This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit c5cb927124528c06e80fcb8096ab954684436f7e Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Tue Jul 7 19:02:15 2020 +0200 Documented: POC for CSRF Token (CVE-2019-0235) (OFBIZ-11306) Clarifies the behaviour of csrf-token Thanks: James Yong --- framework/webapp/dtd/site-conf.xsd | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/framework/webapp/dtd/site-conf.xsd b/framework/webapp/dtd/site-conf.xsd index 01d0046..44d98a5 100644 --- a/framework/webapp/dtd/site-conf.xsd +++ b/framework/webapp/dtd/site-conf.xsd @@ -309,6 +309,14 @@ under the License. <xs:annotation> <xs:documentation> If true csrf token is expected. If false no csrf token check. Default to "". + + When csrf-token is empty or not set, the behaviour should be determined by + CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy). + + When csrf-token is explicitly set to either true or false, + CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy) + should follow the setting. + So if true, csrf token is expected. If false, no csrf token check. </xs:documentation> </xs:annotation> <xs:simpleType>
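Review bot: the final added line ("So if true, csrf token is expected. If false, no csrf token check.") restates the sentence that already opens the documentation block ("If true csrf token is expected. If false no csrf token check."), so the annotation now gives the same rule twice in slightly different wording; drop the original opening sentence (keeping `Default to ""`) or fold it into the new paragraph so there is one statement of the rule. The new text also defers the empty/unset case to "CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy)" without saying what the shipped default strategy does in that case, which is exactly what a site-conf author reading this element needs to know; a sentence describing the default behaviour, or a pointer to where the strategy implementation is configured, would make the annotation self-contained.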