Merged 5.2.N (5.2.1) to HEAD (5.2)

131530 kroast: ACE-4881 - [Pentest 121015] Multiple admin CSRF - Fix issue spotted by Michael Suzuki, where the /s endpoint was not configured correctly to generate CSRF tokens git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132270 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2016-11-03 13:53:13 +00:00
parent 01156b23b5
commit 507e3f1c04
1 changed files with 10 additions and 0 deletions
--- a/config/alfresco/web-client-security-config.xml
+++ b/config/alfresco/web-client-security-config.xml
@@ -69,6 +69,16 @@
               <param name="cookie">{token}</param>
            </action>
         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/s/enterprise/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>

         <!--
            Verify multipart requests contain the token as a parameter