ? > form)
{
csrfTokenHandler.onSubmit();
ajaxCallback.callback(target);
}
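Review bot: Several of the new calls verify the token twice on one request: the cancel callback checks at L283 and then calls `close(target)`, which checks again at L267, and `onEvent` checks at L259 before `handleCloseEvent` checks once more at L315; `onError` at L299 and `ajaxError` at L307 are error-reporting paths rather than request entry points. Whether that is harmless depends on `CsrfTokenHandler.onSubmit()` being a pure comparison — if it consumes or rotates the token, the second call in the same request fails — and the handler is not visible in this diff. I would keep the check at the entry points only (the callbacks at L283 and L291, `onSubmit` at L323, `onEvent` at L259) and drop it from `close`, `handleCloseEvent`, `onError` and `ajaxError`, or else document on the handler that repeated calls within one request are safe. The `protected` field at L250 is also null until `init(form)` runs at L275, so a subclass calling `close(target)` before init gets a NullPointerException; its Javadoc should say `/** Verifies the dialog form's CSRF token; set in init(Form), null before that. */` rather than describing it as a token.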

Expand Up @@ -32,7 +32,10 @@
</tbody>
</table>
<div>
<wicket:message key="rest" />: <span wicket:id="restValue">[-1234,00]</span></div>
<wicket:message key="rest" />
: <span wicket:id="restValue">[-1234,00]</span>
</div>
<input type="hidden" wicket:id="csrfToken" />
</form>
</wicket:panel>
</body>
Expand Up @@ -54,6 +54,7 @@
import org.projectforge.fibu.kost.Kost2Dao;
import org.projectforge.fibu.kost.KostZuweisungDO;
import org.projectforge.fibu.kost.KostZuweisungenCopyHelper;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.WicketAjaxUtils;
import org.projectforge.web.wicket.WicketUtils;
import org.projectforge.web.wicket.components.MinMaxNumberField;
Expand Down Expand Up @@ -85,17 +86,31 @@ public class RechnungCostEditTablePanel extends Panel

MyAjaxComponentHolder ajaxComponents = new MyAjaxComponentHolder();

/**
* Cross site request forgery token.
*/
private final CsrfTokenHandler csrfTokenHandler;

/**
* @param id
*/
@SuppressWarnings("serial")
public RechnungCostEditTablePanel(final String id)
{
super(id);
feedbackPanel = new FeedbackPanel("feedback");
ajaxComponents.register(feedbackPanel);
add(feedbackPanel);
this.form = new Form<AbstractRechnungsPositionDO>("form");
this.form = new Form<AbstractRechnungsPositionDO>("form") {
@Override
protected void onSubmit()
{
super.onSubmit();
csrfTokenHandler.onSubmit();
}
};
add(form);
csrfTokenHandler = new CsrfTokenHandler(form);
rows = new RepeatingView("rows");
form.add(rows);
}
Expand Up @@ -28,6 +28,7 @@
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.markup.repeater.RepeatingView;
import org.projectforge.core.AbstractBaseDO;
import org.projectforge.web.wicket.CsrfTokenHandler;
import org.projectforge.web.wicket.mobileflowlayout.MobileGridBuilder;

public abstract class AbstractMobileEditForm<O extends AbstractBaseDO< ? >, P extends AbstractMobileEditPage< ? , ? , ? >> extends
Expand All @@ -39,10 +40,23 @@ public abstract class AbstractMobileEditForm<O extends AbstractBaseDO< ? >, P ex

protected MobileGridBuilder gridBuilder;

/**
* Cross site request forgery token.
*/
private final CsrfTokenHandler csrfTokenHandler;

public AbstractMobileEditForm(final P parentPage, final O data)
{
super(parentPage);
this.data = data;
csrfTokenHandler = new CsrfTokenHandler(this);
}

@Override
protected void onSubmit()
{
super.onSubmit();
csrfTokenHandler.onSubmit();
}

public O getData()
Expand Up @@ -19,6 +19,7 @@
<p>
<a wicket:id="submitButton" rel="external" data-role="button"><wicket:container wicket:id="label">[create or update]</wicket:container></a>
</p>
<input type="hidden" wicket:id="csrfToken" />
</form>
</div>
</wicket:extend>
