From kkoli...@apache.org
Subject svn commit: r1393071 - /tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
Date Tue, 02 Oct 2012 18:10:56 GMT
Author: kkolinko
Date: Tue Oct  2 18:10:56 2012
New Revision: 1393071

URL: http://svn.apache.org/viewvc?rev=1393071&view=rev
Log:
Improve session management in CsrfPreventionFilter

Modified:
    tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java

Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1393071&r1=1393070&r2=1393071&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Tue Oct  2 18:10:56
2012
@@ -33,6 +33,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -153,15 +154,19 @@ public class CsrfPreventionFilter extend
                 }
             }
 
-            LruCache<String> nonceCache =
-                (LruCache<String>) req.getSession(true).getAttribute(
-                    Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+            HttpSession session = req.getSession(false);
+
+            @SuppressWarnings("unchecked")
+            LruCache<String> nonceCache = (session == null) ? null
+                    : (LruCache<String>) session.getAttribute(
+                            Constants.CSRF_NONCE_SESSION_ATTR_NAME);
 
             if (!skipNonceCheck) {
                 String previousNonce =
                     req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
 
-                if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+                if (nonceCache == null || previousNonce == null ||
+                        !nonceCache.contains(previousNonce)) {
                     res.sendError(HttpServletResponse.SC_FORBIDDEN);
                     return;
                 }
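Review bot: The reject branch at `res.sendError(HttpServletResponse.SC_FORBIDDEN)` leaves no trace of why a request was refused, and because the cache is now read through `req.getSession(false)`, a request that simply arrives without a session (expired or never created) is refused by the same line as a genuine cross-site request. Operators will see more 403s from this filter after the change with nothing to tell the two cases apart. If the class keeps a juli `Log` instance (the `org.apache.juli.logging.Log` import is visible in the first hunk), a debug-level message just before the `sendError` naming the request URI and which of the three conditions (`nonceCache == null`, `previousNonce == null`, nonce not in cache) failed would make the rejection diagnosable; the nonce value itself should not be written to the log. The enclosing method starts and ends outside this hunk.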
@@ -169,7 +174,10 @@ public class CsrfPreventionFilter extend
 
             if (nonceCache == null) {
                 nonceCache = new LruCache<>(nonceCacheSize);
-                req.getSession().setAttribute(
+                if (session == null) {
+                    session = req.getSession(true);
+                }
+                session.setAttribute(
                         Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
             }
 
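Review bot: The `nonceCache == null` branch is a check-then-act on a session attribute: two requests for the same session that both reach it (which, as far as the hunks show, requires `skipNonceCheck` to be true now that the previous hunk returns 403 otherwise) can each construct an `LruCache` and each call `session.setAttribute`, so the second store discards whatever nonces the first request already handed out and that client's next submit is refused. How often entry points are hit concurrently from one session is not visible here, so this may be acceptable, but it is worth a comment at `nonceCache = new LruCache<>(nonceCacheSize);` such as `// not atomic: concurrent first requests may each create a cache and lose the other's nonces`. If it does matter, the create-and-store would need to happen under a lock on one object shared by both requests, since `HttpSession` offers no atomic put-if-absent. The enclosing method continues outside this hunk.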




