On 14/12/2015 20:49, Baron Fujimoto wrote:
> On Fri, Dec 11, 2015 at 05:02:43PM -1000, Baron Fujimoto wrote:
>> On Sat, Dec 12, 2015 at 12:16:01AM +0000, Mark Thomas wrote:

<snip/>

>> I've confirmed that the problem begins with 8.0.29.

Looking through the changelog it is hard to see how any of the changes
not in the Catalina section could trigger this. So, focussing on that
section...

>>> If you can find out how the CSRF protection is adding the token then
>>> that will also help since it gives an idea of what to look for in the
>>> changelog.
>>
>> I believe it's done using the OWASP CSRFGuard Project, and I have the
>> property files generated by the Grouper devs that define its
>> configuration. I'll query the Grouper folks to confirm and see if they
>> can provide a relevant and succinct explanation about this in particular.
> 
> The Grouper devs explain, "Javascript sets an HTTP header called
> OWASP_CSRFTOKEN: on requests (some excluded per properties file)".

That doesn't explain how/where the token is generated or what component
validates it server side. I'm guessing a Filter does the validation.

> Per the properties file, I believe the following are excluded:
>
> org.owasp.csrfguard.unprotected.Default=%servletContext%/

Hmm. This first one combined with the last entry in the Catalina section
of the 8.0.29 changelog look like a possibility.

Try each of the following (one at a time, not together) to see if they
fix it:

a) Add the following (note the lack of trailing slash) to the properties
file:

org.owasp.csrfguard.unprotected.Upload=%servletContext%

b) Set mapperContextRootRedirectEnabled="true" and
mapperDirectoryRedirectEnabled="true" on the Context in
$CATALINA_BASE/conf/context.xml

Mark


> org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
> org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
> org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
> org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
> org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
> org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
> org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
> org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
> org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
> org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
> 
> CSRFGuard defines the following actions for a detected attack:
> 
> org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
> org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
> org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> 
> Other misc CSRFGuard confs:
> 
> org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> org.owasp.csrfguard.TokenLength=32
> org.owasp.csrfguard.PRNG=SHA1PRNG
> org.owasp.csrfguard.PRNG.Provider=SUN
> 
> org.owasp.csrfguard.JavascriptServlet.domainStrict = true
> org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
> org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
> org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
> org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
> org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
> 
> Here is an example of a resulting URL/token that results in the error.
> 
> <https://foo.example.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=0JO3-QLCE-98Q4-35G2-6ADK-A352-3NNJ-4H5O>
> 
> Aloha,
> -baron
> 

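An added model (not CSRFGuard's or Tomcat's own code) of the interaction suspected above: the filter compares the request URI against the exact strings listed as unprotected, so whether Tomcat first redirects `/grouper` to `/grouper/` decides whether the entry page is checked for a token. The context path `/grouper`, the key name `ContextRoot` and the properties excerpt are constructed for the example.

```python
"""Model of a CSRFGuard-style unprotected list meeting Tomcat's context-root
redirect. Constructed example; exact-string matching is assumed."""

# Constructed excerpt in the format of the properties quoted in the thread.
PROPERTIES = """
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
"""

# Suggestion (a) from the reply, under a fresh key so no existing entry is replaced.
FIXED_PROPERTIES = PROPERTIES + "org.owasp.csrfguard.unprotected.ContextRoot=%servletContext%\n"


def unprotected_uris(properties: str, servlet_context: str) -> set:
    """Collect every unprotected.* value with %servletContext% substituted."""
    uris = set()
    for line in properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("org.owasp.csrfguard.unprotected."):
            uris.add(value.strip().replace("%servletContext%", servlet_context))
    return uris


def tomcat_request_uri(raw_uri: str, context: str, context_root_redirect: bool) -> str:
    """URI that reaches the filter chain.

    With the mapper's context-root redirect enabled, a request for the bare
    context path is answered with a redirect to the slash-terminated form, so the
    application (and its CSRF filter) only ever sees '/grouper/'. With it
    disabled, '/grouper' itself is dispatched to the application.
    """
    if context_root_redirect and raw_uri == context:
        return context + "/"
    return raw_uri


def needs_token(raw_uri: str, context: str, properties: str, context_root_redirect: bool) -> bool:
    """True when the filter would demand an OWASP_CSRFTOKEN for this request."""
    uri = tomcat_request_uri(raw_uri, context, context_root_redirect)
    return uri not in unprotected_uris(properties, context)


if __name__ == "__main__":
    for redirect, props in ((True, PROPERTIES), (False, PROPERTIES), (False, FIXED_PROPERTIES)):
        print(f"redirect={redirect!s:5} fixed={props is FIXED_PROPERTIES!s:5} "
              f"token required for /grouper: {needs_token('/grouper', '/grouper', props, redirect)}")
```

A fresh key name is used for the extra entry because in a Java properties file the last definition of a key wins, so reusing an existing key such as `Upload` would silently replace that entry.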
