Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/10 15:40:04 UTC

[tomcat] branch 8.5.x updated (9dc00acdd0 -> e7d801b241)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from 9dc00acdd0 Fix copy/paste error
     new 1ab3a2ba85 Clean up - no functional change
     new 1fcc216e2a Allow sub-class to decide if session being null is an issue or not
     new e7d801b241 Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java     | 36 ++++++++++++++--------
 1 file changed, 23 insertions(+), 13 deletions(-)




[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e7d801b2417662c86e567544f41f1e3873eaeafb
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:33:51 2022 +0100

    Refactor calls to getNonceCache() so only called when necessary.
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index fca530d6d6..77c0aa3ae1 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             HttpSession session = req.getSession(false);
 
-            NonceCache<String> nonceCache = getNonceCache(req, session);
+            boolean skipNonceCheck = skipNonceCheck(req);
+            NonceCache<String> nonceCache = null;
 
-            if (!skipNonceCheck(req)) {
+            if (!skipNonceCheck) {
                 String previousNonce = req.getParameter(nonceRequestParameterName);
 
                 if (previousNonce == null) {
@@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if (nonceCache == null) {
+                }
+
+                nonceCache = getNonceCache(req, session);
+                if (nonceCache == null) {
                     if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             }
 
             if (!skipNonceGeneration(req)) {
+                if (skipNonceCheck) {
+                    // Didn't look up nonce cache earlier so look it up now.
+                    nonceCache = getNonceCache(req, session);
+                }
                 if (nonceCache == null) {
                     if (log.isDebugEnabled()) {
                         log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId()));
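Review bot: The re-lookup guarded by `if (skipNonceCheck)` in this hunk depends on an invariant the code does not state: when the nonce check ran and the request was not rejected, `nonceCache` is already non-null (the earlier hunk rejects a null cache with `sendError` and returns), so the only case needing a lookup here is the one where it is still null. `if (nonceCache == null) { nonceCache = getNonceCache(req, session); }` would express that directly, without the extra flag from the first hunk and without relying on the two branches staying in step. If the explicit flag is preferred for readability, the comment should record the invariant, e.g. `// nonceCache is already non-null when the check ran: a null cache was rejected above.` The enclosing doFilter method starts and ends outside the hunk.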




[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 1fcc216e2a87d5223c5e2be1a2ab43a6851242ef
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:14:51 2022 +0100

    Allow sub-class to decide if session being null is an issue or not
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index dee418ca63..fca530d6d6 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             HttpSession session = req.getSession(false);
 
-            NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
+            NonceCache<String> nonceCache = getNonceCache(req, session);
 
             if (!skipNonceCheck(req)) {
                 String previousNonce = req.getParameter(nonceRequestParameterName);
@@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
      *         and/or session
      */
     protected NonceCache<String> getNonceCache(HttpServletRequest request, HttpSession session) {
+        if (session == null) {
+            return null;
+        }
         @SuppressWarnings("unchecked")
         NonceCache<String> nonceCache =
                 (NonceCache<String>) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME);
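Review bot: The Javadoc above getNonceCache (it starts outside the hunk) should state the changed contract: the default implementation now returns `null` for a `null` session, and because the first hunk drops the `(session == null) ? null :` guard at the call site, overriding sub-classes are now invoked with a `null` session where they previously were not, so an override that dereferences `session` unchecked would throw `NullPointerException`. Suggested `@return` text: `@return the nonce cache, or {@code null} if none is available; the default implementation returns {@code null} when {@code session} is {@code null}, sub-classes may override to obtain a cache from elsewhere.` Since a `null` return causes the request to be rejected whenever a nonce check is required, spelling this out keeps the deny behaviour explicit for anyone overriding the method.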




[tomcat] 01/03: Clean up - no functional change

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 1ab3a2ba856bbefc8d3b44263bc3017db5848912
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:13:31 2022 +0100

    Clean up - no functional change
---
 .../catalina/filters/CsrfPreventionFilter.java      | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index bfa65fc99c..dee418ca63 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
 
             if (!skipNonceCheck(req)) {
-                String previousNonce =
-                    req.getParameter(nonceRequestParameterName);
+                String previousNonce = req.getParameter(nonceRequestParameterName);
 
-                if(previousNonce == null) {
-                    if(log.isDebugEnabled()) {
+                if (previousNonce == null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if(nonceCache == null) {
-                    if(log.isDebugEnabled()) {
+                } else if (nonceCache == null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if(!nonceCache.contains(previousNonce)) {
-                    if(log.isDebugEnabled()) {
+                } else if (!nonceCache.contains(previousNonce)) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
                     res.sendError(getDenyStatus());
                     return;
                 }
-                if(log.isTraceEnabled()) {
+                if (log.isTraceEnabled()) {
                     log.trace("Allowing request to " + getRequestedPath(req)
                                + " with valid CSRF nonce " + previousNonce);
                 }
@@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             if (!skipNonceGeneration(req)) {
                 if (nonceCache == null) {
-                    if(log.isDebugEnabled()) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId()));
                     }
 
                     if (session == null) {
-                        if(log.isDebugEnabled()) {
+                        if (log.isDebugEnabled()) {
                              log.debug("Creating new session to store CSRF nonce cache");
                         }
 

