Posted to commits@click.apache.org by me...@apache.org on 2012/09/14 15:32:20 UTC
svn commit: r1384765 -
/click/trunk/click/framework/src/org/apache/click/control/Form.java
Author: medgar
Date: Fri Sep 14 13:32:20 2012
New Revision: 1384765
URL: http://svn.apache.org/viewvc?rev=1384765&view=rev
Log:
improved form security check token
Modified:
click/trunk/click/framework/src/org/apache/click/control/Form.java
Modified: click/trunk/click/framework/src/org/apache/click/control/Form.java
URL: http://svn.apache.org/viewvc/click/trunk/click/framework/src/org/apache/click/control/Form.java?rev=1384765&r1=1384764&r2=1384765&view=diff
==============================================================================
--- click/trunk/click/framework/src/org/apache/click/control/Form.java (original)
+++ click/trunk/click/framework/src/org/apache/click/control/Form.java Fri Sep 14 13:32:20 2012
@@ -23,6 +23,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
+import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -2355,10 +2356,10 @@ public class Form extends AbstractContai
&& request.getMethod().equalsIgnoreCase(getMethod())
&& getName().equals(formName)) {
- Long sessionTime =
- (Long) context.getSessionAttribute(submitTokenName);
+ String submitToken =
+ (String) context.getSessionAttribute(submitTokenName);
- if (sessionTime != null) {
+ if (submitToken != null) {
String value = context.getRequestParameter(submitTokenName);
if (value == null || value.length() == 0) {
// CLK-289. If a session attribute exists for the
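Review bot: The new cast `(String) context.getSessionAttribute(submitTokenName)` throws ClassCastException for any session that still holds the previous Long-typed token, which can happen when sessions outlive the upgrade (persistent or replicated session stores); the old code had the same shape but the stored type did not change under it. Read the attribute as an Object and only accept a String, e.g. `Object stored = context.getSessionAttribute(submitTokenName);` followed by `String submitToken = stored instanceof String ? (String) stored : null;`, so a stale Long is treated as absent and then overwritten by the new token the hunk below writes to the session. The enclosing method starts and ends outside this hunk.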
@@ -2373,8 +2374,7 @@ public class Form extends AbstractContai
+ "Form.onSubmitCheck() will return false.");
isValidSubmit = false;
} else {
- Long formTime = Long.valueOf(value);
- isValidSubmit = formTime.equals(sessionTime);
+ isValidSubmit = submitToken.equals(value);
}
}
}
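Review bot: `isValidSubmit = submitToken.equals(value);` compares the session-held secret against the request parameter with `String.equals`, which stops at the first differing character and so leaks, through response timing, how much of a submitted value matches the token; that mattered little for the old millisecond timestamp but does for the random UUID the next hunk introduces. Compare in constant time instead, e.g. `isValidSubmit = MessageDigest.isEqual(submitToken.getBytes(StandardCharsets.UTF_8), value.getBytes(StandardCharsets.UTF_8));`, adding the `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports next to the new `java.util.UUID` import. Dropping `Long.valueOf(value)` also removes the NumberFormatException path on a malformed parameter, which is a welcome side effect of this change. The enclosing method starts and ends outside this hunk.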
@@ -2382,16 +2382,16 @@ public class Form extends AbstractContai
// CLK-267: check against adding a duplicate field
HiddenField field = (HiddenField) getField(submitTokenName);
if (field == null) {
- field = new NonProcessedHiddenField(submitTokenName, Long.class);
+ field = new NonProcessedHiddenField(submitTokenName, String.class);
add(field);
insertIndexOffset++;
}
// Save state info to form and session
- final Long time = System.currentTimeMillis();
- field.setValueObject(time);
+ final String submitToken = UUID.randomUUID().toString();
+ field.setValueObject(submitToken);
- context.setSessionAttribute(submitTokenName, time);
+ context.setSessionAttribute(submitTokenName, submitToken);
if (isValidSubmit) {
return true;