tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1394456 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/catalina/filters/CsrfPreventionFilter.java webapps/docs/changelog.xml
Date Fri, 05 Oct 2012 11:46:30 GMT
Author: markt
Date: Fri Oct  5 11:46:29 2012
New Revision: 1394456

URL: http://svn.apache.org/viewvc?rev=1394456&view=rev
Log:
Improve session management in CsrfPreventionFilter (kkolinko)

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1394456&r1=1394455&r2=1394456&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct  5 11:46:29 2012
@@ -92,11 +92,6 @@ PATCHES PROPOSED TO BACKPORT:
         requires an update to tcnative:
         https://issues.apache.org/bugzilla/show_bug.cgi?id=53969
 
-* Improve session management in CsrfPreventionFilter
-  (Backport of r1393071 from Tomcat 7)
-  http://people.apache.org/~kkolinko/patches/2012-10-03_tc6_CsrfPreventionFilter.patch
-  +1: kkolinko, markt, kfujino
-  -1:
 
 PATCHES/ISSUES THAT ARE STALLED
 

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1394456&r1=1394455&r2=1394456&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Fri Oct
 5 11:46:29 2012
@@ -34,6 +34,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -154,16 +155,19 @@ public class CsrfPreventionFilter extend
                 }
             }
 
+            HttpSession session = req.getSession(false);
+
             @SuppressWarnings("unchecked")
-            LruCache<String> nonceCache =
-                (LruCache<String>) req.getSession(true).getAttribute(
-                    Constants.CSRF_NONCE_SESSION_ATTR_NAME);
-            
+            LruCache<String> nonceCache = (session == null) ? null
+                    : (LruCache<String>) session.getAttribute(
+                            Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
             if (!skipNonceCheck) {
                 String previousNonce =
                     req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
 
-                if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+                if (nonceCache == null || previousNonce == null ||
+                        !nonceCache.contains(previousNonce)) {
                     res.sendError(HttpServletResponse.SC_FORBIDDEN);
                     return;
                 }
@@ -171,7 +175,10 @@ public class CsrfPreventionFilter extend
             
             if (nonceCache == null) {
                 nonceCache = new LruCache<String>(nonceCacheSize);
-                req.getSession().setAttribute(
+                if (session == null) {
+                    session = req.getSession(true);
+                }
+                session.setAttribute(
                         Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
             }
             

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1394456&r1=1394455&r2=1394456&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Oct  5 11:46:29 2012
@@ -214,6 +214,9 @@
         <bug>53830</bug>: Better handling of <code>Manager.randomFile</code>
         default value on Windows. (kkolinko)
       </fix>
+      <fix>
+        Improve session management in CsrfPreventionFilter. (kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message