From kkoli...@apache.org
Subject svn commit: r1393088 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/filters/CsrfPreventionFilter.java webapps/docs/changelog.xml
Date Tue, 02 Oct 2012 18:40:23 GMT
Author: kkolinko
Date: Tue Oct  2 18:40:22 2012
New Revision: 1393088

URL: http://svn.apache.org/viewvc?rev=1393088&view=rev
Log:
Merged revision 1393071 from tomcat/trunk:
Improve session management in CsrfPreventionFilter

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1393071

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1393088&r1=1393087&r2=1393088&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Tue Oct
 2 18:40:22 2012
@@ -33,6 +33,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -153,16 +154,19 @@ public class CsrfPreventionFilter extend
                 }
             }
 
+            HttpSession session = req.getSession(false);
+
             @SuppressWarnings("unchecked")
-            LruCache<String> nonceCache =
-                (LruCache<String>) req.getSession(true).getAttribute(
-                    Constants.CSRF_NONCE_SESSION_ATTR_NAME);
-            
+            LruCache<String> nonceCache = (session == null) ? null
+                    : (LruCache<String>) session.getAttribute(
+                            Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
             if (!skipNonceCheck) {
                 String previousNonce =
                     req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
 
-                if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+                if (nonceCache == null || previousNonce == null ||
+                        !nonceCache.contains(previousNonce)) {
                     res.sendError(HttpServletResponse.SC_FORBIDDEN);
                     return;
                 }
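Review bot: The new rejection condition `if (nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce))` silently changes behaviour for a request that arrives with no session, or with a session that has no nonce cache yet (for example the first POST after a session timeout): such a request used to pass and now gets a 403, and nothing in the hunk says this is intended. A short comment above the `if` would keep the next reader from treating it as a regression, e.g. `// No session, no nonce cache or no nonce parameter: the request cannot be tied to a page this filter served, so reject it rather than create a session.` Since the bare 403 is also the only signal an operator gets when a forged request or a stale-session form post is refused, a debug-level log before `res.sendError` recording which of the three conditions fired would make the two cases distinguishable; the file imports org.apache.juli.logging.Log, but no Log field is visible in the hunk, so this is conditional on one existing. The enclosing doFilter method starts and ends outside the hunk.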
@@ -170,7 +174,10 @@ public class CsrfPreventionFilter extend
             
             if (nonceCache == null) {
                 nonceCache = new LruCache<String>(nonceCacheSize);
-                req.getSession().setAttribute(
+                if (session == null) {
+                    session = req.getSession(true);
+                }
+                session.setAttribute(
                         Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
             }
             
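Review bot: The cache creation under `if (nonceCache == null)` is a check-then-act on the session attribute with no synchronization, so two concurrent requests in the same session (both with skipNonceCheck set, since otherwise the preceding hunk has already rejected them) can each build a fresh LruCache, and the second `session.setAttribute(...)` overwrites the first, discarding any nonce the first response has already been issued; the commit narrows when the session is created but does not address this. Whether the window is reachable depends on how concurrently requests for one session are served, which the hunk does not show. If it is, wrapping the null check and the setAttribute call in a block synchronized on the session object, re-reading the attribute inside it, would close the window. The enclosing doFilter method starts and ends outside the hunk.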

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1393088&r1=1393087&r2=1393088&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Oct  2 18:40:22 2012
@@ -53,7 +53,17 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues to not "pop up" wrt. others).
 -->
-<section name="Tomcat 7.0.31 (markt)">
+<section name="Tomcat 7.0.32 (markt)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Improve session management in <code>CsrfPreventionFilter</code>.
+        (kkolinko)
+      </fix>
+    </changelog>
+  </subsection>
+</section>
+<section name="Tomcat 7.0.31 (markt)" rtext="not released">
   <subsection name="Catalina">
     <changelog>
       <update>




