(feat) added AngularJS's XSRF support (#3246)

2016-04-26 11:06:44 -04:00 · 2016-04-26 11:06:44 -04:00 · 582baf2960
parent 2da7a04bac
commit 582baf2960
40 changed files with 224 additions and 129 deletions
--- a/1
+++ b/1
@ -5,6 +5,7 @@ New features
 - [core] new database structure options to make SOGo use a total of nine tables
 - [core] new user-based rate-limiting support for all SOGo requests (#3188)
 - [web] toolbar of all-day events can be expanded to display all events
+ - [web] added AngularJS's XSRF support (#3246)

 Enhancements
 - [web] updated Angular Material to version 1.0.6
--- a/SoObjects/SOGo/SOGoSystemDefaults.h
+++ b/SoObjects/SOGo/SOGoSystemDefaults.h
@ -65,6 +65,7 @@

 - (BOOL) uixDebugEnabled;
 - (BOOL) easDebugEnabled;
+- (BOOL) xsrfValidationEnabled;

 - (NSString *) pageTitle;
 - (NSString *) helpURL;
--- a/SoObjects/SOGo/SOGoSystemDefaults.m
+++ b/SoObjects/SOGo/SOGoSystemDefaults.m
@ -430,6 +430,18 @@ _injectConfigurationFromFile (NSMutableDictionary *defaultsDict,
  return [self boolForKey: @"SOGoEASDebugEnabled"];
 }

+- (BOOL) xsrfValidationEnabled
+{
+  id o;
+
+  if (!(o = [self objectForKey: @"SOGoXSRFValidationEnabled"]))
+    {
+      return YES;
+    }
+
+  return [o boolValue];
+}
+
 - (NSString *) pageTitle
 {
  return [self stringForKey: @"SOGoPageTitle"];
--- a/UI/Common/GNUmakefile
+++ b/UI/Common/GNUmakefile
@ -21,7 +21,7 @@ CommonUI_OBJC_FILES +=			\
 	UIxTopnavToolbar.m      	\
 	UIxToolbar.m			\
 	\
-	WODirectAction+SOGo.m		\
+	SOGoDirectAction.m		\

 CommonUI_RESOURCE_FILES += \
 	product.plist
--- a/UI/Common/WODirectAction+SOGo.h
+++ b/UI/Common/WODirectAction+SOGo.h
@ -1,6 +1,6 @@
-/* WODirectAction+SOGo.h - this file is part of SOGo
+/* SOGoDirectAction.h - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -26,7 +26,7 @@
@class NSString;
@class WOResponse, WOResourceManager;

-@interface WODirectAction (SOGoExtension)
+@interface SOGoDirectAction : WODirectAction

 - (WOResponse *) responseWithStatus: (unsigned int) status;
 - (WOResponse *) responseWithStatus: (unsigned int) status
--- a/UI/Common/WODirectAction+SOGo.m
+++ b/UI/Common/WODirectAction+SOGo.m
@ -1,6 +1,6 @@
-/* WODirectAction+SOGo.m - this file is part of SOGo
+/* SOGoDirectAction - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -26,15 +26,19 @@

 #import <SoObjects/SOGo/NSObject+Utilities.h>
 #import <SoObjects/SOGo/NSDictionary+Utilities.h>
+#import <SoObjects/SOGo/NSString+Crypto.h>
 #import <SoObjects/SOGo/NSString+Utilities.h>
+#import <SoObjects/SOGo/SOGoSession.h>
+#import <SoObjects/SOGo/SOGoSystemDefaults.h>
+#import <SoObjects/SOGo/SOGoWebAuthenticator.h>

 #import <NGExtensions/NSObject+Logs.h>

-#import "WODirectAction+SOGo.h"
+#import "SOGoDirectAction.h"

 static SoProduct      *commonProduct      = nil;

-@implementation WODirectAction (SOGoExtension)
+@implementation SOGoDirectAction

 + (void) initialize
 {
@ -205,4 +209,34 @@ static SoProduct      *commonProduct      = nil;
  return url;
 }

