
BuildEdgeIndexServlet XSRF


Details

    Description

      The BuildEdgeIndexServlet is responsible for rebuilding the edge index. Because it is a servlet rather than a Webwork action, XSRF checks must be implemented programmatically. The servlet does not currently implement any XSRF token check, so a cross-site request forgery against a logged-in administrator can force the edge index to be rebuilt.

      The guidance at https://developer.atlassian.com/display/CONFDEV/Form+Token+Handling should be followed to check the doPost method programmatically for the required token.

      BuildEdgeIndexServlet.java

      public class BuildEdgeIndexServlet extends HttpServlet
      {
          // ...
          protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException
          {
              if (!permissionManager.hasPermission(AuthenticatedUserThreadLocal.getUser(), Permission.ADMINISTER, PermissionManager.TARGET_APPLICATION))
                  resp.sendError(403, "Insufficient privileges.");
              // No XSRF token check is performed before this point, so any POST that
              // reaches the servlet triggers a rebuild.
              try
              {
                  edgeIndexBuilder.build(2);
              }
              catch (Exception e)
              {
                  resp.sendError(500, "Error rebuilding edge index: " + e.getMessage());
              }
              resp.getWriter().append("Build index completed successfully");
          }
          // ...
      }

          People

            fakraemer fabs
            f4e9401f9900 Dan Hodson