From 507e3f1c04320ecb4d2a0fe2073dad5511b58f8b Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Thu, 3 Nov 2016 13:53:13 +0000
Subject: [PATCH] Merged 5.2.N (5.2.1) to HEAD (5.2) 131530 kroast: ACE-4881 - [Pentest 121015] Multiple admin CSRF - Fix issue spotted by Michael Suzuki, where the /s endpoint was not configured correctly to generate CSRF tokens git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132270 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 config/alfresco/web-client-security-config.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/alfresco/web-client-security-config.xml b/config/alfresco/web-client-security-config.xml
index bb620d3668..226b1e6075 100644
--- a/config/alfresco/web-client-security-config.xml
+++ b/config/alfresco/web-client-security-config.xml
@@ -69,6 +69,16 @@ {token}
+
+
+ GET
+ /s/enterprise/admin/.*
+
+
+ {token}
+ {token}
+
+
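Review bot: The added rule matches only `GET` on `/s/enterprise/admin/.*`, so token generation is fixed for this one alias. If the same admin webscripts are reachable under other servlet mappings (for example `/wcs/` or `/wcservice/`), each needs an equivalent rule or a single regex covering all aliases; otherwise the path-based filter stays inconsistent. The hunk also does not show a rule that asserts the token on state-changing methods under `/s/enterprise/admin/.*`, and generating `{token}` protects nothing unless such a rule exists for the same prefix. Rule order may matter too if the filter applies the first match, and the neighbouring rules lie outside the hunk. A one-line comment above the rule would record the pairing, e.g. `<!-- ACE-4881: generate CSRF token for admin console pages served via the /s alias; keep in step with the other alias rules -->`.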