+//
+// Protection against XSRF
+//
+- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
+{
+  SOGoWebAuthenticator *auth;
+  NSString *value, *token;
+  NSArray *creds;
+
+  if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
+    return [super performActionNamed: _actionName];
+
+  // We grab the X-XSRF-TOKEN header
+  token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
+
+  // We compare it with our session key
+  auth = [[WOApplication application]
+           authenticatorInContext: context];
+  value = [[context request]
+           cookieValueForKey: [auth cookieNameInContext: context]];
+  creds = [auth parseCredentials: value];
+
+  value = [SOGoSession valueForSessionKey: [creds lastObject]];
+
+  if ([token isEqualToString: [value asSHA1String]])
+    return [super performActionNamed: _actionName];
+
+  return nil;
+}
+
@end
--- a/UI/Common/UIxFolderActions.h
+++ b/UI/Common/UIxFolderActions.h
@ -1,6 +1,6 @@
 /* UIxFolderActions.h - this file is part of SOGo
 *
- * Copyright (C) 2007-2014 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -30,7 +30,9 @@
@class SOGoGCSFolder;
@class SOGoUserSettings;

-@interface UIxFolderActions : WODirectAction
+#include "SOGoDirectAction.h"
+
+@interface UIxFolderActions : SOGoDirectAction
 {
  SOGoGCSFolder *clientObject;
  LDAPUserManager *um;
--- a/UI/Common/UIxFolderActions.m
+++ b/UI/Common/UIxFolderActions.m
@ -1,6 +1,6 @@
 /* UIxFolderActions.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -42,8 +42,6 @@

 #import <Appointments/SOGoAppointmentFolder.h>

-#import "WODirectAction+SOGo.h"
-
 #import "UIxFolderActions.h"

@implementation UIxFolderActions
--- a/UI/Common/UIxObjectActions.h
+++ b/UI/Common/UIxObjectActions.h
@ -1,8 +1,6 @@
 /* UIxObjectActions.h - this file is part of SOGo
 *
- * Copyright (C) 2007 Inverse inc.
- *
- * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -23,10 +21,11 @@
 #ifndef UIXOBJECTACTIONS_H
 #define UIXOBJECTACTIONS_H

+#include "SOGoDirectAction.h"

@class WOResponse;

-@interface UIxObjectActions : WODirectAction
+@interface UIxObjectActions : SOGoDirectAction

 - (WOResponse *) addUserInAclsAction;

--- a/UI/Common/UIxObjectActions.m
+++ b/UI/Common/UIxObjectActions.m
@ -30,8 +30,6 @@

 #import <SOGo/NSDictionary+Utilities.h>

-#import "WODirectAction+SOGo.h"
-
 #import "UIxObjectActions.h"

@implementation UIxObjectActions
--- a/UI/Common/UIxParentFolderActions.h
+++ b/UI/Common/UIxParentFolderActions.h
@ -1,8 +1,6 @@
 /* UIxParentFolderActions.h - this file is part of SOGo
 *
- * Copyright (C) 2007 Inverse inc.
- *
- * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -23,8 +21,9 @@
 #ifndef UIXPARENTFOLDERACTIONS_H
 #define UIXPARENTFOLDERACTIONS_H

+#include "SOGoDirectAction.h"

-@interface UIxParentFolderActions : WODirectAction
+@interface UIxParentFolderActions : SOGoDirectAction
@end

 #endif /* UIXPARENTFOLDERACTIONS_H */
--- a/UI/Common/UIxParentFolderActions.m
+++ b/UI/Common/UIxParentFolderActions.m
@ -1,6 +1,6 @@
 /* UIxParentFolderActions.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -29,8 +29,6 @@
 #import <SOGo/NSDictionary+Utilities.h>
 #import <SOGo/NSString+Utilities.h>

-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxParentFolderActions.h"

@implementation UIxParentFolderActions
--- a/UI/Contacts/UIxContactActions.m
+++ b/UI/Contacts/UIxContactActions.m
@ -1,8 +1,6 @@
 /* UIxContactActions.m - this file is part of SOGo
 *
- * Copyright (C) 2010 Inverse inc.
- *
- * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
+ * Copyright (C) 2010-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -30,7 +28,7 @@

 #import <Contacts/SOGoContactGCSEntry.h>

-#import <Common/WODirectAction+SOGo.h>
+#import <Common/SOGoDirectAction.h>

@interface NGVCard (SOGoActionCategory)

@ -80,7 +78,7 @@

@end

-@interface UIxContactActions : WODirectAction
+@interface UIxContactActions : SOGoDirectAction

 - (WOResponse *) setCategoryAction;
 - (WOResponse *) unsetCategoryAction;
--- a/UI/Contacts/UIxContactsListActions.h
+++ b/UI/Contacts/UIxContactsListActions.h
@ -1,20 +1,20 @@
 /*
- Copyright (C) 2004-2005 SKYRIX Software AG
+  Copyright (C) 2006-2016 Inverse inc.

