16 changes: 16 additions & 0 deletions
16
src/Umbraco.Web.UI/umbraco_client/Application/Extensions.js
45 changes: 30 additions & 15 deletions
45
src/Umbraco.Web/WebApi/Filters/AngularAntiForgeryHelper.cs
2 changes: 2 additions & 0 deletions
2
src/Umbraco.Web/WebServices/ExamineManagementApiController.cs
Fixes U4-7459 XSRF protection bypass - ensures tokens are checked for the non-editor api controllers
Showing
9 changed files
with
116 additions
and
16 deletions.
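--- a/src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs
+++ b/src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs
@@ -0,0 +1,61 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Security.Claims;
+using System.Web.Mvc;
+using Umbraco.Web.WebApi.Filters;
+
+namespace Umbraco.Web.Mvc
+{
+/// <summary>
+/// A filter to check for the csrf token based on Angular's standard approach
+/// </summary>
+/// <remarks>
+/// Code derived from http://ericpanorel.net/2013/07/28/spa-authentication-and-csrf-mvc4-antiforgery-implementation/
+///
+/// If the authentication type is cookie based, then this filter will execute, otherwise it will be disabled
+/// </remarks>
+public sealed class ValidateMvcAngularAntiForgeryTokenAttribute : ActionFilterAttribute
+{
+public override void OnActionExecuting(ActionExecutingContext filterContext)
+{
+var userIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;
+if (userIdentity != null)
+{
+//if there is not CookiePath claim, then exist
+if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
+{
+base.OnActionExecuting(filterContext);
+return;
+}
+}
+
+string failedReason;
+var headers = new List<KeyValuePair<string, List<string>>>();
+foreach (var key in filterContext.HttpContext.Request.Headers.AllKeys)
+{
+if (headers.Any(x => x.Key == key))
+{
+var found = headers.First(x => x.Key == key);
+found.Value.Add(filterContext.HttpContext.Request.Headers[key]);
+}
+else
+{
+headers.Add(new KeyValuePair<string, List<string>>(key, new List<string> { filterContext.HttpContext.Request.Headers[key] }));
+}
+}
+var cookie = filterContext.HttpContext.Request.Cookies[AngularAntiForgeryHelper.CsrfValidationCookieName];
+if (AngularAntiForgeryHelper.ValidateHeaders(
+headers.Select(x => new KeyValuePair<string, IEnumerable<string>>(x.Key, x.Value)).ToArray(),
+cookie == null ? "" : cookie.Value,
+out failedReason) == false)
+{
+var result = new HttpStatusCodeResult(HttpStatusCode.ExpectationFailed);
+filterContext.Result = result;
+return;
+}
+
+base.OnActionExecuting(filterContext);
+}
+}
+}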
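Review bot: The early return guarded by `if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)` fails open: a request whose ClaimsIdentity lacks a CookiePath claim skips token validation entirely, so any cookie-backed identity built without that claim would leave these MVC actions exposed to the same XSRF bypass this commit sets out to close. Which component sets that claim is not visible here, so it is worth confirming it is always present on the backoffice cookie identity and documenting the dependency next to the check, e.g. `// CookiePath claim is added by cookie auth; absence is taken to mean a non-cookie scheme (bearer/basic) where XSRF does not apply — confirm before relying on it`. The comment above that check also has a typo: `//if there is not CookiePath claim, then exist` should read `then exit`. The header-collection loop can be simplified, since `Request.Headers` is a NameValueCollection whose `AllKeys` never repeats a key (so the `headers.Any(x => x.Key == key)` branch never runs) and whose indexer comma-joins multi-valued headers; `filterContext.HttpContext.Request.Headers.GetValues(key)` yields the individual values directly. Returning `HttpStatusCode.ExpectationFailed` is presumably chosen to match the existing Web API filter, though a 403 would be the more conventional signal for a rejected anti-forgery token.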