
Example 1 with RequestContext

use of com.zimbra.soap.RequestContext in project zm-mailbox by Zimbra.

In class DefangFilterTest, method testBug83999.

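/**
 * Regression test for bug 83999: a {@code <FORM>} whose {@code action} posts
 * back to the host the request arrived on must be neutralised by the HTML
 * defanger (it emits the marker {@code SAMEHOSTFORMPOST-BLOCKED}), while a
 * form posting to a different host is left alone.
 *
 * <p>The virtual host is supplied through {@link ZThreadLocal}, the same way
 * CsrfFilter supplies it for real requests. It is cleared in {@code finally}
 * so that a failing assertion cannot leak the context into later tests that
 * run on the same thread.
 *
 * @throws IOException if the defanger fails to read the input
 */
@Test
public void testBug83999() throws IOException {
    RequestContext reqContext = new RequestContext();
    reqContext.setVirtualHost("mail.zimbra.com");
    ZThreadLocal.setContext(reqContext);
    try {
        // Same host, explicit port: blocked.
        Assert.assertTrue(sameHostPostBlocked("http://mail.zimbra.com:7070/service/soap/ModifyFilterRulesRequest"));
        // Different host: must not be blocked.
        Assert.assertFalse(sameHostPostBlocked("http://zimbra.vmware.com:7070/service/soap/ModifyFilterRulesRequest"));
        // Same host, default port: blocked.
        Assert.assertTrue(sameHostPostBlocked("http://mail.zimbra.com/service/soap/ModifyFilterRulesRequest"));
        // Relative action resolves against the same host: blocked.
        Assert.assertTrue(sameHostPostBlocked("/service/soap/ModifyFilterRulesRequest"));
    } finally {
        ZThreadLocal.unset();
    }
}

/**
 * Runs the text/html defanger over a single POST {@code <FORM>} whose
 * {@code action} attribute is {@code action}.
 *
 * @param action value of the form's {@code action} attribute
 * @return whether the defanged output carries the
 *         {@code SAMEHOSTFORMPOST-BLOCKED} marker
 * @throws IOException if the defanger fails to read the input
 */
private static boolean sameHostPostBlocked(String action) throws IOException {
    String html = "<FORM NAME=\"buy\" ENCTYPE=\"text/plain\" " + "action=\"" + action + "\" METHOD=\"POST\">";
    // Explicit charset: the default-charset getBytes() depends on the JVM locale.
    InputStream htmlStream = new ByteArrayInputStream(html.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    String result = DefangFactory.getDefanger(MimeConstants.CT_TEXT_HTML).defang(htmlStream, true);
    return result.contains("SAMEHOSTFORMPOST-BLOCKED");
}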
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) FileInputStream(java.io.FileInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) RequestContext(com.zimbra.soap.RequestContext) Test(org.junit.Test)

Example 2 with RequestContext

use of com.zimbra.soap.RequestContext in project zm-mailbox by Zimbra.

In class CsrfFilter, method doFilter.

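/**
 * Applies the CSRF referer and token checks to an incoming HTTP request and
 * then passes it down the filter chain.
 *
 * <p>Every request receives a per-request salt attribute ({@code CSRF_SALT})
 * and a {@code CSRF_TOKEN_CHECK} flag telling downstream code whether the
 * token check applies to it. When the referer check is enabled and fails,
 * the request is rejected with 403 and the chain is not invoked.
 *
 * <p>The request host is published through {@link ZThreadLocal} as a
 * {@link RequestContext} for the whole duration of the chain, because
 * DefangFilter's same-host form-post check reads it from there. It is
 * cleared in {@code finally} so a pooled request thread never carries a
 * stale host into its next request.
 *
 * @param request  the incoming request; must be an {@link HttpServletRequest}
 * @param response the response; must be an {@link HttpServletResponse}
 * @param chain    the remainder of the filter chain
 * @throws IOException      propagated from the chain or from {@code sendError}
 * @throws ServletException propagated from the chain
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
 *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    ZimbraLog.clearContext();
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    // NOTE(review): the salt is only as unpredictable as nonceGen, which is
    // declared outside this method — confirm it is a SecureRandom.
    req.setAttribute(CSRF_SALT, nonceGen.nextInt() + 1);
    if (ZimbraLog.misc.isDebugEnabled()) {
        ZimbraLog.misc.debug("CSRF Request URI: " + req.getRequestURI());
    }
    boolean csrfCheckEnabled = false;
    boolean csrfRefererCheckEnabled = false;
    Provisioning prov = Provisioning.getInstance();
    try {
        csrfCheckEnabled = prov.getConfig().isCsrfTokenCheckEnabled();
        csrfRefererCheckEnabled = prov.getConfig().isCsrfRefererCheckEnabled();
    } catch (ServiceException e) {
        // Fail-open, as in the original code: a provisioning error leaves both
        // checks disabled for this request. The INFO line is the only signal an
        // operator gets that protection was skipped, so keep it alertable.
        ZimbraLog.misc.info("Error in CSRF filter: " + e.getMessage(), e);
    }
    if (ZimbraLog.misc.isDebugEnabled()) {
        ZimbraLog.misc.debug("CSRF filter was initialized : " + "CSRFcheck enabled: " + csrfCheckEnabled + ", CSRF referer check enabled: " + csrfRefererCheckEnabled + ", CSRFAllowedRefHost: [" + Joiner.on(", ").join(this.allowedRefHosts) + "]" + ", CSRFTokenValidity " + this.maxCsrfTokenValidityInMs + "ms.");
    }
    if (ZimbraLog.misc.isTraceEnabled()) {
        Enumeration<String> hdrNames = req.getHeaderNames();
        ZimbraLog.misc.trace("Soap request headers.");
        String cookieHeader = HttpHeaders.COOKIE.toLowerCase(java.util.Locale.ROOT);
        while (hdrNames.hasMoreElements()) {
            String name = hdrNames.nextElement();
            // HTTP header names are case-insensitive; compare in lower case so a
            // client sending "cookie" does not get its session cookie traced.
            // NOTE(review): other credential-bearing headers (e.g. Authorization)
            // are still traced — consider widening this skip list.
            if (name.toLowerCase(java.util.Locale.ROOT).contains(cookieHeader)) {
                continue;
            }
            ZimbraLog.misc.trace(name + "=" + req.getHeader(name));
        }
    }
    if (csrfRefererCheckEnabled) {
        if (!allowReqBasedOnRefererHeaderCheck(req)) {
            ZimbraLog.misc.info("CSRF referer check failed");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
    }
    // Publish the request host BEFORE the chain runs. The original set it
    // after chain.doFilter() and unset it immediately afterwards, so nothing
    // downstream (DefangFilter included) could ever observe it.
    try {
        RequestContext reqCtxt = new RequestContext();
        String host = CsrfUtil.getRequestHost(req);
        reqCtxt.setVirtualHost(host);
        ZThreadLocal.setContext(reqCtxt);
        if (!csrfCheckEnabled) {
            req.setAttribute(CSRF_TOKEN_CHECK, Boolean.FALSE);
        } else {
            req.setAttribute(Provisioning.A_zimbraCsrfTokenCheckEnabled, Boolean.TRUE);
            AuthToken authToken = CsrfUtil.getAuthTokenFromReq(req);
            if (CsrfUtil.doCsrfCheck(req, authToken)) {
                // POST request whose auth token is CSRF-enabled
                req.setAttribute(CSRF_TOKEN_CHECK, Boolean.TRUE);
            } else {
                req.setAttribute(CSRF_TOKEN_CHECK, Boolean.FALSE);
                ZimbraLog.misc.debug("CSRF check will not be done for URI : %s", req.getRequestURI());
            }
        }
        chain.doFilter(req, resp);
    } finally {
        // Always clear the thread-local: request threads are pooled and reused.
        ZThreadLocal.unset();
    }
}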
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) ServiceException(com.zimbra.common.service.ServiceException) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthToken(com.zimbra.cs.account.AuthToken) RequestContext(com.zimbra.soap.RequestContext) Provisioning(com.zimbra.cs.account.Provisioning)
