Posted to commits@roller.apache.org by gm...@apache.org on 2014/03/16 03:28:56 UTC
svn commit: r1577966 - in /roller/trunk/app/src/main:
java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
resources/org/apache/roller/weblogger/config/roller.properties
Author: gmazza
Date: Sun Mar 16 02:28:56 2014
New Revision: 1577966
URL: http://svn.apache.org/r1577966
Log:
ROL-1992 fix security error for blogroll opml import page.
Modified:
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
Modified: roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
URL: http://svn.apache.org/viewvc/roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java?rev=1577966&r1=1577965&r2=1577966&view=diff
==============================================================================
--- roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java (original)
+++ roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java Sun Mar 16 02:28:56 2014
@@ -47,10 +47,11 @@ public class ValidateSaltFilter implemen
FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpReq = (HttpServletRequest) request;
- // TODO multipart/form-data does not send parameters
+ // note enctype="multipart/form-data" does not send parameters (see ROL-1956)
+ // requests of this type are stored in salt.ignored.urls in roller.properties
if (httpReq.getMethod().equals("POST") &&
!isIgnoredURL(((HttpServletRequest) request).getServletPath())) {
- String salt = (String) httpReq.getParameter("salt");
+ String salt = httpReq.getParameter("salt");
SaltCache saltCache = SaltCache.getInstance();
if (salt == null || saltCache.get(salt) == null
|| saltCache.get(salt).equals(false)) {
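Review bot: The exemption in the `if` condition skips salt validation entirely for every path listed in salt.ignored.urls, so this commit widens the set of POST endpoints that are accepted without a salt rather than fixing the multipart limitation the new comment describes. On typical servlet containers `getParameter` still returns query-string parameters for a multipart/form-data POST, so putting the salt on the form action (`action="bookmarksImport!save.rol?salt=..."`) would let this filter validate multipart submissions as well and the ignore list could shrink; worth confirming against the Struts setup Roller uses. Minor points of style: the cast on the `isIgnoredURL` line is redundant now that `httpReq` exists (`!isIgnoredURL(httpReq.getServletPath())`), and `saltCache.get(salt)` is looked up twice where a single `Object cached = saltCache.get(salt);` would do. The doFilter body continues outside the hunk.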
@@ -64,7 +65,7 @@ public class ValidateSaltFilter implemen
// @Override
public void init(FilterConfig filterConfig) throws ServletException {
- // Construct our list of ignord urls
+ // Construct our list of ignored urls
String urls = WebloggerConfig.getProperty("salt.ignored.urls");
String[] urlsArray = StringUtils.stripAll(StringUtils.split(urls, ","));
for (int i = 0; i < urlsArray.length; i++) {
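Review bot: init() will throw a NullPointerException at `urlsArray.length` when the `salt.ignored.urls` property is absent, because (if this is Commons Lang StringUtils) `split(null, ",")` returns null and `stripAll(null)` passes it through, and the commit's comment fix does not guard this. Defaulting the property keeps the filter from failing at startup: `String urls = StringUtils.defaultString(WebloggerConfig.getProperty("salt.ignored.urls"));`. The for loop runs past the end of the hunk.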
@@ -77,7 +78,7 @@ public class ValidateSaltFilter implemen
}
/**
- * Checks if this is an ignored url.
+ * Checks if this is an ignored url defined in the salt.ignored.urls property
*
* @param theUrl
* the the url
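Review bot: The @param description on the last line of the hunk still reads `the the url`, and the new summary line names the property but not what is compared against it; doFilter passes `getServletPath()`. Suggest `* @param theUrl the servlet path of the current request (HttpServletRequest#getServletPath), checked against the salt.ignored.urls entries`. The method body lies outside the hunk, so the matching rule (exact match versus suffix) is not visible here.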
Modified: roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
URL: http://svn.apache.org/viewvc/roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties?rev=1577966&r1=1577965&r2=1577966&view=diff
==============================================================================
--- roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties (original)
+++ roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties Sun Mar 16 02:28:56 2014
@@ -408,7 +408,7 @@ schemeenforcement.https.urls=/roller_j_s
schemeenforcement.https.ignored=css,gif,png,js
# Ignored urls for salt. These are for multipart/form-data submissions as we do not get any parameters
-salt.ignored.urls=mediaFileAdd!save.rol,mediaFileEdit!save.rol
+salt.ignored.urls=mediaFileAdd!save.rol,mediaFileEdit!save.rol,bookmarksImport!save.rol
#----------------------------------
# Single-Sign-On
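Review bot: Every entry added to `salt.ignored.urls` is a POST endpoint that ValidateSaltFilter skips completely, and the comment above the property does not say so, so future additions will read as a harmless configuration tweak. Suggest expanding the comment to `# Ignored urls for salt. These are multipart/form-data submissions, as request.getParameter() cannot see the salt in the body. WARNING: entries here receive no salt validation at all; keep the list minimal and prefer passing the salt on the query string.` Whether entries are matched exactly or as a suffix of the servlet path is decided in isIgnoredURL, which is not part of this change.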