From xuhaih...@apache.org
Subject svn commit: r780269 - in /geronimo/server/branches/2.1/plugins/console/console-filter/src/main: java/org/apache/geronimo/console/filter/XSRFHandler.java resources/XSRF.js
Date Sat, 30 May 2009 14:05:45 GMT
Author: xuhaihong
Date: Sat May 30 14:05:45 2009
New Revision: 780269

URL: http://svn.apache.org/viewvc?rev=780269&view=rev
Log:
GERONIMO-4641 XSSXSRFFilter causes some link failures (Patch from Rex Wang)

Modified:
    geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
    geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/XSRF.js

Modified: geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=780269&r1=780268&r2=780269&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
(original)
+++ geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
Sat May 30 14:05:45 2009
@@ -87,9 +87,9 @@
             return false;
         }
 
-        String sesId = (String)hses.getAttribute(XSRF_UNIQUEID);
-        String reqId = (String)hreq.getParameter(XSRF_UNIQUEID);
         if ((hreq.getQueryString() != null) || (hreq.getParameterNames().hasMoreElements()))
{
+            String sesId = (String)hses.getAttribute(XSRF_UNIQUEID);
+            String reqId = (String)hreq.getParameter(XSRF_UNIQUEID);
             log.debug("XSRF checking requestURI=" + hreq.getRequestURI());
             // only check if this is a form GET/POST
             if (sesId == null) {
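Review bot: The condition on line 34 is what decides whether a request is checked at all — a request with neither a query string nor any parsed parameter never reaches the token comparison — yet the only comment in the hunk, `// only check if this is a form GET/POST`, sits two lines below it next to the log call, where it describes nothing. Moving the session/request id reads inside the block is harmless, but the exemption itself deserves a comment on the `if`, e.g. `// Requests carrying no parameters are exempt from the token check; only parameterized GETs and form POSTs are compared against the session id.` For a multipart/form-data POST the container presumably exposes no parameters to getParameter(), so a hidden field would not be seen here — which appears to be why the JS side of this commit moves the token into the form action for such forms; that dependency is worth stating in the same comment. The enclosing method begins and ends outside the hunk.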

Modified: geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/XSRF.js
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/XSRF.js?rev=780269&r1=780268&r2=780269&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/XSRF.js
(original)
+++ geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/XSRF.js
Sat May 30 14:05:45 2009
@@ -18,47 +18,44 @@
 var formID = '<%XSRF_UNIQUEID%>';
 function updateLinks() {
     var elements = document.all ? document.all : document.getElementsByTagName('*');
-    var len = elements.length;
-    for (var i=0; i<len; i++) {
-        var element = elements[i];      
-        updateLink(element, 'src');
-        updateLink(element, 'href');
-//        updateOnclickLink(element);
+    for (var i=0; i<elements.length; i++) {   
+        var link = elements[i].getAttribute('href');
+        if (link != null && isURL(link) && link.indexOf('?') != -1) {
+            // add formId only if other attributes are present in link
+           	// Note: we cannot use setAttribute due to IE issues so we are using element.*=
+          	elements[i].href = link + '&formId=' + formID;
+        }
     }
 }
+
 function updateForms() {
-   var forms = document.getElementsByTagName('form');
-   for (i=0; i<forms.length; i++) {
-       var input = document.createElement('input');
-       if (document.all) {
-          input.type = 'hidden';
-          input.name = 'formId';
-          input.value = formID;
-       } else if (document.getElementById) {
-          input.setAttribute('type', 'hidden');
-          input.setAttribute('name', 'formId');
-          input.setAttribute('value', formID);
-       }
-       forms[i].appendChild(input);
-   }
-}
-function updateLink(element, attr) {
-    var link = element.getAttribute(attr);
-    if ((link != null) && (link != '') && isURL(link)) {
-        var i = link.indexOf('?');
-        // add formId only if other attributes are present in link
-        if (i != -1) {
-            link = link + '&formId=' + formID;
-            // Note: we cannot use setAttribute due to IE issues so we are using element.*=
-            if (attr.substring(0,3) == 'src') {
-                element.src=link;
-            }
-            else {
-                element.href=link;
+	var forms = document.getElementsByTagName('form');
+	for (i=0; i<forms.length; i++) {
+		if (forms[i].getAttribute('enctype').toLowerCase() == 'multipart/form-data'){ // add formId
in action link
+            var link = forms[i].getAttribute('action');
+            if (link != null && isURL(link)) {
+            	if (link.indexOf('?') == -1) {
+            		link = link + '?'
+            	}
+           	    // Note: we cannot use setAttribute due to IE issues so we are using element.*=
+           	    forms[i].action = link + '&formId=' + formID;
             }
+        } else {
+        	var input = document.createElement('input');
+        	if (document.all) {		//IE
+        	    input.type = 'hidden';
+        	    input.name = 'formId';
+        	    input.value = formID;
+        	} else if (document.getElementById) {	//firefox
+        	    input.setAttribute('type', 'hidden');
+        	    input.setAttribute('name', 'formId');
+        	    input.setAttribute('value', formID);
+        	}
+        	forms[i].appendChild(input);
         }
-    }
+	}
 }
+
 function updateOnclickLink(element) {
     var link = element.getAttribute('onclick');
     if ((link != null) && (link != '')) {
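Review bot: Line 100 calls `.toLowerCase()` directly on `forms[i].getAttribute('enctype')`, which is null for the common case of a form with no enctype attribute; the resulting TypeError aborts updateForms(), so every form after that one in the document gets no hidden formId field and its submission would presumably be rejected by the server-side check. Guard the value first: `var enctype = forms[i].getAttribute('enctype');` / `if (enctype != null && enctype.toLowerCase() == 'multipart/form-data') {`. Two smaller points in the same block: line 99 assigns the loop counter `i` without `var`, making it an implicit global (updateLinks on line 59 declares its own), and lines 104-108 produce `action?&formId=…` for an action with no query string, because `?` is appended and `&formId` is then concatenated unconditionally — `forms[i].action = link + (link.indexOf('?') == -1 ? '?' : '&') + 'formId=' + formID;` avoids the stray `&` and the missing semicolon on line 105. updateOnclickLink starts on line 127 and continues outside the hunk.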
@@ -74,12 +71,14 @@
     }
     return false;
 }
+
 function isURL(link) {
-    var rc = 0;
-    if (link.substring(0, 4) == 'http' || link.substring(0, 1) == '/') {
-        rc = 1;
-    }
-    return rc;
+   	if ((typeof link == 'string') && link.constructor == String){
+   	   	if (link != '' && (link.substring(0, 4) == 'http' || link.substring(0, 1)
== '/')){
+   	    	return true;
+   	    }
+   	}
+   	return false;
 }
 updateLinks();
 updateForms();
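Review bot: isURL (lines 135-148) accepts any string beginning with `http` or `/`, so updateLinks appends the token to absolute links pointing at other hosts and to protocol-relative `//host/...` links as well as to the console's own paths, and the rewrite keeps that scope unchanged; since formId is the session's XSRF secret, a link that leaves this origin carries it to a third party in the URL. If the intent is console-internal links only (the old code made the same assumption), restricting the match to the current origin closes that gap; a version in the file's existing style is sketched below. The `link.constructor == String` test on line 141 adds nothing over `typeof link == 'string'` and can be dropped.
```javascript
function isURL(link) {
    if (typeof link != 'string' || link == '') {
        return false;
    }
    var origin = location.protocol + '//' + location.host;
    if (link.substring(0, 4) == 'http') {
        // Absolute URL: only the console's own origin may receive the token.
        return isSameOrigin(link, origin);
    }
    if (link.substring(0, 2) == '//') {
        // Protocol-relative URL: likewise restricted to this host.
        return isSameOrigin(link, '//' + location.host);
    }
    return link.substring(0, 1) == '/';
}
function isSameOrigin(link, origin) {
    if (link.indexOf(origin) != 0) {
        return false;
    }
    // The origin must be followed by a path, query or fragment delimiter, not more host text.
    var next = link.charAt(origin.length);
    return next == '' || next == '/' || next == '?' || next == '#';
}
```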


