From d08dd37c3505754e8d73ef1c4ebcac953917ad1a Mon Sep 17 00:00:00 2001
From: Kevin Roast <kevin.roast@alfresco.com>
Date: Mon, 13 Mar 2017 14:05:21 +0000
Subject: [PATCH] Merged 5.1.N (5.1.3) to 5.2.N (5.2.1)     134638 kroast:
 ACE-5700 - [Security] Reflected XSS in admin-tenantconsole

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135777 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../alfresco/web-client-security-config.xml   | 60 +++++++++++++++++++
 source/web/WEB-INF/web.xml                    | 20 +++++++
 2 files changed, 80 insertions(+)

diff --git a/config/alfresco/web-client-security-config.xml b/config/alfresco/web-client-security-config.xml
index 226b1e6075..87f6dd1a7c 100644
--- a/config/alfresco/web-client-security-config.xml
+++ b/config/alfresco/web-client-security-config.xml
@@ -79,6 +79,66 @@
                <param name="cookie">{token}</param>
             </action>
          </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcservice/enterprise/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcs/enterprise/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/service/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/s/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcservice/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcs/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
 
          <!--
             Verify multipart requests contain the token as a parameter
diff --git a/source/web/WEB-INF/web.xml b/source/web/WEB-INF/web.xml
index b03a2196bc..037ff8a9c9 100644
--- a/source/web/WEB-INF/web.xml
+++ b/source/web/WEB-INF/web.xml
@@ -256,6 +256,26 @@
       <filter-name>CSRF Token Filter</filter-name>
       <url-pattern>/s/admin/*</url-pattern>
    </filter-mapping>
+   
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcservice/enterprise/admin/*</url-pattern>
+   </filter-mapping>
+
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcs/enterprise/admin/*</url-pattern>
+   </filter-mapping>
+   
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcservice/admin/*</url-pattern>
+   </filter-mapping>
+
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcs/admin/*</url-pattern>
+   </filter-mapping>
 
    <!-- Enterprise filter-mapping placeholder -->