- This file is part of OpenGroupware.org.
+  This file is part of SOGo.

- OGo is free software; you can redistribute it and/or modify it under
+  SOGo is free software; you can redistribute it and/or modify it under
  the terms of the GNU Lesser General Public License as published by the
  Free Software Foundation; either version 2, or (at your option) any
  later version.

- OGo is distributed in the hope that it will be useful, but WITHOUT ANY
+  SOGo is distributed in the hope that it will be useful, but WITHOUT ANY
  WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
  License for more details.

  You should have received a copy of the GNU Lesser General Public
- License along with OGo; see the file COPYING.  If not, write to the
+  License along with SOGo; see the file COPYING.  If not, write to the
  Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA
  02111-1307, USA.
 */
@ -22,13 +22,14 @@
 #ifndef __UIxContactsListActions_H__
 #define __UIxContactsListActions_H__

+#import <Common/SOGoDirectAction.h>

@class NSDictionary;
@class NSString;

@protocol SOGoContactObject;

-@interface UIxContactsListActions : WODirectAction
+@interface UIxContactsListActions : SOGoDirectAction
 {
  NSDictionary *currentContact;

--- a/UI/Contacts/UIxContactsListActions.m
+++ b/UI/Contacts/UIxContactsListActions.m
@ -37,9 +37,6 @@
 #import <EOControl/EOQualifier.h>
 #import <EOControl/EOSortOrdering.h>

-#import <Common/WODirectAction+SOGo.h>
-
-
 #import <SOGo/SOGoUser.h>
 #import <SOGo/SOGoUserSettings.h>

--- a/UI/MailPartViewers/UIxMailPartICalActions.h
+++ b/UI/MailPartViewers/UIxMailPartICalActions.h
@ -1,8 +1,6 @@
 /* UIxMailPartICalActions.h - this file is part of SOGo
 *
- * Copyright (C) 2007 Inverse inc.
- *
- * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -23,12 +21,13 @@
 #ifndef UIXMAILPARTICALACTIONS_H
 #define UIXMAILPARTICALACTIONS_H

-
@class iCalCalendar;
@class SOGoMailBodyPart;
@class WOResponse;

-@interface UIxMailPartICalActions : WODirectAction
+#import <UI/Common/SOGoDirectAction.h>
+
+@interface UIxMailPartICalActions : SOGoDirectAction

 - (WOResponse *) acceptAction;
 - (WOResponse *) declineAction;
--- a/UI/MailPartViewers/UIxMailPartICalActions.m
+++ b/UI/MailPartViewers/UIxMailPartICalActions.m
@ -1,6 +1,6 @@
 /* UIxMailPartICalActions.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -32,8 +32,6 @@

 #import <NGCards/iCalCalendar.h>

-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import <NGImap4/NGImap4EnvelopeAddress.h>

 #import <Appointments/iCalEvent+SOGo.h>
@ -239,7 +237,6 @@
  WOResponse *response;
  SOGoAppointmentObject *eventObject;
  iCalEvent *chosenEvent;
-  //NSException *ex;

  chosenEvent = [self _setupChosenEventAndEventObject: &eventObject];
  if (chosenEvent)
--- a/UI/MailerUI/UIxMailAccountActions.h
+++ b/UI/MailerUI/UIxMailAccountActions.h
@ -1,6 +1,6 @@
 /* UIxMailAccountActions.h - this file is part of SOGo
 *
- * Copyright (C) 2007-2013 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,10 +21,11 @@
 #ifndef UIXMAILACCOUNTACTIONS_H
 #define UIXMAILACCOUNTACTIONS_H

+#import <UI/Common/SOGoDirectAction.h>

@class WOResponse;

-@interface UIxMailAccountActions : WODirectAction
+@interface UIxMailAccountActions : SOGoDirectAction
 {
 }

