Releases: OWASP/www-project-csrfguard
4.1.2
What's Changed
- csrfguard.js: made compatible with IE11 + console.debug(...) commented by @stefano-1973 in #37
- Fix time comparison when checking pageToken time tolerance (fix #49) by @bpapez in #50
- Set up CI for running tests and generating a deployable version of the test application by @forgedhallpass in #53
- Fixed NewTokenLandingPage functionality by @forgedhallpass in 74008a2
- JavaDoc updates by @forgedhallpass in a1cf527
- Added OWASP Dependency Check GitHub action via Maven execution by @forgedhallpass in ce1622c
- JSTL dependency change by @forgedhallpass in 4bb4343
- Update GSON version due to reported CVE by @forgedhallpass in 7c8c178
- Added Snyk vulnerability scanning GitHub action by @forgedhallpass in 8379857
- Explicit dependabot configuration by @forgedhallpass in 1665f25
Version bumps
- Bump mockito.version from 3.6.0 to 4.3.1 by @dependabot in #63
- Bump maven-release-plugin from 3.0.0-M1 to 3.0.0-M5 by @dependabot in #62
- Bump maven-compiler-plugin from 3.8.1 to 3.10.0 by @dependabot in #61
- Bump nexus-staging-maven-plugin from 1.6.8 to 1.6.11 by @dependabot in #60
- Bump logback-classic from 1.2.4 to 1.2.10 by @dependabot in #59
- Bump slf4j-api from 1.7.31 to 1.7.36 by @dependabot in #67
- Bump maven-deploy-plugin from 3.0.0-M1 to 3.0.0-M2 by @dependabot in #66
- Bump maven-javadoc-plugin from 3.2.0 to 3.3.2 by @dependabot in #68
- Bump tomcat7-maven-plugin from 2.1 to 2.2 by @dependabot in #65
- Bump jsp-api from 2.1 to 2.2 by @dependabot in #64
- Bump junit.version from 5.7.0 to 5.8.2 by @dependabot in #70
- Bump commons-io from 2.8.0 to 2.11.0 by @dependabot in #71
- Bump maven-jar-plugin from 3.2.0 to 3.2.2 by @dependabot in #72
- Bump maven-scm-plugin from 1.11.2 to 1.12.2 by @dependabot in #69
New Contributors
- @stefano-1973 made their first contribution in #37
- @bpapez made their first contribution in #50
Full Changelog: 4.1.1...4.1.2
4.1.1
What's Changed
- Replace the logging logic with SLF4J #30 by @Matthajus in #33
- BugFix (security): do not serve the JS logic if the Referer header does not match the configured value by @forgedhallpass in 894892c
- Documentation updates by @forgedhallpass
- GPG error fix required for releasing by @forgedhallpass in e706907
New Contributors
- @Matthajus made their first contribution in #33
Full Changelog: 4.0.1...4.1.1
v4.1.0
What's Changed
- Replace the logging logic with SLF4J #30 by @Matthajus in #33
- BugFix (security): do not serve the JS logic if the Referer header does not match the configured value by @forgedhallpass in 894892c
- Documentation updates by @forgedhallpass
- Misc changes by @forgedhallpass
New Contributors
- @Matthajus made their first contribution in #33
Full Changelog: 4.0.1...4.1.0
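The Referer bugfix listed under 4.1.1 and v4.1.0 above is the security-relevant change in these releases: the served JavaScript is what makes CSRFGuard's tokens available to the client, and the fix stops it being served when the request's Referer does not match the configured value. The function below is an added example of that kind of gate, not CSRFGuard's own JavaScriptServlet code; the configuration shape (refererPattern, matchProtocol, matchDomain), the sample config and the URLs are assumptions constructed for the example.

```javascript
// Added example (not CSRFGuard's own code): decide whether the token-bearing
// CSRFGuard script may be served, based on the request's Referer header.
// The config fields below are assumed names for this example, not the
// project's property names.

function refererAllowsScript(refererHeader, requestUrl, config) {
  // A missing or empty Referer cannot be verified: refuse rather than risk
  // handing the script (and with it the tokens) to an unknown origin.
  if (!refererHeader) {
    return false;
  }

  let referer;
  let request;
  try {
    referer = new URL(refererHeader);
    request = new URL(requestUrl);
  } catch (e) {
    return false; // unparsable Referer is treated as a mismatch
  }

  // Configured pattern must match the whole Referer value (non-global regex,
  // so .test() carries no lastIndex state between calls).
  if (config.refererPattern && !config.refererPattern.test(refererHeader)) {
    return false;
  }
  // Optional stricter checks: same scheme and same host as the script request.
  if (config.matchProtocol && referer.protocol !== request.protocol) {
    return false;
  }
  if (config.matchDomain && referer.hostname !== request.hostname) {
    return false;
  }
  return true;
}

// Constructed sample configuration for the example.
const exampleConfig = {
  refererPattern: /^https:\/\/app\.example\.com\//,
  matchProtocol: true,
  matchDomain: true,
};

// Constructed sample requests: the script servlet URL is an assumption.
const scriptUrl = 'https://app.example.com/JavaScriptServlet';

function demo() {
  return {
    samePage: refererAllowsScript('https://app.example.com/home', scriptUrl, exampleConfig),
    crossSite: refererAllowsScript('https://evil.example.net/', scriptUrl, exampleConfig),
    noReferer: refererAllowsScript(undefined, scriptUrl, exampleConfig),
    downgraded: refererAllowsScript('http://app.example.com/home', scriptUrl, exampleConfig),
  };
}
```

The deny-by-default on a missing Referer is a design choice of this example: browsers strip the header for some navigations, so a deployment that needs to tolerate that has to decide it explicitly rather than fall open.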
v4.0.1
Bugfix release: Making sure that JSP tag logic is not invoked if CSRFGuard is disabled by configuration. Thanks to @alexhatz05
OWASP CSRFGuard 4.0.0
Building the code
- Make sure you have Apache Maven 3.0.4+ and JDK 1.8+ installed
- Clone this repository locally
- Build the project by running `mvn clean install` in the project root directory
- Build and run the test JSP web application by running `mvn pre-integration-test -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp` or `mvn -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp tomcat7:run`
- Optional: you can use `mvnDebug` to enable remote debugging, then connect your IDE to it (default port is 8000)
- Use a web browser to access http://localhost:8080 to open the home page of the test project
Using with Maven
OWASP CSRFGuard 4.0.0 is available on the Maven Central repository. Add the following dependencies to your Maven POM file to use the library:
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>4.0.0</version>
</dependency>
<!-- Stateful web application support -->
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard-extension-session</artifactId>
<version>4.0.0</version>
</dependency>
<!-- JSP TAG support -->
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard-jsp-tags</artifactId>
<version>4.0.0</version>
</dependency>
Release Notes:
- Support for stateless web applications
- Apply "TokenPerPage" approach to AJAX
- Reduced code duplication
- Proper multi-module maven project structure
- The test JSP web application now relies on the latest development JavaScript code
- Improved code quality
- Addressing synchronous XMLHttpRequest deprecation
- Approach changed for master and page token retrieval
- Improved test coverage
- Better solution for looking up page tokens in the JS
- The javascript template is now parsable and minifiable
- Short-circuit the solution logic if CSRFGuard is disabled
- Do not generate page tokens for pages that are not protected
- Page tokens generated on first use are not sent back to the client
- Issue with the token-per-page support for REST endpoints containing path parameters
- Possible race condition on first access of endpoints when token-per-page and AJAX request options are enabled
- Tokens are not injected into dynamically created DOM elements
- Make the configuration more resilient to errors
- Tokens should not be injected into external links if the domainStrict property is set to true
- Tokens not injected in dynamic content returned from Ajax
- Heavily refactored, improved and more optimized code-base
- Documentation update and typo fixes.
- Copyright update and unification.
Created by @forgedhallpass
OWASP CSRFGuard 4.0.0-RC1
Building the code
- Make sure you have Apache Maven 3.0.4+ and JDK 1.8+ installed
- Clone this repository locally
- Build the project by running `mvn clean install` in the project root directory
- Build and run the test JSP web application by running `mvn pre-integration-test -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp` or `mvn -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp tomcat7:run`
- Optional: you can use `mvnDebug` to enable remote debugging, then connect your IDE to it (default port is 8000)
- Use a web browser to access http://localhost:8080 to open the home page of the test project
Release notes:
- Support for stateless web applications
- Apply "TokenPerPage" approach to AJAX
- Reduced code duplication
- Proper multi-module maven project structure
- The test JSP web application now relies on the latest development JavaScript code
- Improved code quality
- Addressing synchronous XMLHttpRequest deprecation
- Approach changed for master and page token retrieval
- Improved test coverage
- Better solution for looking up page tokens in the JS
- The javascript template is now parsable and minifiable
- Short-circuit the solution logic if CSRFGuard is disabled
- Do not generate page tokens for pages that are not protected
- Page tokens generated on first use are not sent back to the client
- Issue with the token-per-page support for REST endpoints containing path parameters
- Possible race condition on first access of endpoints when token-per-page and AJAX request options are enabled
- Tokens are not injected into dynamically created DOM elements
- Make the configuration more resilient to errors
- Tokens should not be injected into external links if the domainStrict property is set to true
- Tokens not injected in dynamic content returned from Ajax
- Heavily refactored, improved and more optimized code-base
- Documentation update and typo fixes.
- Copyright update and unification.
Created by @forgedhallpass
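The 4.0.0 and 4.0.0-RC1 release notes above both list "Tokens should not be injected into external links if the domainStrict property is set to true". The reason it is a security fix rather than a cosmetic one is that a token placed in the query string of a cross-site link travels to the other site in the URL and its Referer, so deciding which link targets qualify is part of the protection. The code below is an added example of such a decision, written for Node's URL class; it is not csrfguard.js and its subdomain rule (either host may be a subdomain of the other when domainStrict is off), the page URLs, hrefs and the token value are assumptions constructed for the example.

```javascript
// Added example (not csrfguard.js): decide whether a link target should
// receive a CSRF token, and rewrite the href when it should.

// Assumed policy for this example: with domainStrict the link host must equal
// the page host; without it, one host may be a subdomain of the other.
function isProtectedHost(pageHost, targetHost, domainStrict) {
  const page = pageHost.toLowerCase();
  const target = targetHost.toLowerCase();
  if (page === target) {
    return true;
  }
  if (domainStrict) {
    return false;
  }
  // Match on a label boundary: "api.example.com" qualifies for "example.com",
  // "evil-example.com" does not.
  return target.endsWith('.' + page) || page.endsWith('.' + target);
}

function shouldInjectToken(pageUrl, href, domainStrict) {
  const lowered = href.trim().toLowerCase();
  // Fragment-only and non-navigational hrefs carry no request to protect.
  if (lowered.startsWith('#') || lowered.startsWith('javascript:') || lowered.startsWith('mailto:')) {
    return false;
  }
  let target;
  try {
    target = new URL(href, pageUrl); // resolves relative and protocol-relative hrefs
  } catch (e) {
    return false;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return false;
  }
  const page = new URL(pageUrl);
  return isProtectedHost(page.hostname, target.hostname, domainStrict);
}

// Appends the token as a query parameter when the target qualifies; otherwise
// returns the href unchanged. Note that a qualifying relative href comes back
// as an absolute URL because it is rebuilt through the URL class.
function injectTokenIntoHref(pageUrl, href, domainStrict, tokenName, tokenValue) {
  if (!shouldInjectToken(pageUrl, href, domainStrict)) {
    return href;
  }
  const target = new URL(href, pageUrl);
  target.searchParams.set(tokenName, tokenValue); // encodes the value for the query string
  return target.toString();
}

// Constructed sample inputs: page URL, hrefs and token value are made up for
// this example; OWASP-CSRFTOKEN is used as the parameter name.
const samplePage = 'https://www.example.com/app/page';
const sampleToken = 'c0nstructed-t0ken';

function demo(domainStrict) {
  const hrefs = [
    '/app/submit?x=1',
    'https://www.example.com/app/logout',
    'https://example.com/',
    'https://attacker.example.net/collect',
    'javascript:void(0)',
  ];
  return hrefs.map((h) => injectTokenIntoHref(samplePage, h, domainStrict, 'OWASP-CSRFTOKEN', sampleToken));
}
```

The cross-site and `javascript:` hrefs come back untouched under both settings; only the parent-domain link changes its fate when domainStrict is switched off.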
OWASP CSRFGuard 3.X (legacy)
OWASP CSRFGuard 3.1.0-SNAPSHOT (for historical reasons)
Building locally
- Make sure that you have Apache Maven 3.0.4 or higher and JDK 1.6 or higher installed;
- Clone this repository locally;
- Build the csrfguard project first: `cd csrfguard` followed by `mvn clean install`;
- Build and run the csrfguard-test project: `cd ../csrfguard-test` followed by `mvn clean package tomcat7:run`;
- Use a web browser to access http://localhost:8000 to open the home page of the test project.
OWASP CSRFGuard 3.1.0 Stable Release
Using with Maven
OWASP CSRFGuard 3.1.0 is available on the Maven Central repository. Add the following dependency to your Maven POM file to use the library:
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.1.0</version>
</dependency>
Original release date: Jan 22 2015