View Issue Details |
ID | 0051321 |
Type | Category | Severity | Reproducibility | Date Submitted | Last Update |
defect | [Openbravo ERP] A. Platform | major | have not tried | 2023-01-10 15:16 | 2024-02-26 14:00 |
Reporter | AugustoMauch | View Status | public |
Assigned To | jarmendariz |
Priority | normal | Resolution | fixed | Fixed in Version | PR24Q2 |
Status | closed | Fix in branch | | Fixed in SCM revision | |
Projection | none | ETA | none | Target Version | |
OS | Any | Database | Any | Java version | |
OS Version | | Database version | | Ant version | |
Product Version | | SCM revision | |
Review Assigned To | |
Web browser | |
Modules | Core |
Regression level | |
Regression date | |
Regression introduced in release | |
Regression introduced by commit | |
Triggers an Emergency Pack | No |
Summary | 0051321: Improve CSRF coverage to cover some missing POST requests |
Description | POST requests of action handlers covered by KernelServlet are not checking the CSRF token (i.e. change of role from WebPOS). A CSRF token check should be added here [1]. [1] https://gitlab.com/openbravo/product/openbravo/-/blob/master/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java#L291 |
Steps To Reproduce | Open WebPOS. Change the role. Notice that no CSRF token is included, but the POST request is processed with success (see image). |
Tags | No tags attached. |
Attached Files | 0051321.png (30,111 bytes) 2023-10-24 15:03; POST_Request_200.png (234,243 bytes) 2024-01-25 10:58; POST_Request_No_CSRF.png (219,679 bytes) 2024-01-25 10:59 |
Relationships |
Notes |
(0145243) hgbot (developer) 2023-01-10 16:27 |
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/807 |
(0156231) fermin_ostivar (developer) 2023-10-24 15:01 |
With the current fix, it is not possible to change the role. |
(0160025) hgbot (developer) 2024-01-31 16:13 |
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/658 |
(0160875) hgbot (developer) 2024-02-18 22:11 |
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1373 |
(0161255) hgbot (developer) 2024-02-26 12:26 |
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/658 |
(0161256) hgbot (developer) 2024-02-26 12:26 |
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core
Changeset: aaa0e69362ff1aa854c5a639ecc241d2ee760aa3
Author: Javier Armendáriz <javier.armendariz@openbravo.com>
Date: 26-02-2024 09:09:23
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/aaa0e69362ff1aa854c5a639ecc241d2ee760aa3
Related to ISSUE-51321: Added CSRF token to POST request in request router
---
M web/org.openbravo.mobile.core/source/data/ob-requestrouter.js
--- |
(0161259) hgbot (developer) 2024-02-26 13:59 |
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2
Changeset: 8fb7d37ca5c4909f85e6f8efa8bf682ed6f8761a
Author: Javier Armendáriz <javier.armendariz@openbravo.com>
Date: 26-02-2024 09:09:24
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/commit/8fb7d37ca5c4909f85e6f8efa8bf682ed6f8761a
Related to ISSUE-51321: Adding CSRF to profile switch request
---
M web-jspack/org.openbravo.core2/src/components/AppBar/ProfileSelector/ProfileSelector.jsx
--- |
(0161260) hgbot (developer) 2024-02-26 13:59 |
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1373 |
(0161261) hgbot (developer) 2024-02-26 14:00 |
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/807 |
(0161262) hgbot (developer) 2024-02-26 14:00 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 01c9d899e4fab5431f3ab1d2d87c92297fcf464d
Author: Guillermo Dagnesses Segura <guillermo.dagnesses@doceleguas.com>
Date: 26-02-2024 14:00:13
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/01c9d899e4fab5431f3ab1d2d87c92297fcf464d
Fixed ISSUE-51321: Checking CSRF token in missing flows
---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-remote-call-manager.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/BaseActionHandler.java
M src-db/database/sourcedata/AD_PREFERENCE.xml
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestDal.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestNoDal.java
M src-test/src/org/openbravo/test/datasource/DatasourceTestUtil.java
M src-test/src/org/openbravo/test/datasource/FICTest.java
M src-test/src/org/openbravo/test/datasource/TestComboDatasource.java
M src-test/src/org/openbravo/test/selector/TestSelectorDefaultFilterActionHandler.java
M src/org/openbravo/erpCommon/utility/CsrfUtil.java
--- |
Issue History |
Date Modified | Username | Field | Change |
2023-01-10 15:16 | AugustoMauch | New Issue | |
2023-01-10 15:16 | AugustoMauch | Assigned To | => gdagnesses |
2023-01-10 15:16 | AugustoMauch | Modules | => Core |
2023-01-10 15:16 | AugustoMauch | Triggers an Emergency Pack | => No |
2023-01-10 16:27 | hgbot | Note Added: 0145243 | |
2023-01-12 09:42 | AugustoMauch | Status | new => scheduled |
2023-10-24 15:01 | fermin_ostivar | Note Added: 0156231 | |
2023-10-24 15:01 | fermin_ostivar | Assigned To | gdagnesses => |
2023-10-24 15:03 | fermin_ostivar | File Added: 0051321.png | |
2023-12-05 14:07 | hector_hernaez | Issue Monitored: hector_hernaez | |
2023-12-21 13:33 | egoitz | Assigned To | => AugustoMauch |
2024-01-25 10:57 | AugustoMauch | Summary | Improve CSRF coverage => Improve CSRF coverage to cover some missing POST requests |
2024-01-25 10:57 | AugustoMauch | Description Updated | View Revisions |
2024-01-25 10:57 | AugustoMauch | Steps to Reproduce Updated | View Revisions |
2024-01-25 10:58 | AugustoMauch | File Added: POST_Request_200.png | |
2024-01-25 10:59 | AugustoMauch | File Added: POST_Request_No_CSRF.png | |
2024-01-25 10:59 | AugustoMauch | Assigned To | AugustoMauch => jarmendariz |
2024-01-31 16:13 | hgbot | Note Added: 0160025 | |
2024-02-01 14:20 | maite | Issue Monitored: networkb | |
2024-02-18 22:11 | hgbot | Note Added: 0160875 | |
2024-02-26 12:26 | hgbot | Note Added: 0161255 | |
2024-02-26 12:26 | hgbot | Note Added: 0161256 | |
2024-02-26 13:59 | hgbot | Note Added: 0161259 | |
2024-02-26 13:59 | hgbot | Note Added: 0161260 | |
2024-02-26 14:00 | hgbot | Note Added: 0161261 | |
2024-02-26 14:00 | hgbot | Resolution | open => fixed |
2024-02-26 14:00 | hgbot | Status | scheduled => closed |
2024-02-26 14:00 | hgbot | Fixed in Version | => PR24Q2 |
2024-02-26 14:00 | hgbot | Note Added: 0161262 | |
2024-03-11 10:27 | AugustoMauch | Relationship added | causes 0054801 |
2024-03-22 11:35 | alostale | Relationship added | causes 0055012 |