Using a context path can break XSRF Check


    • Severity 3 - Minor

      Issue Summary

      When Fecru is accessed through a context path (<base_url>/context), the XSRF check performed during the OAuth dance with Application Links fails.

      Steps to Reproduce

      1. Set up Jira (latest version)
      2. Set up Fisheye 4.8.15 served under a context path
      3. Create an application link between the two
      4. Attempt to authenticate through the application link
      5. Click "Allow" in the OAuth popup

      Expected Results

      The OAuth token is created and the application link features are accessible to the user.

      Actual Results

      The popup instead shows:

      XSRF Validation Failed

      Workaround

      Reconfigure network routing and Fisheye so that Fisheye is not served under a web context path,
      or
      use the following Byteman script to whitelist the Jira base URL as an accepted Referer:

      # Byteman rule: accept the request when the Referer starts with the Jira base URL;
      # otherwise fall through to the normal XSRF entry checks (URL, Referer and token).
      # <base_url> -> replace with the Jira base URL for the client, eg. https://my.jira.com:8080
      # Give it a trailing slash (eg. https://my.jira.com:8080/) so that a host name that
      # merely begins with the Jira host name does not also satisfy the startsWith test.
      RULE url-whitelist
      CLASS com.atlassian.sal.fisheye.xsrf.FisheyeXsrfTokenAccessor
      METHOD foundValidCsrfEntry
      AT ENTRY
      BIND NOTHING
      IF TRUE
      DO
       # Parameters by position in the original expression: $1 the CSRF entry,
       # $2 the request URL, $3 the Referer, $4 the token.
       return $3.startsWith("<base_url>") || ($1.urlMatches($2) && $1.referrerMatches($3) && $1.tokenMatches($4));
      ENDRULE
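      The rule above short-circuits on $3.startsWith("<base_url>"), so the Referer is accepted whenever it merely begins with the configured Jira base URL. The snippet below is an added illustration (not Fisheye, Byteman or Atlassian code) of what that prefix test accepts compared with a scheme/host/port comparison. The base URL https://my.jira.com:8080 is the placeholder from the comment above, and the sample Referer values are constructed for the example.

```python
from urllib.parse import urlsplit

# Placeholder taken from the workaround's comment; not a real host.
JIRA_BASE_URL = "https://my.jira.com:8080"

DEFAULT_PORTS = {"http": 80, "https": 443}


def referrer_allowed_by_prefix(referrer: str, base_url: str = JIRA_BASE_URL) -> bool:
    """Same test as the Byteman rule's $3.startsWith("<base_url>") shortcut."""
    return referrer.startswith(base_url)


def _origin(url: str):
    """Return (scheme, host, port) for a URL, or None if it has no usable authority.

    urlsplit() puts everything after the first ':' of the authority into the port
    field, so "my.jira.com:8080.evil.example" has hostname "my.jira.com" and a
    non-numeric port.  .port raises ValueError for it, which is treated here as
    'no valid origin' instead of letting the hostname alone decide.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    # .hostname is already lower-cased; fill in the default port when none is given.
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def referrer_allowed_by_origin(referrer: str, base_url: str = JIRA_BASE_URL) -> bool:
    """Accept the Referer only if its scheme, host and port equal the Jira base URL's."""
    want = _origin(base_url)
    return want is not None and _origin(referrer) == want


# Constructed Referer values: one legitimate Jira page and three lookalikes.
SAMPLE_REFERRERS = [
    "https://my.jira.com:8080/plugins/servlet/oauth/authorize",
    "https://my.jira.com:8080.evil.example/",           # host merely begins with the Jira host
    "https://my.jira.com:8080@evil.example/",           # Jira base URL smuggled in as userinfo
    "https://MY.JIRA.COM:8080/secure/Dashboard.jspa",   # same origin, different letter case
]


def compare_checks(referrers=SAMPLE_REFERRERS):
    """Return {referrer: (accepted_by_prefix, accepted_by_origin)} for each sample."""
    return {
        r: (referrer_allowed_by_prefix(r), referrer_allowed_by_origin(r))
        for r in referrers
    }


if __name__ == "__main__":
    for ref, (by_prefix, by_origin) in compare_checks().items():
        print(f"{ref}\n  startsWith: {by_prefix}   origin match: {by_origin}")
```

      The two lookalike hosts pass the prefix test and fail the origin comparison, while the upper-cased legitimate host fails the prefix test and passes the origin comparison. If the prefix form is kept in the Byteman rule, giving the base URL a trailing slash closes the two lookalike cases, since the character after the port must then be "/".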
      

            Assignee: Oleksii Barandii (Inactive)
            Reporter: Aaron
            Votes: 0
            Watchers: 7

            Estimated: Not Specified
            Remaining: Not Specified
            Logged: 0.15h