
Revision 1758771


Author: reschke
Date: Thu Sep 1 12:44:49 2016 UTC (7 years, 6 months ago)
Changed paths: 6
Log Message:
JCR-4009: CSRF in Jackrabbit-Webdav (ported to 2.6) (CVE-2016-6801)

CSRFUtil: properly parse content types (handle params, normalize, handle case differences also multiple field instances), handle missing content type header field, handle partial-URI in referer, DEBUG logging

WebDAV servlet: disable bogus POST support

Davex: include Referer header field in POST requests used for davex remoting
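The checks the log message describes (normalizing Content-Type across parameters, case and repeated header instances, treating a missing Content-Type like a form post, and rejecting a partial-URI Referer) are illustrated below in Python as an added example; it is not Jackrabbit's CSRFUtil code, and the policy of rejecting a missing or host-less Referer is this example's own assumption.

```python
from urllib.parse import urlsplit

# Media types a browser form can POST cross-site without a CORS preflight,
# so a request carrying one of them (or no Content-Type) needs an origin check.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def normalize_content_types(values):
    """Collapse one or more Content-Type header instances to a set of bare,
    lower-cased media types: parameters (e.g. '; charset=UTF-8'), surrounding
    whitespace and case differences are all removed."""
    types = set()
    for raw in values:
        for part in raw.split(","):          # repeated instances may be joined
            media = part.split(";", 1)[0].strip().lower()
            if media:
                types.add(media)
    return types


def referer_host(referer):
    """Host named by a Referer value, or None when the header is absent or is
    a partial (relative) URI such as '/ui/page' that carries no host at all."""
    if not referer:
        return None
    try:
        return urlsplit(referer.strip()).hostname or None
    except ValueError:                       # malformed URI, e.g. bad IPv6 literal
        return None


def is_csrf_safe(method, headers, allowed_hosts):
    """headers: dict of lower-cased header name -> list of values (one entry
    per header instance). Policy (this example's assumption, not Jackrabbit's):
    only POSTs with a form-capable or missing Content-Type are checked, and
    they pass only when the Referer names a host in allowed_hosts."""
    if method.upper() != "POST":
        return True
    types = normalize_content_types(headers.get("content-type", []))
    if types and not (types & FORM_TYPES):
        return True                          # e.g. application/json needs a preflight
    host = referer_host(next(iter(headers.get("referer", [])), None))
    return host is not None and host.lower() in allowed_hosts
```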

Changed paths (path: details)

jackrabbit/branches/2.6/ (directory): modified, props changed
jackrabbit/branches/2.6/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java: modified, text changed
jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java: modified, text changed
jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java: modified, text changed
jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java: modified, text changed
jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/CSRFUtilTest.java: modified, text changed
