From tab...@apache.org
Subject svn commit: r1418061 - /activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
Date Thu, 06 Dec 2012 20:37:05 GMT
Author: tabish
Date: Thu Dec  6 20:37:04 2012
New Revision: 1418061

URL: http://svn.apache.org/viewvc?rev=1418061&view=rev
Log:
fix for: https://issues.apache.org/jira/browse/AMQ-2740

Fix for NPE; indicate a possible CSRF attack instead.

Modified:
    activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java

Modified: activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java?rev=1418061&r1=1418060&r2=1418061&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
(original)
+++ activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
Thu Dec  6 20:37:04 2012
@@ -17,7 +17,6 @@
 package org.apache.activemq.web.handler;
 
 import java.util.Arrays;
-import java.util.UUID;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -25,15 +24,16 @@ import org.apache.activemq.web.Destinati
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.ServletRequestDataBinder;
-import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
 import org.springframework.web.servlet.HandlerExecutionChain;
+import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
 
 /**
- * 
+ *
  */
 public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping {
     private static final transient Logger LOG = LoggerFactory.getLogger(BindingBeanNameUrlHandlerMapping.class);
 
+    @Override
     protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
         Object object = super.getHandlerInternal(request);
 
@@ -45,21 +45,21 @@ public class BindingBeanNameUrlHandlerMa
             HandlerExecutionChain handlerExecutionChain = (HandlerExecutionChain) object;
             object = handlerExecutionChain.getHandler();
         }
-        
+
         if (object != null) {
-        	// prevent CSRF attacks
-        	if (object instanceof DestinationFacade) {
-        		// check supported methods
-        		if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod()))
{
-        			throw new UnsupportedOperationException("Unsupported method " + request.getMethod()
+ " for path " + request.getRequestURI());
-        		}
-        		// check the 'secret'
-        		if (!request.getSession().getAttribute("secret").equals(request.getParameter("secret")))
{
-        			throw new UnsupportedOperationException("Possible CSRF attack");
-        		}
-        	}
-        	
-        	
+            // prevent CSRF attacks
+            if (object instanceof DestinationFacade) {
+                // check supported methods
+                if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod()))
{
+                    throw new UnsupportedOperationException("Unsupported method " + request.getMethod()
+ " for path " + request.getRequestURI());
+                }
+                // check the 'secret'
+                if (request.getSession().getAttribute("secret") == null ||
+                    !request.getSession().getAttribute("secret").equals(request.getParameter("secret")))
{
+                    throw new UnsupportedOperationException("Possible CSRF attack");
+                }
+            }
+
             ServletRequestDataBinder binder = new ServletRequestDataBinder(object, "request");
             try {
                 binder.bind(request);
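Review bot: The secret check under `// check the 'secret'` still calls `request.getSession()` twice, and that call creates a new session for any request that arrives without one before the request is rejected. Reading the session once with `request.getSession(false)` avoids allocating server state for rejected requests, and a `LOG.warn` carrying the method and URI gives operators something to alert on, since the exception alone leaves no audit trail here. The `equals` comparison is also not constant-time; if the stored attribute is a String (not visible in this hunk), `MessageDigest.isEqual` over the UTF-8 bytes would be the hardened form. The fence needs an import of `javax.servlet.http.HttpSession`, and getHandlerInternal starts above this hunk and ends below it.

```java
                // … unchanged: supported-method check …
                // check the 'secret'
                HttpSession session = request.getSession(false);
                Object expected = session == null ? null : session.getAttribute("secret");
                if (expected == null || !expected.equals(request.getParameter("secret"))) {
                    LOG.warn("Rejected {} {}: missing or wrong CSRF secret",
                             request.getMethod(), request.getRequestURI());
                    throw new UnsupportedOperationException("Possible CSRF attack");
                }
```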
@@ -73,7 +73,7 @@ public class BindingBeanNameUrlHandlerMa
                 throw e;
             }
         }
-        
+
         return object;
     }
 }


