Posted to dev@struts.apache.org by cr...@apache.org on 2004/07/07 23:12:43 UTC

cvs commit: jakarta-struts/src/share/org/apache/struts/util TokenProcessor.java

craigmcc    2004/07/07 14:12:43

  Modified:    src/share/org/apache/struts/util TokenProcessor.java
  Log:
  Ensure that the tokens returned by TokenProcessor.generateToken() are
  not the same, even if called quickly (within the same session) on a
  fast processor.  A modified version of the submitted patch (thanks!)
  was applied, leveraging David Graham's suggestion to simply keep track
  of the last value that was used so it will not be repeated.
  
  PR: 29943
  Submitted by:	Erik van Oosten
  
  Revision  Changes    Path
  1.7       +19 -18    jakarta-struts/src/share/org/apache/struts/util/TokenProcessor.java
  
  Index: TokenProcessor.java
  ===================================================================
  RCS file: /home/cvs/jakarta-struts/src/share/org/apache/struts/util/TokenProcessor.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- TokenProcessor.java	14 Mar 2004 06:23:51 -0000	1.6
  +++ TokenProcessor.java	7 Jul 2004 21:12:43 -0000	1.7
  @@ -61,6 +61,11 @@
       }
   
       /**
  +     * The timestamp used most recently to generate a token value.
  +     */
  +    private long previous;
  +
  +    /**
        * Return <code>true</code> if there is a transaction token stored in
        * the user's current session, and the value submitted as a request
        * parameter with this action matches it.  Returns <code>false</code>
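Review bot: The Javadoc on the new `previous` field does not say what protects it from concurrent access. In the lines shown it is read and written only inside generateToken(), which this commit makes `synchronized`, so the comment should say so, e.g. `Guarded by this object's monitor; accessed only from generateToken().` Because the field is per-instance, uniqueness presumably also depends on the application sharing a single TokenProcessor, which is not visible in this hunk.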
  @@ -162,19 +167,21 @@
        * 
        * @param request The request we are processing
        */
  -    public String generateToken(HttpServletRequest request) {
  +    public synchronized String generateToken(HttpServletRequest request) {
   
           HttpSession session = request.getSession();
           try {
               byte id[] = session.getId().getBytes();
  -            byte now[] = new Long(System.currentTimeMillis()).toString().getBytes();
  +            long current = System.currentTimeMillis();
  +            if (current == previous) {
  +                current++;
  +            }
  +            previous = current;
  +            byte now[] = new Long(current).toString().getBytes();
               MessageDigest md = MessageDigest.getInstance("MD5");
               md.update(id);
               md.update(now);
  -            return this.toHex(md.digest());
  -
  -        } catch (IllegalStateException e) {
  -            return null;
  +            return toHex(md.digest());
           } catch (NoSuchAlgorithmException e) {
               return null;
           }
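Review bot: The duplicate guard in generateToken() compares only against the immediately preceding value, so a third call within the same millisecond gets the raw clock value again and repeats the first token (T, T+1, then T). The same repeat can happen if the system clock steps backwards. Making the value strictly increasing closes both cases: `if (current <= previous) { current = previous + 1; }`. Separately, the token is an MD5 over the session id and a clock reading, so it adds no entropy beyond the session id. If it is relied on as a request-forgery defence rather than only a double-submit guard, mixing in bytes from `java.security.SecureRandom` would be a safer source. The method's closing brace lies outside this hunk.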
  @@ -186,17 +193,11 @@
        * @param buffer The byte array to be converted
        */
       private String toHex(byte buffer[]) {
  -        StringBuffer sb = new StringBuffer();
  -        String s = null;
  -        
  +        StringBuffer sb = new StringBuffer(buffer.length * 2);
           for (int i = 0; i < buffer.length; i++) {
  -            s = Integer.toHexString((int) buffer[i] & 0xff);
  -            if (s.length() < 2) {
  -                sb.append('0');
  -            }
  -            sb.append(s);
  +            sb.append(Character.forDigit((buffer[i] & 0xf0) >> 4, 16));
  +            sb.append(Character.forDigit(buffer[i] & 0x0f, 16));
           }
  -        
           return sb.toString();
       }
   
  
  
  
