Index: lams_build/lib/csrfguard/csrf.module.xml
===================================================================
diff -u -rf93389330412991fbdffdee69d9e8990efdb7cf8 -r3582a26f019d77b921db0379ca2516dd51860bde
--- lams_build/lib/csrfguard/csrf.module.xml (.../csrf.module.xml) (revision f93389330412991fbdffdee69d9e8990efdb7cf8)
+++ lams_build/lib/csrfguard/csrf.module.xml (.../csrf.module.xml) (revision 3582a26f019d77b921db0379ca2516dd51860bde)
@@ -24,11 +24,15 @@ - + + + + + \ No newline at end of file
Index: lams_build/lib/csrfguard/csrfguard-3.1.0-custom-2020.01.07.jar
===================================================================
diff -u -rf93389330412991fbdffdee69d9e8990efdb7cf8 -r3582a26f019d77b921db0379ca2516dd51860bde
Binary files differ
Index: lams_build/lib/csrfguard/csrfguard-4.1.3.jar
===================================================================
diff -u
Binary files differ
Index: lams_build/lib/csrfguard/csrfguard-extension-session-4.1.3.jar
===================================================================
diff -u
Binary files differ
Index: lams_build/lib/csrfguard/csrfguard-jsp-tags-4.1.3.jar
===================================================================
diff -u
Binary files differ
Index: lams_build/liblist.txt
===================================================================
diff -u -rfe4d029603238bbb734237cd5c7ca87fd062cfa5 -r3582a26f019d77b921db0379ca2516dd51860bde
--- lams_build/liblist.txt (.../liblist.txt) (revision fe4d029603238bbb734237cd5c7ca87fd062cfa5)
+++ lams_build/liblist.txt (.../liblist.txt) (revision 3582a26f019d77b921db0379ca2516dd51860bde)
@@ -24,8 +24,7 @@
 clamav-client clamav-client-2.0.2.jar 2.0.2 MIT cdarras on GitHub ClamAV antivirus client
-csrfguard csrfguard-3.1.0-custom-2020.01.07.jar custom build BSD License OWASP prevents CSRF attacks
- based on 3.1.0 master from 2020.01.07 with a custom modification in CsrfGuard.java
+csrfguard csrfguard-4.1.3.jar 4.1.3 BSD License OWASP prevents CSRF attacks
 etherpad etherpad_lite_client-1.2.13.jar 1.2.13 Apache License 2.0 Nils Fredrik Gjerull Client for Etherpad
Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r804dca72fa2ac638a9d3e2e66054d82688951c31 -r3582a26f019d77b921db0379ca2516dd51860bde
--- lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 804dca72fa2ac638a9d3e2e66054d82688951c31)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 3582a26f019d77b921db0379ca2516dd51860bde)
@@ -1,8 +1,12 @@
 # Only check POST forms. If we need to, we can add GET and other HTTP methods
 org.owasp.csrfguard.ProtectedMethods=POST
-# By default do not check anything. ignoreAll is the same as filter coverage in web.xml
-org.owasp.csrfguard.unprotected.ignoreAll=*.do
+# Do not check anything except for pages which are explicitly marked as protected
+org.owasp.csrfguard.Protect = true
+
+# Mandatory field for stateful applications like LAMS
+org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor
+
 # List of actions to check
 # Each key goes into a separate line prefixed with org.owasp.csrfguard.protected.
 # A key suffix must not contain a dot "." character
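Review bot: `org.owasp.csrfguard.Protect = true` exempts every request that is not listed under `org.owasp.csrfguard.protected.*`, which is wider than the `*.do` pattern of the removed `unprotected.ignoreAll` line. The removed comment says that pattern matched the filter coverage in web.xml, so the two are presumably equivalent today, but web.xml is not part of this change and the mapping should be confirmed. With opt-in protection, a new state-changing POST action that nobody adds to the list is accepted without a token and without any error, so the comment should carry that caveat, e.g. `# Opt-in mode: a POST action missing from the org.owasp.csrfguard.protected.* list below is NOT token-checked`. The list itself continues past the end of this hunk.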