Posted to scm@geronimo.apache.org by xi...@apache.org on 2012/05/18 11:07:38 UTC

svn commit: r1340038 - /geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java

Author: xiaming
Date: Fri May 18 09:07:37 2012
New Revision: 1340038

URL: http://svn.apache.org/viewvc?rev=1340038&view=rev
Log:
GERONIMO-6348 A workaround for IE specific XSSXSRFFilter issue

Modified:
    geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java

Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=1340038&r1=1340037&r2=1340038&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java Fri May 18 09:07:37 2012
@@ -96,7 +96,7 @@ public class XSRFHandler
         if (hses.isNew() || (uniqueId == null)) {
             // New client session, so create and add our uniqueId
             uniqueId = createSession(hses.getId());
-            hses.setAttribute(XSRF_UNIQUEID, uniqueId);
+            hses.setAttribute(XSRF_UNIQUEID, uniqueId);hreq.getRequestURI();
             log.info("Created session for uid=" + hreq.getRemoteUser() + " with sessionId=" + hses.getId() + ", uniqueId=" + uniqueId);
             return false;
         }
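Review bot: The `hreq.getRequestURI();` appended to the `hses.setAttribute(XSRF_UNIQUEID, uniqueId);` line is an expression statement whose result is discarded, so it has no effect and reads like a leftover from debugging; drop it, or if the request URI is meant to be recorded, assign it and add it to the `log.info` message on the next line. The surrounding `log.info` also writes the session id to the log at info level, which predates this commit but is worth keeping out of routine logs. The enclosing method starts before this hunk and continues past it.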
@@ -134,9 +134,18 @@ public class XSRFHandler
             }
             else if (!reqId.equals(uniqueId)) {
                 // The unique Ids didn't match
-                log.warn("Blocked due to invalid HttpServletRequest parameter.");
+                log.warn("The formId in queryString is not equal to the saved formId in the session.");
                 // TODO - Should we invalidate the session?
-                return true;
+                String useragent = hreq.getHeader("user-agent");
+                if (useragent.indexOf("MSIE") > -1) {
+                    // let pass for IE
+                    log.debug("User client is IE, when reqId!=uniqueId.");
+                    return false;                    
+                } else {
+                    // block other browser
+                    log.debug("User client is " + useragent + ", when reqId!=uniqueId.");
+                    return true;
+                }
             }
             else {
                 // Unique Ids matched, so let the request thru