--- a/UI/MailerUI/UIxMailAccountActions.m
+++ b/UI/MailerUI/UIxMailAccountActions.m
@ -1,6 +1,6 @@
 /* UIxMailAccountActions.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2014 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -34,8 +34,6 @@
 #import <SOGo/SOGoDomainDefaults.h>
 #import <SOGo/SOGoUser.h>

-#import "../Common/WODirectAction+SOGo.h"
-
 #import "UIxMailAccountActions.h"

@implementation UIxMailAccountActions
--- a/UI/MailerUI/UIxMailActions.h
+++ b/UI/MailerUI/UIxMailActions.h
@ -1,6 +1,6 @@
 /* UIxMailActions.h - this file is part of SOGo
 *
- * Copyright (C) 2007-2013 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@
 #ifndef UIXMAILACTIONS_H
 #define UIXMAILACTIONS_H

+#import <UI/Common/SOGoDirectAction.h>

-@interface UIxMailActions : WODirectAction
+@interface UIxMailActions : SOGoDirectAction
@end

 #endif /* UIXMAILACTIONS_H */
--- a/UI/MailerUI/UIxMailActions.m
+++ b/UI/MailerUI/UIxMailActions.m
@ -37,8 +37,6 @@
 #import <SoObjects/SOGo/SOGoUserSettings.h>
 #import <SoObjects/SOGo/SOGoUserDefaults.h>

-#import "../Common/WODirectAction+SOGo.h"
-
 #import "UIxMailActions.h"

@implementation UIxMailActions
--- a/UI/MailerUI/UIxMailFolderActions.h
+++ b/UI/MailerUI/UIxMailFolderActions.h
@ -21,10 +21,11 @@
 #ifndef UIXMAILFOLDERACTIONS_H
 #define UIXMAILFOLDERACTIONS_H

+#import <UI/Common/SOGoDirectAction.h>

@class WOResponse;

-@interface UIxMailFolderActions : WODirectAction
+@interface UIxMailFolderActions : SOGoDirectAction

 - (id <WOActionResults>) createFolderAction;
 - (WOResponse *) renameFolderAction;
--- a/UI/MailerUI/UIxMailFolderActions.m
+++ b/UI/MailerUI/UIxMailFolderActions.m
@ -38,8 +38,6 @@
 #import <SOGo/SOGoUser.h>
 #import <SOGo/SOGoUserSettings.h>

-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxMailFolderActions.h"

@implementation UIxMailFolderActions
@ -225,7 +223,6 @@
  SOGoUserSettings *us;
  WOResponse *response;
  NSException *error;
-
  BOOL moved;

  co = [self clientObject];
--- a/UI/MailerUI/UIxMailListActions.h
+++ b/UI/MailerUI/UIxMailListActions.h
@ -1,6 +1,5 @@
 /*
-  Copyright (C) 2004-2005 SKYRIX Software AG
-  Copyright (C) 2004-2014 Inverse inc
+  Copyright (C) 2004-2016 Inverse inc

  This file is part of SOGo.

@ -23,13 +22,14 @@
 #ifndef UIXMAILLISTACTIONS_H
 #define UIXMAILLISTACTIONS_H

-
@class NSDictionary;
@class EOQualifier;
@class SOGoDateFormatter;
@class UIxMailSizeFormatter;

-@interface UIxMailListActions : WODirectAction
+#import <UI/Common/SOGoDirectAction.h>
+
+@interface UIxMailListActions : SOGoDirectAction
 {
  NSArray *sortedUIDs; /* we always need to retrieve all anyway! */
  NSArray *messages;
--- a/UI/MailerUI/UIxMailListActions.m
+++ b/UI/MailerUI/UIxMailListActions.m
@ -58,7 +58,6 @@
 #import <SOGo/SOGoUserSettings.h>
 #import <SOGo/WOResourceManager+SOGo.h>

-#import <UI/Common/WODirectAction+SOGo.h>
 #import <UI/MailPartViewers/UIxMailSizeFormatter.h>

 #import "WOContext+UIxMailer.h"
--- a/UI/MailerUI/UIxMailSourceView.h
+++ b/UI/MailerUI/UIxMailSourceView.h
@ -1,6 +1,6 @@
 /* UIxMailSourceView.h - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@
 #ifndef UIXMAILSOURCEVIEW_H
 #define UIXMAILSOURCEVIEW_H

