Posted to commits@click.apache.org by me...@apache.org on 2012/09/14 15:32:20 UTC

svn commit: r1384765 - /click/trunk/click/framework/src/org/apache/click/control/Form.java

Author: medgar
Date: Fri Sep 14 13:32:20 2012
New Revision: 1384765

URL: http://svn.apache.org/viewvc?rev=1384765&view=rev
Log:
improved form security check token

Modified:
    click/trunk/click/framework/src/org/apache/click/control/Form.java

Modified: click/trunk/click/framework/src/org/apache/click/control/Form.java
URL: http://svn.apache.org/viewvc/click/trunk/click/framework/src/org/apache/click/control/Form.java?rev=1384765&r1=1384764&r2=1384765&view=diff
==============================================================================
--- click/trunk/click/framework/src/org/apache/click/control/Form.java (original)
+++ click/trunk/click/framework/src/org/apache/click/control/Form.java Fri Sep 14 13:32:20 2012
@@ -23,6 +23,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.StringTokenizer;
+import java.util.UUID;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -2355,10 +2356,10 @@ public class Form extends AbstractContai
             && request.getMethod().equalsIgnoreCase(getMethod())
             && getName().equals(formName)) {
 
-            Long sessionTime =
-                (Long) context.getSessionAttribute(submitTokenName);
+            String submitToken =
+                (String) context.getSessionAttribute(submitTokenName);
 
-            if (sessionTime != null) {
+            if (submitToken != null) {
                 String value = context.getRequestParameter(submitTokenName);
                 if (value == null || value.length() == 0) {
                     // CLK-289. If a session attribute exists for the
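Review bot: The unchecked cast to `String` on the session read will throw ClassCastException for any session that still holds the `Long` the previous revision stored under the same `submitTokenName`, turning a submit check on a surviving session into an unhandled exception instead of a failed check; whether that can happen depends on whether sessions outlive the deployment (serialized or replicated sessions), which the hunk cannot show. A type-tolerant read keeps the failure mode a failed check: `Object stored = context.getSessionAttribute(submitTokenName);` followed by `String submitToken = stored instanceof String ? (String) stored : null;`. The enclosing method starts before the hunk and continues past it.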
@@ -2373,8 +2374,7 @@ public class Form extends AbstractContai
                         + "Form.onSubmitCheck() will return false.");
                     isValidSubmit = false;
                 } else {
-                    Long formTime = Long.valueOf(value);
-                    isValidSubmit = formTime.equals(sessionTime);
+                    isValidSubmit = submitToken.equals(value);
                 }
             }
         }
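Review bot: `isValidSubmit = submitToken.equals(value);` compares the session secret against request input with `String.equals`, which returns at the first differing character, so the time to reject depends on how long a prefix of the token the request matched; now that the token is a random UUID rather than a timestamp, a length-independent compare is the matching counterpart, e.g. `isValidSubmit = MessageDigest.isEqual(submitToken.getBytes(utf8), value.getBytes(utf8));` with `java.security.MessageDigest` imported and `utf8` a `Charset` constant so no checked encoding exception is introduced. The practical exposure over network latency for a per-render token is small, but the change is one line. The enclosing method starts before the hunk.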
@@ -2382,16 +2382,16 @@ public class Form extends AbstractContai
         // CLK-267: check against adding a duplicate field
         HiddenField field = (HiddenField) getField(submitTokenName);
         if (field == null) {
-            field = new NonProcessedHiddenField(submitTokenName, Long.class);
+            field = new NonProcessedHiddenField(submitTokenName, String.class);
             add(field);
             insertIndexOffset++;
         }
 
         // Save state info to form and session
-        final Long time = System.currentTimeMillis();
-        field.setValueObject(time);
+        final String submitToken = UUID.randomUUID().toString();
+        field.setValueObject(submitToken);
 
-        context.setSessionAttribute(submitTokenName, time);
+        context.setSessionAttribute(submitTokenName, submitToken);
 
         if (isValidSubmit) {
             return true;
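Review bot: The `// Save state info to form and session` comment above `UUID.randomUUID().toString()` no longer explains why the token changed from a millisecond timestamp to a random value, which is the substance of this revision and the first thing a later maintainer will ask; I would extend it to `// Save state info to form and session. The token is a random UUID rather than a timestamp so that it cannot be predicted by a request that did not render this form.` The same comment could record that the session attribute is overwritten on every render, so only the most recently rendered instance of the form passes the check; that behaviour is unchanged from the previous revision but is easy to miss now that the value is opaque. The enclosing method continues past the hunk.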