| Revision | Date | Author | Commit message |
|---|---|---|---|
| 962865 | 10.07.2010 18:10:33 | markt | Improve CSRF protection filter by using SecureRandom rather than Random |
| 957828 | 25.06.2010 09:47:31 | markt | Switch the Host Manager app to the generic CSRF protection. Don't allow starting of hosts that are started. Don't allow stopping of hosts that are stopped. |
| 957478 | 24.06.2010 11:57:02 | markt | Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49476 (CSRF protection was preventing access to session expiration features). Also: Switch Manager app to generic CSRF protection; Add support for multiple nonces to CSRF filter; Improve 403 page; Don't open JSP pages in session expiration in a new window (makes CSRF prevention a real pain). |
| 956392 | 20.06.2010 21:39:21 | markt | Propose CSRF protection back-port |
| 956385 | 20.06.2010 20:59:51 | markt | Add entryPoint support to the CSRF prevention filter. |
| 942157 | 07.05.2010 19:38:03 | markt | Add a simple CSRF prevention filter. It has been tested with the Tomcat 6 manager app and a back-port proposal will follow shortly. |
| 915387 | 23.02.2010 16:38:26 | dejanb | |
| 915384 | 23.02.2010 16:24:30 | dejanb | |
| 826295 | 17.10.2009 21:27:12 | markt | Part 2 of CSRF protection for the host manager. Use POST and require valid nonce. |
| 826294 | 17.10.2009 21:25:11 | markt | Part 1 of CSRF protection for host manager. Move text interface from / to /text, add extra role for /text. Port 401.jsp and 404.jsp from manager. |
| 823975 | 11.10.2009 01:11:30 | markt | Use a nonce to provide CSRF protection |
| 823962 | 10.10.2009 23:54:54 | markt | Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=40001. Use POST rather than GET for all operations that are not idempotent. Partly based on a patch suggested by Daniel Naber. Remove the "Are you sure?", partly due to lack of i18n support and since (based on my recollection) as many people disliked the feature as liked it. Provides a (very) small measure of CSRF protection but lays the foundation for using a nonce with POST. |
| 722044 | 01.12.2008 12:47:48 | thrantal | WICKET-1886: Fixed testing things that require cookies persisted over multiple requests, such as CSRF protection in hidden Form fields. An even more straightforward option would have been to remove clearing cookies in MockWebApplication.initialize(), and copy cookies to each request from response, because after all the lifecycle of a WicketTester (MockWebApplication) instance should be such that cookies could be preserved there. Backport from trunk. |
| 722039 | 01.12.2008 12:25:55 | thrantal | WICKET-1886: Fixed testing things that require cookies persisted over multiple requests, such as CSRF protection in hidden Form fields. An even more straightforward option would have been to remove clearing cookies in MockWebApplication.initialize(), and copy cookies to each request from response, because after all the lifecycle of a WicketTester (MockWebApplication) instance should be such that cookies could be preserved there. |
| 684127 | 09.08.2008 00:12:53 | ivaynberg | |
| 684126 | 09.08.2008 00:12:04 | ivaynberg | |
| 663514 | 05.06.2008 12:01:30 | jim | Merge r661666 from trunk: Prevent CSRF attacks against the balancer-manager (CVE-2007-6420). * modules/proxy/mod_proxy_balancer.c (balancer_init): New function. (balancer_handler): Place a nonce in the form output, and check that the submitted form data includes that nonce. (ap_proxy_balancer_register_hook): Register the new post_config hook. Submitted by: jorton. Reviewed by: jim. |
| 661666 | 30.05.2008 13:49:31 | jorton | Prevent CSRF attacks against the balancer-manager (CVE-2007-6420). * modules/proxy/mod_proxy_balancer.c (balancer_init): New function. (balancer_handler): Place a nonce in the form output, and check that the submitted form data includes that nonce. (ap_proxy_balancer_register_hook): Register the new post_config hook. |