Merged 5.1.N (5.1.3) to 5.2.N (5.2.1)

134638 kroast: ACE-5700 - [Security] Reflected XSS in admin-tenantconsole git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135777 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2017-03-13 14:05:21 +00:00
parent 0ec271c0b7
commit d08dd37c35
2 changed files with 80 additions and 0 deletions
--- a/config/alfresco/web-client-security-config.xml
+++ b/config/alfresco/web-client-security-config.xml
@@ -79,6 +79,66 @@
               <param name="cookie">{token}</param>
            </action>
         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcservice/enterprise/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcs/enterprise/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/service/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/s/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcservice/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/wcs/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>

         <!--
            Verify multipart requests contain the token as a parameter
--- a/source/web/WEB-INF/web.xml
+++ b/source/web/WEB-INF/web.xml
@@ -257,6 +257,26 @@
      <url-pattern>/s/admin/*</url-pattern>
   </filter-mapping>
   
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcservice/enterprise/admin/*</url-pattern>
+   </filter-mapping>
+
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcs/enterprise/admin/*</url-pattern>
+   </filter-mapping>
+   
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcservice/admin/*</url-pattern>
+   </filter-mapping>
+
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/wcs/admin/*</url-pattern>
+   </filter-mapping>
+
   <!-- Enterprise filter-mapping placeholder -->

   <listener>