+#import <UI/Common/SOGoDirectAction.h>

-@interface UIxMailSourceView : WODirectAction
+@interface UIxMailSourceView : SOGoDirectAction

@end

--- a/UI/MailerUI/UIxMailSourceView.m
+++ b/UI/MailerUI/UIxMailSourceView.m
@ -1,6 +1,6 @@
 /* UIxMailSourceView.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -23,8 +23,6 @@

 #import <SoObjects/Mailer/SOGoMailObject.h>

-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxMailSourceView.h"

@implementation UIxMailSourceView
--- a/UI/MainUI/SOGoMicrosoftActiveSyncActions.m
+++ b/UI/MainUI/SOGoMicrosoftActiveSyncActions.m
@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2014 Inverse inc. 
+  Copyright (C) 2014-2016 Inverse inc.

  This file is part of SOGo.

@ -23,10 +23,11 @@
 #import <SOGo/SOGoCache.h>
 #import <SOGo/NSObject+Utilities.h>

-#import <NGObjWeb/NSException+HTTP.h>
 #import <NGObjWeb/WOContext.h>
+#import <NGObjWeb/WODirectAction.h>
+#import <NGObjWeb/NSException+HTTP.h>
+#import <NGObjWeb/WOResponse.h>

-#import <Common/WODirectAction+SOGo.h>
 #import <ActiveSync/SOGoActiveSyncDispatcher.h>

@interface SOGoMicrosoftActiveSyncActions : WODirectAction
@ -47,7 +48,9 @@
  Class clazz;

  request = (WORequest *)[context request];
-  response = [self responseWithStatus: 200];
+  response = [context response];
+  [response setStatus: 200];
+  [response setHeader: @"text/plain; charset=utf-8"  forKey: @"content-type"];

  bundle = [NSBundle bundleForClass: NSClassFromString(@"ActiveSyncProduct")];
  clazz = [bundle classNamed: @"SOGoActiveSyncDispatcher"];
--- a/UI/MainUI/SOGoRootPage.m
+++ b/UI/MainUI/SOGoRootPage.m
@ -36,6 +36,7 @@

 #import <Appointments/SOGoAppointmentFolders.h>

+#import <SOGo/NSString+Crypto.h>
 #import <SOGo/NSString+Utilities.h>
 #import <SOGo/SOGoBuild.h>
 #import <SOGo/SOGoCache.h>
@ -170,14 +171,14 @@
 {
  WOResponse *response;
  WORequest *request;
-  WOCookie *authCookie;
+  WOCookie *authCookie, *xsrfCookie;
  SOGoWebAuthenticator *auth;
  SOGoAppointmentFolders *calendars;
  SOGoUserDefaults *ud;
  SOGoUser *loggedInUser;
  NSDictionary *params;
  NSString *username, *password, *language, *domain, *remoteHost;
-  NSArray *supportedLanguages;
+  NSArray *supportedLanguages, *creds;
  
  SOGoPasswordPolicyError err;
  int expire, grace;
@ -232,6 +233,13 @@
                                  inContext: context];
      [response addCookie: authCookie];

+      // We prepare the XSRF protection cookie
+      creds = [auth parseCredentials: [authCookie value]];
+      xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
+                                      value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
+      [xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
+      [response addCookie: xsrfCookie];
+
      supportedLanguages = [[SOGoSystemDefaults sharedSystemDefaults]
                             supportedLanguages];
      loggedInUser = [SOGoUser userWithLogin: username];
@ -540,8 +548,8 @@
 - (WOResponse *) changePasswordAction
 {
  NSString *username, *domain, *password, *newPassword, *value;
+  WOCookie *authCookie, *xsrfCookie;
  NSDictionary *message;
-  WOCookie *authCookie;
  NSArray *creds;
  SOGoUserManager *um;
  SOGoPasswordPolicyError error;
@ -592,6 +600,12 @@
                                andPassword: newPassword
                                  inContext: context];
      [response addCookie: authCookie];
+
+      // We update the XSRF protection cookie
+      creds = [auth parseCredentials: [authCookie value]];
+      xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
+                                      value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
+      [response addCookie: xsrfCookie];
    }
  else
    response = [self _responseWithLDAPPolicyError: error];
--- a/UI/MainUI/SOGoUserHomePage.m
+++ b/UI/MainUI/SOGoUserHomePage.m
@ -455,8 +455,8 @@

