(feat) added AngularJS's XSRF support (#3246)

pull/207/head
Ludovic Marcotte 2016-04-26 11:06:44 -04:00
parent 2da7a04bac
commit 582baf2960
40 changed files with 224 additions and 129 deletions

NEWS

@ -5,6 +5,7 @@ New features
- [core] new database structure options to make SOGo use a total of nine tables
- [core] new user-based rate-limiting support for all SOGo requests (#3188)
- [web] toolbar of all-day events can be expanded to display all events
- [web] added AngularJS's XSRF support (#3246)
Enhancements
- [web] updated Angular Material to version 1.0.6


@ -65,6 +65,7 @@
- (BOOL) uixDebugEnabled;
- (BOOL) easDebugEnabled;
- (BOOL) xsrfValidationEnabled;
- (NSString *) pageTitle;
- (NSString *) helpURL;


@ -430,6 +430,18 @@ _injectConfigurationFromFile (NSMutableDictionary *defaultsDict,
return [self boolForKey: @"SOGoEASDebugEnabled"];
}
- (BOOL) xsrfValidationEnabled
{
id o;
if (!(o = [self objectForKey: @"SOGoXSRFValidationEnabled"]))
{
return YES;
}
return [o boolValue];
}
- (NSString *) pageTitle
{
return [self stringForKey: @"SOGoPageTitle"];
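Review bot: The reason xsrfValidationEnabled reads the raw object instead of calling `boolForKey:` like the neighbouring accessor (`return [self boolForKey: @"SOGoEASDebugEnabled"];` just above) is not stated, and a later "simplification" to `boolForKey:` would silently flip the default to NO. A one-line comment above the lookup would record the intent, e.g. `// Opt-out setting: an absent SOGoXSRFValidationEnabled key means validation is on.`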


@ -21,7 +21,7 @@ CommonUI_OBJC_FILES += \
UIxTopnavToolbar.m \
UIxToolbar.m \
\
WODirectAction+SOGo.m \
SOGoDirectAction.m \
CommonUI_RESOURCE_FILES += \
product.plist


@ -1,6 +1,6 @@
/* WODirectAction+SOGo.h - this file is part of SOGo
/* SOGoDirectAction.h - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -26,7 +26,7 @@
@class NSString;
@class WOResponse, WOResourceManager;
@interface WODirectAction (SOGoExtension)
@interface SOGoDirectAction : WODirectAction
- (WOResponse *) responseWithStatus: (unsigned int) status;
- (WOResponse *) responseWithStatus: (unsigned int) status


@ -1,6 +1,6 @@
/* WODirectAction+SOGo.m - this file is part of SOGo
/* SOGoDirectAction - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -26,15 +26,19 @@
#import <SoObjects/SOGo/NSObject+Utilities.h>
#import <SoObjects/SOGo/NSDictionary+Utilities.h>
#import <SoObjects/SOGo/NSString+Crypto.h>
#import <SoObjects/SOGo/NSString+Utilities.h>
#import <SoObjects/SOGo/SOGoSession.h>
#import <SoObjects/SOGo/SOGoSystemDefaults.h>
#import <SoObjects/SOGo/SOGoWebAuthenticator.h>
#import <NGExtensions/NSObject+Logs.h>
#import "WODirectAction+SOGo.h"
#import "SOGoDirectAction.h"
static SoProduct *commonProduct = nil;
@implementation WODirectAction (SOGoExtension)
@implementation SOGoDirectAction
+ (void) initialize
{
@ -205,4 +209,34 @@ static SoProduct *commonProduct = nil;
return url;
}
//
// Protection against XSRF
//
- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
{
SOGoWebAuthenticator *auth;
NSString *value, *token;
NSArray *creds;
if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
return [super performActionNamed: _actionName];
// We grab the X-XSRF-TOKEN header
token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
// We compare it with our session key
auth = [[WOApplication application]
authenticatorInContext: context];
value = [[context request]
cookieValueForKey: [auth cookieNameInContext: context]];
creds = [auth parseCredentials: value];
value = [SOGoSession valueForSessionKey: [creds lastObject]];
if ([token isEqualToString: [value asSHA1String]])
return [super performActionNamed: _actionName];
return nil;
}
@end
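Review bot: When the token comparison fails, performActionNamed: returns nil rather than an explicit error response, so a rejected request is indistinguishable from an empty result and nothing is logged; what NGObjWeb's request handler turns a nil action result into is not visible here. SOGoDirectAction.h declares `responseWithStatus:` and NSObject+Logs.h is imported, so the failure path could be `[self warnWithFormat: @"XSRF token mismatch for action '%@'", _actionName]; return [self responseWithStatus: 403];` (log the action name only, never the token). The same cookie-parse-and-compare block is duplicated in UIxComponent.m's performActionNamed: (with the connect/logoff exemption); a single helper, e.g. on SOGoWebAuthenticator, comparing the X-XSRF-TOKEN header against the session-derived value would keep the two in step and give both the same failure response.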


@ -1,6 +1,6 @@
/* UIxFolderActions.h - this file is part of SOGo
*
* Copyright (C) 2007-2014 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -30,7 +30,9 @@
@class SOGoGCSFolder;
@class SOGoUserSettings;
@interface UIxFolderActions : WODirectAction
#include "SOGoDirectAction.h"
@interface UIxFolderActions : SOGoDirectAction
{
SOGoGCSFolder *clientObject;
LDAPUserManager *um;
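Review bot: `#include "SOGoDirectAction.h"` in UIxFolderActions.h uses the C preprocessor form where the rest of this change uses `#import` (e.g. `#import <UI/Common/SOGoDirectAction.h>` in UIxMailAccountActions.h); unless SOGoDirectAction.h carries an include guard, which is not visible in this page, a second inclusion through another header would redeclare the interface. The same `#include` appears in UIxObjectActions.h and UIxParentFolderActions.h. Switch all three to `#import "SOGoDirectAction.h"`.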


@ -1,6 +1,6 @@
/* UIxFolderActions.m - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -42,8 +42,6 @@
#import <Appointments/SOGoAppointmentFolder.h>
#import "WODirectAction+SOGo.h"
#import "UIxFolderActions.h"
@implementation UIxFolderActions


@ -1,8 +1,6 @@
/* UIxObjectActions.h - this file is part of SOGo
*
* Copyright (C) 2007 Inverse inc.
*
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -23,10 +21,11 @@
#ifndef UIXOBJECTACTIONS_H
#define UIXOBJECTACTIONS_H
#include "SOGoDirectAction.h"
@class WOResponse;
@interface UIxObjectActions : WODirectAction
@interface UIxObjectActions : SOGoDirectAction
- (WOResponse *) addUserInAclsAction;


@ -30,8 +30,6 @@
#import <SOGo/NSDictionary+Utilities.h>
#import "WODirectAction+SOGo.h"
#import "UIxObjectActions.h"
@implementation UIxObjectActions


@ -1,8 +1,6 @@
/* UIxParentFolderActions.h - this file is part of SOGo
*
* Copyright (C) 2007 Inverse inc.
*
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -23,8 +21,9 @@
#ifndef UIXPARENTFOLDERACTIONS_H
#define UIXPARENTFOLDERACTIONS_H
#include "SOGoDirectAction.h"
@interface UIxParentFolderActions : WODirectAction
@interface UIxParentFolderActions : SOGoDirectAction
@end
#endif /* UIXPARENTFOLDERACTIONS_H */


@ -1,6 +1,6 @@
/* UIxParentFolderActions.m - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -29,8 +29,6 @@
#import <SOGo/NSDictionary+Utilities.h>
#import <SOGo/NSString+Utilities.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import "UIxParentFolderActions.h"
@implementation UIxParentFolderActions


@ -1,8 +1,6 @@
/* UIxContactActions.m - this file is part of SOGo
*
* Copyright (C) 2010 Inverse inc.
*
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
* Copyright (C) 2010-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -30,7 +28,7 @@
#import <Contacts/SOGoContactGCSEntry.h>
#import <Common/WODirectAction+SOGo.h>
#import <Common/SOGoDirectAction.h>
@interface NGVCard (SOGoActionCategory)
@ -80,7 +78,7 @@
@end
@interface UIxContactActions : WODirectAction
@interface UIxContactActions : SOGoDirectAction
- (WOResponse *) setCategoryAction;
- (WOResponse *) unsetCategoryAction;


@ -1,34 +1,35 @@
/*
Copyright (C) 2004-2005 SKYRIX Software AG
This file is part of OpenGroupware.org.
OGo is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by the
Free Software Foundation; either version 2, or (at your option) any
later version.
OGo is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
License for more details.
You should have received a copy of the GNU Lesser General Public
License along with OGo; see the file COPYING. If not, write to the
Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA
02111-1307, USA.
Copyright (C) 2006-2016 Inverse inc.
This file is part of SOGo.
SOGo is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by the
Free Software Foundation; either version 2, or (at your option) any
later version.
SOGo is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
License for more details.
You should have received a copy of the GNU Lesser General Public
License along with SOGo; see the file COPYING. If not, write to the
Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA
02111-1307, USA.
*/
#ifndef __UIxContactsListActions_H__
#define __UIxContactsListActions_H__
#import <Common/SOGoDirectAction.h>
@class NSDictionary;
@class NSString;
@protocol SOGoContactObject;
@interface UIxContactsListActions : WODirectAction
@interface UIxContactsListActions : SOGoDirectAction
{
NSDictionary *currentContact;


@ -37,9 +37,6 @@
#import <EOControl/EOQualifier.h>
#import <EOControl/EOSortOrdering.h>
#import <Common/WODirectAction+SOGo.h>
#import <SOGo/SOGoUser.h>
#import <SOGo/SOGoUserSettings.h>


@ -1,8 +1,6 @@
/* UIxMailPartICalActions.h - this file is part of SOGo
*
* Copyright (C) 2007 Inverse inc.
*
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -23,12 +21,13 @@
#ifndef UIXMAILPARTICALACTIONS_H
#define UIXMAILPARTICALACTIONS_H
@class iCalCalendar;
@class SOGoMailBodyPart;
@class WOResponse;
@interface UIxMailPartICalActions : WODirectAction
#import <UI/Common/SOGoDirectAction.h>
@interface UIxMailPartICalActions : SOGoDirectAction
- (WOResponse *) acceptAction;
- (WOResponse *) declineAction;


@ -1,6 +1,6 @@
/* UIxMailPartICalActions.m - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -32,8 +32,6 @@
#import <NGCards/iCalCalendar.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import <NGImap4/NGImap4EnvelopeAddress.h>
#import <Appointments/iCalEvent+SOGo.h>
@ -239,7 +237,6 @@
WOResponse *response;
SOGoAppointmentObject *eventObject;
iCalEvent *chosenEvent;
//NSException *ex;
chosenEvent = [self _setupChosenEventAndEventObject: &eventObject];
if (chosenEvent)


@ -1,6 +1,6 @@
/* UIxMailAccountActions.h - this file is part of SOGo
*
* Copyright (C) 2007-2013 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -21,10 +21,11 @@
#ifndef UIXMAILACCOUNTACTIONS_H
#define UIXMAILACCOUNTACTIONS_H
#import <UI/Common/SOGoDirectAction.h>
@class WOResponse;
@interface UIxMailAccountActions : WODirectAction
@interface UIxMailAccountActions : SOGoDirectAction
{
}


@ -1,6 +1,6 @@
/* UIxMailAccountActions.m - this file is part of SOGo
*
* Copyright (C) 2007-2014 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -34,8 +34,6 @@
#import <SOGo/SOGoDomainDefaults.h>
#import <SOGo/SOGoUser.h>
#import "../Common/WODirectAction+SOGo.h"
#import "UIxMailAccountActions.h"
@implementation UIxMailAccountActions


@ -1,6 +1,6 @@
/* UIxMailActions.h - this file is part of SOGo
*
* Copyright (C) 2007-2013 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@
#ifndef UIXMAILACTIONS_H
#define UIXMAILACTIONS_H
#import <UI/Common/SOGoDirectAction.h>
@interface UIxMailActions : WODirectAction
@interface UIxMailActions : SOGoDirectAction
@end
#endif /* UIXMAILACTIONS_H */


@ -37,8 +37,6 @@
#import <SoObjects/SOGo/SOGoUserSettings.h>
#import <SoObjects/SOGo/SOGoUserDefaults.h>
#import "../Common/WODirectAction+SOGo.h"
#import "UIxMailActions.h"
@implementation UIxMailActions


@ -21,10 +21,11 @@
#ifndef UIXMAILFOLDERACTIONS_H
#define UIXMAILFOLDERACTIONS_H
#import <UI/Common/SOGoDirectAction.h>
@class WOResponse;
@interface UIxMailFolderActions : WODirectAction
@interface UIxMailFolderActions : SOGoDirectAction
- (id <WOActionResults>) createFolderAction;
- (WOResponse *) renameFolderAction;


@ -38,8 +38,6 @@
#import <SOGo/SOGoUser.h>
#import <SOGo/SOGoUserSettings.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import "UIxMailFolderActions.h"
@implementation UIxMailFolderActions
@ -225,7 +223,6 @@
SOGoUserSettings *us;
WOResponse *response;
NSException *error;
BOOL moved;
co = [self clientObject];
@ -380,20 +377,20 @@
response = nil;
if ([value length] > 0)
{
uids = [value componentsSeparatedByString: @","];
response = [co archiveUIDs: uids
inArchiveNamed: [self labelForKey: @"Saved Messages.zip" inContext: context]
inContext: context];
if (!response)
response = [self responseWith204];
}
{
uids = [value componentsSeparatedByString: @","];
response = [co archiveUIDs: uids
inArchiveNamed: [self labelForKey: @"Saved Messages.zip" inContext: context]
inContext: context];
if (!response)
response = [self responseWith204];
}
else
{
jsonResponse = [NSDictionary dictionaryWithObject: [self labelForKey: @"Missing 'uid' parameter." inContext: context]
forKey: @"message"];
response = [self responseWithStatus: 500 andJSONRepresentation: jsonResponse];
}
{
jsonResponse = [NSDictionary dictionaryWithObject: [self labelForKey: @"Missing 'uid' parameter." inContext: context]
forKey: @"message"];
response = [self responseWithStatus: 500 andJSONRepresentation: jsonResponse];
}
return response;
}


@ -1,6 +1,5 @@
/*
Copyright (C) 2004-2005 SKYRIX Software AG
Copyright (C) 2004-2014 Inverse inc
Copyright (C) 2004-2016 Inverse inc
This file is part of SOGo.
@ -23,13 +22,14 @@
#ifndef UIXMAILLISTACTIONS_H
#define UIXMAILLISTACTIONS_H
@class NSDictionary;
@class EOQualifier;
@class SOGoDateFormatter;
@class UIxMailSizeFormatter;
@interface UIxMailListActions : WODirectAction
#import <UI/Common/SOGoDirectAction.h>
@interface UIxMailListActions : SOGoDirectAction
{
NSArray *sortedUIDs; /* we always need to retrieve all anyway! */
NSArray *messages;


@ -58,7 +58,6 @@
#import <SOGo/SOGoUserSettings.h>
#import <SOGo/WOResourceManager+SOGo.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import <UI/MailPartViewers/UIxMailSizeFormatter.h>
#import "WOContext+UIxMailer.h"


@ -1,6 +1,6 @@
/* UIxMailSourceView.h - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@
#ifndef UIXMAILSOURCEVIEW_H
#define UIXMAILSOURCEVIEW_H
#import <UI/Common/SOGoDirectAction.h>
@interface UIxMailSourceView : WODirectAction
@interface UIxMailSourceView : SOGoDirectAction
@end


@ -1,6 +1,6 @@
/* UIxMailSourceView.m - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -23,8 +23,6 @@
#import <SoObjects/Mailer/SOGoMailObject.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import "UIxMailSourceView.h"
@implementation UIxMailSourceView


@ -1,5 +1,5 @@
/*
Copyright (C) 2014 Inverse inc.
Copyright (C) 2014-2016 Inverse inc.
This file is part of SOGo.
@ -23,10 +23,11 @@
#import <SOGo/SOGoCache.h>
#import <SOGo/NSObject+Utilities.h>
#import <NGObjWeb/NSException+HTTP.h>
#import <NGObjWeb/WOContext.h>
#import <NGObjWeb/WODirectAction.h>
#import <NGObjWeb/NSException+HTTP.h>
#import <NGObjWeb/WOResponse.h>
#import <Common/WODirectAction+SOGo.h>
#import <ActiveSync/SOGoActiveSyncDispatcher.h>
@interface SOGoMicrosoftActiveSyncActions : WODirectAction
@ -47,7 +48,9 @@
Class clazz;
request = (WORequest *)[context request];
response = [self responseWithStatus: 200];
response = [context response];
[response setStatus: 200];
[response setHeader: @"text/plain; charset=utf-8" forKey: @"content-type"];
bundle = [NSBundle bundleForClass: NSClassFromString(@"ActiveSyncProduct")];
clazz = [bundle classNamed: @"SOGoActiveSyncDispatcher"];
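Review bot: SOGoMicrosoftActiveSyncActions keeps `@interface SOGoMicrosoftActiveSyncActions : WODirectAction` while the other direct actions in this commit move to SOGoDirectAction, so the ActiveSync endpoint is exempt from the new XSRF check; this looks deliberate, presumably because ActiveSync clients authenticate on every request and never hold the XSRF-TOKEN cookie, but the exemption is not recorded anywhere. A comment on the interface line such as `// Deliberately not a SOGoDirectAction: ActiveSync clients do not carry the XSRF-TOKEN cookie/header` would keep a later cleanup from silently changing the superclass.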


@ -36,6 +36,7 @@
#import <Appointments/SOGoAppointmentFolders.h>
#import <SOGo/NSString+Crypto.h>
#import <SOGo/NSString+Utilities.h>
#import <SOGo/SOGoBuild.h>
#import <SOGo/SOGoCache.h>
@ -170,14 +171,14 @@
{
WOResponse *response;
WORequest *request;
WOCookie *authCookie;
WOCookie *authCookie, *xsrfCookie;
SOGoWebAuthenticator *auth;
SOGoAppointmentFolders *calendars;
SOGoUserDefaults *ud;
SOGoUser *loggedInUser;
NSDictionary *params;
NSString *username, *password, *language, *domain, *remoteHost;
NSArray *supportedLanguages;
NSArray *supportedLanguages, *creds;
SOGoPasswordPolicyError err;
int expire, grace;
@ -232,6 +233,13 @@
inContext: context];
[response addCookie: authCookie];
// We prepare the XSRF protection cookie
creds = [auth parseCredentials: [authCookie value]];
xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
[xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
[response addCookie: xsrfCookie];
supportedLanguages = [[SOGoSystemDefaults sharedSystemDefaults]
supportedLanguages];
loggedInUser = [SOGoUser userWithLogin: username];
@ -540,8 +548,8 @@
- (WOResponse *) changePasswordAction
{
NSString *username, *domain, *password, *newPassword, *value;
WOCookie *authCookie, *xsrfCookie;
NSDictionary *message;
WOCookie *authCookie;
NSArray *creds;
SOGoUserManager *um;
SOGoPasswordPolicyError error;
@ -592,6 +600,12 @@
andPassword: newPassword
inContext: context];
[response addCookie: authCookie];
// We update the XSRF protection cookie
creds = [auth parseCredentials: [authCookie value]];
xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
[response addCookie: xsrfCookie];
}
else
response = [self _responseWithLDAPPolicyError: error];
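Review bot: The XSRF-TOKEN cookie written in changePasswordAction has no `setPath:`, whereas the one created in connectAction earlier in this section (`[xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];`) and the discard cookie in logoffAction are scoped to the application path. Without an explicit path the browser scopes the cookie to the directory of the request URI, so the replacement lands at a different path from the original and the logoff discard cookie will not clear it. Add the same `setPath:` line before `[response addCookie: xsrfCookie];`. Neither hunk sets the Secure attribute on the XSRF cookie; whether that is handled where authCookie is built is not visible here.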


@ -455,8 +455,8 @@
- (id <WOActionResults>) logoffAction
{
SOGoWebAuthenticator *auth;
NSString *userName, *value;
SOGoWebAuthenticator *auth;
WOResponse *response;
NSCalendarDate *date;
WOCookie *cookie;
@ -486,6 +486,12 @@
if (cookie)
[response addCookie: cookie];
// We remove the XSRF cookie
cookie = [WOCookie cookieWithName: @"XSRF-TOKEN" value: @"discard"];
[cookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
[cookie setExpires: [date yesterday]];
[response addCookie: cookie];
[response setHeader: [date rfc822DateString] forKey: @"Last-Modified"];
[response setHeader: @"no-store, no-cache, must-revalidate,"
@" max-age=0, post-check=0, pre-check=0"


@ -1,6 +1,6 @@
/* UIxJSONPreferences.h - this file is part of SOGo
*
* Copyright (C) 2007-2015 Inverse inc.
* Copyright (C) 2007-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@
#ifndef UIXJSONPREFERENCES_H
#define UIXJSONPREFERENCES_H
#import <UI/Common/SOGoDirectAction.h>
@interface UIxJSONPreferences : WODirectAction
@interface UIxJSONPreferences : SOGoDirectAction
@end


@ -35,8 +35,6 @@
#import <SOGo/WOResourceManager+SOGo.h>
#import <Mailer/SOGoMailLabel.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import "UIxJSONPreferences.h"
static SoProduct *preferencesProduct = nil;


@ -34,11 +34,14 @@
#import <SOGo/NSCalendarDate+SOGo.h>
#import <SOGo/NSDictionary+Utilities.h>
#import <SOGo/NSObject+Utilities.h>
#import <SOGo/NSString+Crypto.h>
#import <SOGo/NSString+Utilities.h>
#import <SOGo/SOGoBuild.h>
#import <SOGo/SOGoSession.h>
#import <SOGo/SOGoSystemDefaults.h>
#import <SOGo/SOGoUser.h>
#import <SOGo/SOGoUserFolder.h>
#import <SOGo/SOGoWebAuthenticator.h>
#import <SOGo/WOContext+SOGo.h>
#import <SOGo/WOResourceManager+SOGo.h>
@ -763,4 +766,42 @@ static SoProduct *commonProduct = nil;
return [sd uixDebugEnabled];
}
//
// Protection against XSRF
//
- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
{
SOGoWebAuthenticator *auth;
NSString *value, *token;
NSArray *creds;
if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
return [super performActionNamed: _actionName];
// If the action is 'connect' (or 'logoff'), we let it go as the token
// needs to be created (or destroyed) during the session initialization
if ([_actionName isEqualToString: @"connect"] ||
[_actionName isEqualToString: @"logoff"])
{
return [super performActionNamed: _actionName];
}
// We grab the X-XSRF-TOKEN header
token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
// We compare it with our session key
auth = [[WOApplication application]
authenticatorInContext: context];
value = [[context request]
cookieValueForKey: [auth cookieNameInContext: context]];
creds = [auth parseCredentials: value];
value = [SOGoSession valueForSessionKey: [creds lastObject]];
if ([token isEqualToString: [value asSHA1String]])
return [super performActionNamed: _actionName];
return nil;
}
@end /* UIxComponent */


@ -21,8 +21,9 @@
#ifndef UIXAPPOINTMENTACTIONS_H
#define UIXAPPOINTMENTACTIONS_H
#import <Common/SOGoDirectAction.h>
@interface UIxAppointmentActions : WODirectAction
@interface UIxAppointmentActions : SOGoDirectAction
@end


@ -40,8 +40,6 @@
#import <Appointments/SOGoAppointmentFolder.h>
#import <Appointments/SOGoAppointmentFolders.h>
#import <Common/WODirectAction+SOGo.h>
#import "UIxAppointmentActions.h"
@implementation UIxAppointmentActions


@ -1,6 +1,6 @@
/* UIxCalListingActions.h - this file is part of SOGo
*
* Copyright (C) 2006-2015 Inverse inc.
* Copyright (C) 2006-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -21,7 +21,7 @@
#ifndef UIXCALLISTINGACTIONVIEW_H
#define UIXCALLISTINGACTIONVIEW_H
#import <Common/WODirectAction+SOGo.h>
#import <Common/SOGoDirectAction.h>
@class NSCalendarDate;
@class NSMutableDictionary;
@ -33,7 +33,7 @@
@class WOResponse;
@class WORequest;
@interface UIxCalListingActions : WODirectAction
@interface UIxCalListingActions : SOGoDirectAction
{
NSMutableDictionary *componentsData;
NSCalendarDate *startDate;


@ -47,8 +47,6 @@
#import <Appointments/SOGoAppointmentFolders.h>
#import <Appointments/SOGoWebAppointmentFolder.h>
#import <UI/Common/WODirectAction+SOGo.h>
#import "NSArray+Scheduler.h"
#import "UIxCalListingActions.h"
@ -638,7 +636,7 @@ static NSArray *tasksFields = nil;
NSDictionary *data;
NSEnumerator *folders;
unsigned int browserTime, laterTime;
// We look for alarms in the next 48 hours
browserTime = [[[context request] formValueForKey: @"browserTime"] intValue];
laterTime = browserTime + 60*60*48;
@ -779,7 +777,7 @@ static NSArray *tasksFields = nil;
unsigned int interval;
BOOL isAllDay;
NSString *sort, *ascending;
[self _setupContext];
[self saveFilterValue: @"EventsFilterState"];
[self saveSortValue: @"EventsSortingState"];
@ -1317,7 +1315,7 @@ _computeBlocksPosition (NSArray *blocks)
NSString *calendarName, *calendarId;
BOOL isAllDay;
int i, j;
[self _setupContext];
events = [self _fetchFields: eventsFields forComponentOfType: @"vevent"];
@ -1486,7 +1484,7 @@ _computeBlocksPosition (NSArray *blocks)
int statusCode;
int startSecs;
int endsSecs;
filteredTasks = [NSMutableArray array];
[self _setupContext];
@ -1573,9 +1571,8 @@ _computeBlocksPosition (NSArray *blocks)
SOGoAppointmentFolder *folder;
SOGoAppointmentFolders *co;
NSArray *folders;
int i;
co = [self clientObject];
folders = [co subFolders];
activeTasksByCalendars = [NSMutableDictionary dictionaryWithCapacity: [folders count]];


@ -1,6 +1,6 @@
/* UIxCalMainActions.h - this file is part of SOGo
*
* Copyright (C) 2009-2013 Inverse inc.
* Copyright (C) 2009-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -21,9 +21,9 @@
#ifndef UIXCALMAINACTIONS_H
#define UIXCALMAINACTIONS_H
#import <Common/WODirectAction+SOGo.h>
#import <Common/SOGoDirectAction.h>
@interface UIxCalMainActions : WODirectAction
@interface UIxCalMainActions : SOGoDirectAction
@end


@ -1,6 +1,6 @@
/* UIxCalMainActions.m - this file is part of SOGo
*
* Copyright (C) 2009-2015 Inverse inc.
* Copyright (C) 2009-2016 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by


@ -151,11 +151,17 @@
changePassword: function(newPassword) {
var d = $q.defer(),
loginCookie = readLoginCookie();
loginCookie = readLoginCookie(),
xsrfCookie = $cookies.get('XSRF-TOKEN');
$cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});
$http({
method: 'POST',
url: '/SOGo/so/changePassword',
headers: {
'X-XSRF-TOKEN' : xsrfCookie
},
data: {
userName: loginCookie[0],
password: loginCookie[1],
@ -186,6 +192,8 @@
perr = passwordPolicyConfig.PolicyPasswordUnknown;
}
// Restore the cookie
$cookies.put('XSRF-TOKEN', xsrfCookie, {path: '/SOGo/'});
d.reject(error);
});
return d.promise;
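Review bot: The token cookie is removed before the request (`$cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});`) and only restored in the error handler, but the reason is not stated; presumably it avoids the browser keeping two XSRF-TOKEN cookies once the server's response sets a fresh one. A comment above the remove call, e.g. `// Drop the current token so the one set by the server response is the only XSRF-TOKEN cookie left`, would record that. The `/SOGo/` path is hard-coded here while the server derives it from the request's applicationName, so the two must be kept in step by hand. The changePassword function continues outside this hunk.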