Tuesday, July 23, 2013

CSRF Policy in Alfresco Share

Since Enterprise 4.1.4, a new CSRF (Cross Site Request Forgery) Policy has been introduced in Alfresco Share.
Should you want to learn more about this, this should be useful https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Mostly, it does not affect you, but in some cases it does. Here are some of the scenarios.
  • You are making an XMLHttpRequest with method POST, PUT or DELETE without using the Alfresco.util.Ajax or alfresco/core/CoreXhr classes 
  • You are making a form upload with enctype multipart/form-data without using Alfresco.forms.Form 
  • You are using a flash movie inside Share to send http requests with method POST 
  • You are writing a non-browser client, i.e. a mobile app 
  • Another system is sending POST requests to your Alfresco Share server 
  • You are running Alfresco Share behind one or more proxy server(s) and I get errors… 
Of course, there are individual methods to handle these situations using CSRFPolicy configurations, however, sometimes you would want to disable this filter altogether.

For that, simply add the following code snippet in your share-config-custom.xml file.

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
   <filter>
      <rule>
         <request>
            <method>POST|PUT|DELETE</method>
            <session>
               <attribute name="_alf_USER_ID">.*</attribute>
            </session>
         </request>
         <action name="assertReferer">
            <param name="always">false</param>
         </action>
         <action name="assertOrigin">
            <param name="always">false</param>
         </action>
      </rule>
   </filter>
</config>



Thanks to Erik Winlof for the detailed information.

No comments:

Post a Comment