deltaspike-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gpetra...@apache.org
Subject [2/2] deltaspike git commit: DELTASPIKE-960 use maxWindowIdCount for window-id cookies
Date Sun, 19 Jul 2015 15:21:14 GMT
DELTASPIKE-960 use maxWindowIdCount for window-id cookies


Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/e0aabe00
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/e0aabe00
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/e0aabe00

Branch: refs/heads/master
Commit: e0aabe00b3578fbe65095b34faf3533689c053c5
Parents: 104df5f
Author: gpetracek <gpetracek@apache.org>
Authored: Sun Jul 19 15:03:32 2015 +0200
Committer: gpetracek <gpetracek@apache.org>
Committed: Sun Jul 19 17:18:43 2015 +0200

----------------------------------------------------------------------
 .../component/window/WindowIdHtmlRenderer.java  | 29 ++++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/deltaspike/blob/e0aabe00/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
index 7cd2e03..6a2ea7a 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
@@ -63,16 +63,13 @@ public class WindowIdHtmlRenderer extends Renderer
         ClientWindowConfig.ClientWindowRenderMode clientWindowRenderMode =
                 clientWindowConfig.getClientWindowRenderMode(context);
 
+        boolean delegatedWindowMode =
+            ClientWindowConfig.ClientWindowRenderMode.DELEGATED.equals(clientWindowRenderMode);
+
         // don't cut the windowId generated from JSF
-        if (!ClientWindowConfig.ClientWindowRenderMode.DELEGATED.equals(clientWindowRenderMode))
+        if (!delegatedWindowMode)
         {
-            //already ensured by DefaultClientWindow
-            //just to ensure that we don't get a security issue in case of a customized client-window
implementation
-            //will never happen usually -> no real overhead
-            if (windowId != null && windowId.length() > this.maxWindowIdCount)
-            {
-                windowId = windowId.substring(0, this.maxWindowIdCount);
-            }
+            windowId = secureWindowId(windowId);
         }
 
         ResponseWriter writer = context.getResponseWriter();
@@ -84,14 +81,13 @@ public class WindowIdHtmlRenderer extends Renderer
         writer.write("'storeWindowTree':'" + clientWindowConfig.isClientWindowStoreWindowTreeEnabled()
+ "'");
 
         // see #729
-        if (clientWindow.isInitialRedirectSupported(context))
+        if (!delegatedWindowMode && clientWindow.isInitialRedirectSupported(context))
         {
             Object cookie = ClientWindowHelper.getRequestWindowIdCookie(context, windowId);
             if (cookie != null && cookie instanceof Cookie)
             {
                 Cookie servletCookie = (Cookie) cookie;
-                writer.write(",'initialRedirectWindowId':'" + servletCookie.getValue() +
"'");
-
+                writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue())
+ "'");
                 // expire/remove cookie
                 servletCookie.setMaxAge(0);
                 ((HttpServletResponse) context.getExternalContext().getResponse()).addCookie(servletCookie);
@@ -103,6 +99,16 @@ public class WindowIdHtmlRenderer extends Renderer
         writer.endElement("script");
     }
 
+    protected String secureWindowId(String windowId)
+    {
+        //restrict the length to prevent script-injection
+        if (windowId != null && windowId.length() > this.maxWindowIdCount)
+        {
+            windowId = windowId.substring(0, this.maxWindowIdCount);
+        }
+        return windowId;
+    }
+
     private void lazyInit()
     {
         if (clientWindow == null)
@@ -118,5 +124,4 @@ public class WindowIdHtmlRenderer extends Renderer
             }
         }
     }
-
 }


Mime
View raw message