 - (id <WOActionResults>) logoffAction
 {
-  SOGoWebAuthenticator *auth;
  NSString *userName, *value;
+  SOGoWebAuthenticator *auth;
  WOResponse *response;
  NSCalendarDate *date;
  WOCookie *cookie;
@ -486,6 +486,12 @@
  if (cookie)
    [response addCookie: cookie];

+  // We remove the XSRF cookie
+  cookie = [WOCookie cookieWithName: @"XSRF-TOKEN"  value: @"discard"];
+  [cookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
+  [cookie setExpires: [date yesterday]];
+  [response addCookie: cookie];
+
  [response setHeader: [date rfc822DateString] forKey: @"Last-Modified"];
  [response setHeader: @"no-store, no-cache, must-revalidate,"
            @" max-age=0, post-check=0, pre-check=0"
--- a/UI/PreferencesUI/UIxJSONPreferences.h
+++ b/UI/PreferencesUI/UIxJSONPreferences.h
@ -1,6 +1,6 @@
 /* UIxJSONPreferences.h - this file is part of SOGo
 *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@
 #ifndef UIXJSONPREFERENCES_H
 #define UIXJSONPREFERENCES_H

+#import <UI/Common/SOGoDirectAction.h>

-@interface UIxJSONPreferences : WODirectAction
+@interface UIxJSONPreferences : SOGoDirectAction

@end

--- a/UI/PreferencesUI/UIxJSONPreferences.m
+++ b/UI/PreferencesUI/UIxJSONPreferences.m
@ -35,8 +35,6 @@
 #import <SOGo/WOResourceManager+SOGo.h>
 #import <Mailer/SOGoMailLabel.h>

-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxJSONPreferences.h"

 static SoProduct *preferencesProduct = nil;
--- a/UI/SOGoUI/UIxComponent.m
+++ b/UI/SOGoUI/UIxComponent.m
@ -34,11 +34,14 @@
 #import <SOGo/NSCalendarDate+SOGo.h>
 #import <SOGo/NSDictionary+Utilities.h>
 #import <SOGo/NSObject+Utilities.h>
+#import <SOGo/NSString+Crypto.h>
 #import <SOGo/NSString+Utilities.h>
 #import <SOGo/SOGoBuild.h>
+#import <SOGo/SOGoSession.h>
 #import <SOGo/SOGoSystemDefaults.h>
 #import <SOGo/SOGoUser.h>
 #import <SOGo/SOGoUserFolder.h>
+#import <SOGo/SOGoWebAuthenticator.h>
 #import <SOGo/WOContext+SOGo.h>
 #import <SOGo/WOResourceManager+SOGo.h>

@ -763,4 +766,42 @@ static SoProduct      *commonProduct      = nil;
  return [sd uixDebugEnabled];
 }

+//
+// Protection against XSRF
+//
+- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
+{
+  SOGoWebAuthenticator *auth;
+  NSString *value, *token;
+  NSArray *creds;
+
+  if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
+    return [super performActionNamed: _actionName];
+
+  // If the action is 'connect' (or 'logoff'), we let it go as the token
+  // needs to be created (or destroyed) during the session initialization
+  if ([_actionName isEqualToString: @"connect"] ||
+      [_actionName isEqualToString: @"logoff"])
+    {
+      return [super performActionNamed: _actionName];
+    }
+
+  // We grab the X-XSRF-TOKEN header
+  token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
+
+  // We compare it with our session key
+  auth = [[WOApplication application]
+           authenticatorInContext: context];
+  value = [[context request]
+           cookieValueForKey: [auth cookieNameInContext: context]];
+  creds = [auth parseCredentials: value];
+
+  value = [SOGoSession valueForSessionKey: [creds lastObject]];
+
+  if ([token isEqualToString: [value asSHA1String]])
+    return [super performActionNamed: _actionName];
+
+  return nil;
+}
+
@end /* UIxComponent */
--- a/UI/Scheduler/UIxAppointmentActions.h
+++ b/UI/Scheduler/UIxAppointmentActions.h
@ -21,8 +21,9 @@
 #ifndef UIXAPPOINTMENTACTIONS_H
 #define UIXAPPOINTMENTACTIONS_H

