From: Maria Odea B. Ching <oching@apache.org>
Date: Wed, 24 Nov 2010 08:16:46 +0000 (+0000)
Subject: [MRM-1438] [CVE-2010-3449]
X-Git-Tag: archiva-1.3.2~5
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=71d0bb56b1d80ee605420772adb5acb71335ef43;p=archiva.git

[MRM-1438] [CVE-2010-3449]
o update to Redback 1.2.4 issue is fixed
o enable referrer check by default for security interceptor


git-svn-id: https://svn.apache.org/repos/asf/archiva/branches/archiva-1.3.x@1038518 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
index 138843335..1760450a5 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
@@ -41,7 +41,9 @@
         <interceptor-ref name="paramFilter">
           <param name="blocked">externalResult</param>
         </interceptor-ref>
-        <interceptor-ref name="redbackSecureActions"/>
+        <interceptor-ref name="redbackSecureActions">
+          <param name="enableReferrerCheck">true</param>
+        </interceptor-ref>
         <interceptor-ref name="redbackPolicyEnforcement"/>
         <interceptor-ref name="configuration"/>
         <interceptor-ref name="validation">
@@ -57,7 +59,9 @@
         <interceptor-ref name="redbackAutoLogin"/>
         <interceptor-ref name="defaultStack"/>
         <interceptor-ref name="redbackPolicyEnforcement"/>
-        <interceptor-ref name="redbackSecureActions"/>
+        <interceptor-ref name="redbackSecureActions">
+          <param name="enableReferrerCheck">true</param>
+        </interceptor-ref>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>
         </interceptor-ref>
diff --git a/pom.xml b/pom.xml
index 2203e00fb..38ec5aef7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1102,7 +1102,7 @@
   <properties>
     <maven.version>2.0.8</maven.version>
     <wagon.version>1.0-beta-5</wagon.version>
-    <redback.version>1.3-SNAPSHOT</redback.version>
+    <redback.version>1.2.4</redback.version>
     <jetty.version>6.1.19</jetty.version>
     <slf4j.version>1.5.8</slf4j.version>
     <binder.version>0.9</binder.version>