Posted to dev@tapestry.apache.org by hl...@apache.org on 2008/08/08 19:20:33 UTC

svn commit: r684019 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/corelib/components/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/internal/test/ main/java/org/apache/tapestry5/serv...

Author: hlship
Date: Fri Aug  8 10:20:33 2008
New Revision: 684019

URL: http://svn.apache.org/viewvc?rev=684019&view=rev
Log:
TAPESTRY-2563: Tapestry should reject form submissions that aren't via POST or don't contain t:formdata, as likely hack attempts

Added:
    tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/Form.properties
Modified:
    tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Form.java
    tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestImpl.java
    tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/test/TestableRequestImpl.java
    tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/Request.java
    tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Form.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Form.java?rev=684019&r1=684018&r2=684019&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Form.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Form.java Fri Aug  8 10:20:33 2008
@@ -26,6 +26,7 @@
 import org.apache.tapestry5.internal.services.HeartbeatImpl;
 import org.apache.tapestry5.internal.util.Base64ObjectInputStream;
 import org.apache.tapestry5.ioc.Location;
+import org.apache.tapestry5.ioc.Messages;
 import org.apache.tapestry5.ioc.annotations.Inject;
 import org.apache.tapestry5.ioc.internal.util.InternalUtils;
 import org.apache.tapestry5.ioc.internal.util.TapestryException;
@@ -143,6 +144,9 @@
     @Inject
     private ComponentResources resources;
 
+    @Inject
+    private Messages messages;
+
     @Environmental
     private RenderSupport renderSupport;
 
@@ -367,7 +371,8 @@
     {
         String[] values = request.getParameters(FORM_DATA);
 
-        if (values == null) return;
+        if (!request.getMethod().equals("POST") || values == null)
+            throw new RuntimeException(messages.format("invalid-request", FORM_DATA));
 
         // Due to Ajax (FormInjector) there may be multiple values here, so handle each one individually.
 
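Review bot: The new condition compares with `request.getMethod().equals("POST")`, so a `Request` implementation that returns null for the method produces a NullPointerException instead of the intended rejection; `if (!"POST".equals(request.getMethod()) || values == null)` keeps the same rejection without the null risk. The rejection is thrown as a bare `RuntimeException`, which will be reported like any internal failure rather than as a malformed client request; `TapestryException`, already imported in this file, or a dedicated exception type would let the error pipeline treat the two differently and choose a client-error status. Note also that this check only validates request shape (method and presence of t:formdata) and does not verify where the submission came from, so it should not be described as protection against forged submissions. The enclosing method begins above the hunk.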

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestImpl.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestImpl.java?rev=684019&r1=684018&r2=684019&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestImpl.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestImpl.java Fri Aug  8 10:20:33 2008
@@ -153,6 +153,11 @@
         request.setAttribute(name, value);
     }
 
+    public String getMethod()
+    {
+        return request.getMethod();
+    }
+
     public String getServerName()
     {
         return request.getServerName();

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/test/TestableRequestImpl.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/test/TestableRequestImpl.java?rev=684019&r1=684018&r2=684019&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/test/TestableRequestImpl.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/test/TestableRequestImpl.java Fri Aug  8 10:20:33 2008
@@ -93,7 +93,7 @@
     {
         String value = getParameter(name);
 
-        return value == null ? null : new String[] { value };
+        return value == null ? null : new String[] {value};
     }
 
     public String getPath()
@@ -159,4 +159,12 @@
     {
         return nyi("getServerName");
     }
+
+    /**
+     * Always returns POST, to keep the Form component happy.
+     */
+    public String getMethod()
+    {
+        return "POST";
+    }
 }
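Review bot: Hard-coding `return "POST";` means tests built on this testable request can never reach the new non-POST rejection branch in Form, so that path is only coverable through the integration suite. A small mutator would keep the default while allowing the branch to be exercised: `private String method = "POST";`, `public void setMethod(String method) { this.method = method; }` and `public String getMethod() { return method; }`. The Javadoc should then say the method defaults to POST rather than that it always returns POST.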

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/Request.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/Request.java?rev=684019&r1=684018&r2=684019&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/Request.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/Request.java Fri Aug  8 10:20:33 2008
@@ -145,4 +145,11 @@
      * @param value the <code>Object</code> to be stored, or null to remove the attribute
      */
     void setAttribute(String name, Object value);
+
+    /**
+     * Returns the name of the HTTP method with which this request was made, for example, GET, POST, or PUT.
+     *
+     * @return a string specifying the name of the method with which this request was made
+     */
+    public String getMethod();
 }
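Review bot: The added declaration is written as `public String getMethod();`, but the `public` modifier is redundant on an interface method and the neighbouring `setAttribute` omits it; `String getMethod();` matches the rest of the interface. The Javadoc is clear, though it could state whether the returned name is the container-supplied value as-is (the Form component now compares it against "POST" exactly), e.g. `the method name exactly as reported by the underlying request`.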

Added: tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/Form.properties
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/Form.properties?rev=684019&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/Form.properties (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/Form.properties Fri Aug  8 10:20:33 2008
@@ -0,0 +1,15 @@
+# Copyright 2008 The Apache Software Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+invalid-request=Forms require that the request method be POST and that the %s query parameter have values.

Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=684019&r1=684018&r2=684019&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Fri Aug  8 10:20:33 2008
@@ -1344,7 +1344,7 @@
     {
         start("Disabled Fields");
 
-        String[] paths = new String[]{"//input[@id='textfield']",
+        String[] paths = new String[] {"//input[@id='textfield']",
 
                 "//input[@id='passwordfield']",
 
@@ -2138,4 +2138,15 @@
         assertText("nobody", "false");
         assertText("somebody", "true");
     }
+
+    /**
+     * TAPESTRY-2563
+     */
+    public void form_action_via_get()
+    {
+        open(BASE_URL + "validform.form");
+
+        assertTextPresent(
+                "Forms require that the request method be POST and that the t:formdata query parameter have values.");
+    }
 }
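Review bot: The new test covers only the GET path of the rejection; a POST to the same form with the t:formdata parameter absent is the other branch introduced in Form and is not exercised here. Asserting on the full sentence from Form.properties also ties the test to the exact message wording, so any rewording of `invalid-request` breaks it; matching on a stable fragment such as `"request method be POST"` would make the assertion less brittle. A short comment on the test stating which branch it targets, e.g. `// GET request to a form action must be rejected (TAPESTRY-2563)`, would help when a second test for the missing-parameter case is added.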