Posted to scm@geronimo.apache.org by xi...@apache.org on 2012/05/18 11:07:38 UTC
svn commit: r1340038 -
/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
Author: xiaming
Date: Fri May 18 09:07:37 2012
New Revision: 1340038
URL: http://svn.apache.org/viewvc?rev=1340038&view=rev
Log:
GERONIMO-6348 A workaround for IE specific XSSXSRFFilter issue
Modified:
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=1340038&r1=1340037&r2=1340038&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java Fri May 18 09:07:37 2012
@@ -96,7 +96,7 @@ public class XSRFHandler
if (hses.isNew() || (uniqueId == null)) {
// New client session, so create and add our uniqueId
uniqueId = createSession(hses.getId());
- hses.setAttribute(XSRF_UNIQUEID, uniqueId);
+ hses.setAttribute(XSRF_UNIQUEID, uniqueId);hreq.getRequestURI();
log.info("Created session for uid=" + hreq.getRemoteUser() + " with sessionId=" + hses.getId() + ", uniqueId=" + uniqueId);
return false;
}
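Review bot: The `hreq.getRequestURI();` appended to the `+` line after `hses.setAttribute(XSRF_UNIQUEID, uniqueId);` is a bare expression statement whose result is discarded, so it has no effect and reads as a leftover from debugging; the line should be restored to `hses.setAttribute(XSRF_UNIQUEID, uniqueId);` alone. If the request URI was meant to be recorded for the GERONIMO-6348 investigation, it belongs in the `log.info(...)` call on the next line rather than as a stray call. The enclosing method begins and continues outside the hunk.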
@@ -134,9 +134,18 @@ public class XSRFHandler
}
else if (!reqId.equals(uniqueId)) {
// The unique Ids didn't match
- log.warn("Blocked due to invalid HttpServletRequest parameter.");
+ log.warn("The formId in queryString is not equal to the saved formId in the session.");
// TODO - Should we invalidate the session?
- return true;
+ String useragent = hreq.getHeader("user-agent");
+ if (useragent.indexOf("MSIE") > -1) {
+ // let pass for IE
+ log.debug("User client is IE, when reqId!=uniqueId.");
+ return false;
+ } else {
+ // block other browser
+ log.debug("User client is " + useragent + ", when reqId!=uniqueId.");
+ return true;
+ }
}
else {
// Unique Ids matched, so let the request thru
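Review bot: The new branch at `if (useragent.indexOf("MSIE") > -1)` lets a request whose formId does not match the session's saved formId through based on the request's own User-Agent header, which the client chooses, so the mismatch this filter exists to block is no longer enforced for any request that presents an IE-like User-Agent; that is a general weakening of the XSRF check rather than an IE-only workaround, and the IE request that fails the comparison should be diagnosed and fixed instead of exempting the comparison. Separately, `hreq.getHeader("user-agent")` returns null when the header is absent, and `useragent.indexOf(...)` then throws a NullPointerException out of the filter; if the exemption is kept at all it needs `if (useragent != null && useragent.indexOf("MSIE") > -1) {`. The `log.debug` on the else branch also writes the raw header value into the log, so it should be treated as untrusted text there. The enclosing method starts and ends outside the hunk.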