
LUTECE-2184 : Add CSRF protection to portlet creation and modification #136

Status: Open. Wants to merge 2 commits into base branch develop.

Conversation

rzara (Member) commented Dec 3, 2017

No description provided.

jonenst (Member) commented Feb 15, 2018

Not sure about this change of keeping the request in the init method for all admin features.

rzara (Member, Author) commented Feb 16, 2018

This is necessary to avoid breaking the API and all existing portlets, while allowing existing portlets to benefit from the CSRF protection without having to opt in.
This is in a way similar to the LocalVariables mechanism available in FO.

rzara (Member, Author) commented Oct 24, 2018

@jonenst I'm not sure how to do that without breaking the API or without keeping the request accessible one way or another. Do you have an idea? How do you suggest fixing the CSRF vulnerability which affects all portlets?

jonenst (Member) commented Oct 24, 2018

Hi Rémi, thanks for the nudge on this one. We need to decide with @pierrelevy what to do.

rzara (Member, Author) commented Mar 15, 2019

ping @pierrelevy ?

rzara (Member, Author) commented Apr 16, 2019

Have another idea on how to do this. Will post an updated & rebased PR shortly

rzara added 2 commits April 17, 2019 11:32:
  The protection is in place if portlet JspBeans call setPortletCommonData.
  This allows AliasPortlets creation and modification to be CSRF protected
rzara (Member, Author) commented Apr 17, 2019

Rather than recording the request object in the base class for admin features, use the fact that Spring makes the request object available (à la LocalVariables, which is redundant with Spring)
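The following is an added illustration of the approach the comment above describes, not code from this pull request or from the Lutece project: a small CSRF token helper that fetches the current request through Spring's RequestContextHolder (which the DispatcherServlet or a RequestContextListener binds to the thread) instead of storing the request on the admin-feature base class. The class name CsrfTokenGuard, the session attribute key, the form parameter name and the SecurityException on failure are all assumptions for the example; a portlet JspBean's common-data handling would call validate() before applying a create or modify request and would embed token() in the form it renders.

```java
// Added example, not Lutece project code. Names below (CsrfTokenGuard,
// TOKEN_ATTRIBUTE, PARAMETER_NAME) are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

public final class CsrfTokenGuard {
    // Hypothetical session key holding the per-session secret token.
    private static final String TOKEN_ATTRIBUTE = "csrf.token";
    // Hypothetical hidden form field carrying the token back on submit.
    public static final String PARAMETER_NAME = "csrf_token";
    private static final SecureRandom RANDOM = new SecureRandom();

    private CsrfTokenGuard() {}

    /** Current request as bound to the thread by Spring; no need to keep it in a base class. */
    public static HttpServletRequest currentRequest() {
        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            throw new IllegalStateException("No HttpServletRequest bound to the current thread");
        }
        return attrs.getRequest();
    }

    /** Returns the session's token, generating 256 random bits on first use. Embed it in forms. */
    public static String token() {
        HttpSession session = currentRequest().getSession(true);
        String token = (String) session.getAttribute(TOKEN_ATTRIBUTE);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(TOKEN_ATTRIBUTE, token);
        }
        return token;
    }

    /**
     * Rejects a state-changing request (portlet creation/modification) unless the submitted
     * token matches the session's token. Comparison is constant-time via MessageDigest.isEqual.
     */
    public static void validate() {
        HttpServletRequest request = currentRequest();
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTRIBUTE);
        String submitted = request.getParameter(PARAMETER_NAME);
        if (expected == null || submitted == null) {
            throw new SecurityException("Missing CSRF token");
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {
            throw new SecurityException("Invalid CSRF token");
        }
    }
}
```

Because the token lives in the session and never in the base class, existing portlets gain the check wherever the shared create/modify path calls validate(), which is the "no opt-in required" property the earlier comments ask for; the request itself is only ever read from the thread-bound Spring holder.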

@rzara rzara requested a review from pierrelevy April 17, 2019 10:11
@seboo seboo force-pushed the develop branch 3 times, most recently from 135e4f9 to e399c1d Compare July 27, 2021 10:37

2 participants