+#import <Common/SOGoDirectAction.h>

-@interface UIxAppointmentActions : WODirectAction
+@interface UIxAppointmentActions : SOGoDirectAction

@end

--- a/UI/Scheduler/UIxAppointmentActions.m
+++ b/UI/Scheduler/UIxAppointmentActions.m
@ -40,8 +40,6 @@
 #import <Appointments/SOGoAppointmentFolder.h>
 #import <Appointments/SOGoAppointmentFolders.h>

-#import <Common/WODirectAction+SOGo.h>
-
 #import "UIxAppointmentActions.h"

@implementation UIxAppointmentActions
--- a/UI/Scheduler/UIxCalListingActions.h
+++ b/UI/Scheduler/UIxCalListingActions.h
@ -1,6 +1,6 @@
 /* UIxCalListingActions.h - this file is part of SOGo
 *
- * Copyright (C) 2006-2015 Inverse inc.
+ * Copyright (C) 2006-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,7 +21,7 @@
 #ifndef UIXCALLISTINGACTIONVIEW_H
 #define UIXCALLISTINGACTIONVIEW_H

-#import <Common/WODirectAction+SOGo.h>
+#import <Common/SOGoDirectAction.h>

@class NSCalendarDate;
@class NSMutableDictionary;
@ -33,7 +33,7 @@
@class WOResponse;
@class WORequest;

-@interface UIxCalListingActions : WODirectAction
+@interface UIxCalListingActions : SOGoDirectAction
 {
  NSMutableDictionary *componentsData;
  NSCalendarDate *startDate;
--- a/UI/Scheduler/UIxCalListingActions.m
+++ b/UI/Scheduler/UIxCalListingActions.m
@ -47,8 +47,6 @@
 #import <Appointments/SOGoAppointmentFolders.h>
 #import <Appointments/SOGoWebAppointmentFolder.h>

-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "NSArray+Scheduler.h"

 #import "UIxCalListingActions.h"
@ -1573,7 +1571,6 @@ _computeBlocksPosition (NSArray *blocks)
  SOGoAppointmentFolder *folder;
  SOGoAppointmentFolders *co;
  NSArray *folders;
-  
  int i;

  co = [self clientObject];
--- a/UI/Scheduler/UIxCalMainActions.h
+++ b/UI/Scheduler/UIxCalMainActions.h
@ -1,6 +1,6 @@
 /* UIxCalMainActions.h - this file is part of SOGo
 *
- * Copyright (C) 2009-2013 Inverse inc.
+ * Copyright (C) 2009-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,9 +21,9 @@
 #ifndef UIXCALMAINACTIONS_H
 #define UIXCALMAINACTIONS_H

-#import <Common/WODirectAction+SOGo.h>
+#import <Common/SOGoDirectAction.h>

-@interface UIxCalMainActions : WODirectAction
+@interface UIxCalMainActions : SOGoDirectAction

@end

--- a/UI/Scheduler/UIxCalMainActions.m
+++ b/UI/Scheduler/UIxCalMainActions.m
@ -1,6 +1,6 @@
 /* UIxCalMainActions.m - this file is part of SOGo
 *
- * Copyright (C) 2009-2015 Inverse inc.
+ * Copyright (C) 2009-2016 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
--- a/UI/WebServerResources/js/Common/Authentication.service.js
+++ b/UI/WebServerResources/js/Common/Authentication.service.js
@ -151,11 +151,17 @@

        changePassword: function(newPassword) {
          var d = $q.defer(),
-              loginCookie = readLoginCookie();
+              loginCookie = readLoginCookie(),
+              xsrfCookie = $cookies.get('XSRF-TOKEN');
+
+          $cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});

          $http({
            method: 'POST',
            url: '/SOGo/so/changePassword',
+            headers: {
+              'X-XSRF-TOKEN' : xsrfCookie
+            },
            data: {
              userName: loginCookie[0],
              password: loginCookie[1],
@ -186,6 +192,8 @@
              perr = passwordPolicyConfig.PolicyPasswordUnknown;
            }

+            // Restore the cookie
+            $cookies.put('XSRF-TOKEN', xsrfCookie, {path: '/SOGo/'});
            d.reject(error);
          });
          return d.promise;