Remove wildcard usage in AuthCheckFilter
Environment: None

Activity
Daniel Jackson May 17, 2023 at 11:03 AM
The wildcard for the setup pages has been removed and is ready to merge in with the patches for 4.6, 4.7 and main.

Daniel Jackson May 10, 2023 at 12:28 PM
Pushed up a new branch on the private fork named ‘OF-2595-authcheck-wildcard’ which we can merge into main, 4.7 and 4.6 when approved/reviewed. Ensured all the JSPs under the setup path are still permitted and removed the wildcard. Exploit fails and setup still works.
JSPFs and pages with the suffix ‘_test’ are not included in the excludes. Does this need to be different in the test-web.xml? (Tests pass with it being identical currently.)
Description

The implementation of org.jivesoftware.admin.AuthCheckFilter#testURLPassesExclude allows wildcard characters (*) to be used to match URLs against an auth-exclusion pattern. An auth-exclusion pattern that includes such a wildcard character is hard-coded in Openfire's xmppserver/src/main/webapp/WEB-INF/web.xml, in its 'AuthCheck' filter definition (note the setup/setup-* value):

    <filter>
      <filter-name>AuthCheck</filter-name>
      <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
      <init-param>
        <param-name>excludes</param-name>
        <param-value>
          login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,loginToken.jsp
        </param-value>
      </init-param>
    </filter>

Openfire should not have wildcards in the auth-exclusions. Investigate whether it is possible to replace the wildcard entry with multiple entries, one for each resource that the wildcard would cover (as the resources are all under setup, it is likely a finite set of resources). Test whether Openfire's setup remains functional afterwards.

This change should go in branches main, 4.7 and 4.6 of the private temporary fork of Openfire that is used to address this vulnerability.
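To illustrate why the wildcard entry is broader than an explicit list, here is an added example (not Openfire's AuthCheckFilter, whose real matching rules are not reproduced) that models a simplified exclusion check and runs both forms of the excludes value over a few constructed URLs; the setup file names in the explicit list are placeholders, not the real resources under setup/.

```java
import java.util.Arrays;
import java.util.List;

// Added example: a simplified model of an auth-exclusion check, used only to
// compare the wildcard entry with an explicit, finite list of resources.
public class AuthExcludeModel {

    // Excludes value as hard-coded in the web.xml quoted above (with the wildcard).
    static final String WILDCARD_EXCLUDES =
        "login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,loginToken.jsp";

    // Excludes value with the wildcard replaced by named resources. The two
    // setup-page names are constructed placeholders, not Openfire's real files.
    static final String EXPLICIT_EXCLUDES =
        "login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-page-a.jsp,setup/setup-page-b.jsp,.gif,.png,error-serverdown.jsp,loginToken.jsp";

    /** Simplified matcher (an assumption for this example, not testURLPassesExclude). */
    static boolean urlPassesExclude(String url, String exclude) {
        if (exclude.contains("?")) {            // rules carrying a query string: exact match only
            return url.equals(exclude);
        }
        if (exclude.endsWith("*")) {            // wildcard rule: any URL sharing the prefix passes
            return url.startsWith(exclude.substring(0, exclude.length() - 1));
        }
        if (exclude.startsWith(".")) {          // extension rules such as .gif / .png
            return url.endsWith(exclude);
        }
        return url.equals(exclude);             // everything else: one named resource
    }

    /** True when any comma-separated rule in the excludes value admits the URL. */
    static boolean isExcluded(String url, String excludes) {
        for (String exclude : excludes.split(",")) {
            if (urlPassesExclude(url, exclude.trim())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> urls = Arrays.asList(
            "setup/setup-page-a.jsp",      // a listed setup page: excluded by both forms
            "setup/setup-anything.jsp",    // not in the finite set: only the wildcard admits it
            "some-admin-page.jsp");        // ordinary admin page: admitted by neither
        for (String url : urls) {
            System.out.printf("%-28s wildcard=%-5s explicit=%s%n", url,
                isExcluded(url, WILDCARD_EXCLUDES), isExcluded(url, EXPLICIT_EXCLUDES));
        }
    }
}
```

The second URL is the point of the ticket: with the wildcard in place, any request whose path merely begins with setup/setup- bypasses AuthCheck, whereas the explicit list admits only the resources that were enumerated.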