From da445542435aa2041616625fb9967b740faa8683 Mon Sep 17 00:00:00 2001
From: Hasunie
Date: Mon, 16 Jan 2017 18:36:21 +0530
Subject: [PATCH 1/3] fixing CSRF issue in IOT server login
---
 .../repository/conf/security/Owasp.CsrfGuard.Carbon.properties | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/analytics/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/modules/analytics/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
index 2b5a7b42..bf41e0ee 100644
--- a/modules/analytics/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+++ b/modules/analytics/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
@@ -454,3 +454,6 @@ org.owasp.csrfguard.unprotected.JsApi=%servletContext%/portal/apis/analytics/*
 org.owasp.csrfguard.unprotected.Servlet=%servletContext%/analytics-api/*
 org.owasp.csrfguard.unprotected.ml=%servletContext%/api/login*
 org.owasp.csrfguard.unprotected.passivests=%servletContext%/acs/*
+org.owasp.csrfguard.unprotected.deviceMgtSSOAcs=%servletContext%/devicemgt/uuf/sso/acs
+org.owasp.csrfguard.unprotected.deviceMgtAcs=%servletContext%/uuf/sso/acs
+org.owasp.csrfguard.unprotected.deviceMgtApi=%servletContext%/devicemgt/api/invoker/execute/*
From b74ea7baca128a5fc0428c24fd02c56ac66c328d Mon Sep 17 00:00:00 2001
From: Rasika Perera
Date: Mon, 16 Jan 2017 23:36:01 +0530
Subject: [PATCH 2/3] Adding escape urls to csrf gurad
---
 .../conf/security/Owasp.CsrfGuard.Carbon.properties | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
index 1dc9d20e..bf300027 100644
--- a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+++ b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
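Review bot: The third added entry, `org.owasp.csrfguard.unprotected.deviceMgtApi=%servletContext%/devicemgt/api/invoker/execute/*`, exempts a wildcard path from CSRFGuard, which is far broader than the login fix named in the subject; the same three entries are added again in the modules/core hunk of PATCH 2/3, so this applies there too. If the invoker forwards state-changing requests on behalf of the logged-in session (inferred from the path name, not visible in this patch), those requests lose the CSRFGuard token check and need an equivalent protection that the invoker itself enforces, or the entry should be narrowed to the exact paths that require it. The two ACS entries look like the standard SAML case — the IdP POSTs the response cross-origin, so it cannot carry the token — but nothing in the file records that reasoning, so each new line should carry a comment such as `# SAML ACS: IdP POSTs the response, so no CSRFGuard token is possible` and `# TODO(review): invoker exemption relies on the invoker's own anti-CSRF check; confirm before release`. It is also worth confirming whether `%servletContext%/uuf/sso/acs` (without the devicemgt prefix) is deliberately covering other UUF apps, since the key name suggests it is meant for device management only.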
@@ -462,11 +462,14 @@ org.owasp.csrfguard.unprotected.storeRestApi=%servletContext%/api/appm/store/*
 org.owasp.csrfguard.unprotected.certificateMgtRestApi=%servletContext%/api/certificate-mgt/*
 org.owasp.csrfguard.unprotected.deviceMgtRestApi=%servletContext%/api/device-mgt/*
 org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*
-
+org.owasp.csrfguard.unprotected.deviceMgtSSOAcs=%servletContext%/devicemgt/uuf/sso/acs
+org.owasp.csrfguard.unprotected.deviceMgtAcs=%servletContext%/uuf/sso/acs
+org.owasp.csrfguard.unprotected.deviceMgtApi=%servletContext%/devicemgt/api/invoker/execute/*
+
 #carbon
 org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
 #identity
 org.owasp.csrfguard.unprotected.acs=%servletContext%/acs/*
 org.owasp.csrfguard.unprotected.iwa=%servletContext%/iwa/*
-org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*
\ No newline at end of file
+org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*