Posted to commits@deltaspike.apache.org by gp...@apache.org on 2015/07/19 17:21:14 UTC
[2/2] deltaspike git commit: DELTASPIKE-960 use maxWindowIdCount for
window-id cookies
DELTASPIKE-960 use maxWindowIdCount for window-id cookies
Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/e0aabe00
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/e0aabe00
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/e0aabe00
Branch: refs/heads/master
Commit: e0aabe00b3578fbe65095b34faf3533689c053c5
Parents: 104df5f
Author: gpetracek <gp...@apache.org>
Authored: Sun Jul 19 15:03:32 2015 +0200
Committer: gpetracek <gp...@apache.org>
Committed: Sun Jul 19 17:18:43 2015 +0200
----------------------------------------------------------------------
.../component/window/WindowIdHtmlRenderer.java | 29 ++++++++++++--------
1 file changed, 17 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/deltaspike/blob/e0aabe00/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
index 7cd2e03..6a2ea7a 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
@@ -63,16 +63,13 @@ public class WindowIdHtmlRenderer extends Renderer
ClientWindowConfig.ClientWindowRenderMode clientWindowRenderMode =
clientWindowConfig.getClientWindowRenderMode(context);
+ boolean delegatedWindowMode =
+ ClientWindowConfig.ClientWindowRenderMode.DELEGATED.equals(clientWindowRenderMode);
+
// don't cut the windowId generated from JSF
- if (!ClientWindowConfig.ClientWindowRenderMode.DELEGATED.equals(clientWindowRenderMode))
+ if (!delegatedWindowMode)
{
- //already ensured by DefaultClientWindow
- //just to ensure that we don't get a security issue in case of a customized client-window implementation
- //will never happen usually -> no real overhead
- if (windowId != null && windowId.length() > this.maxWindowIdCount)
- {
- windowId = windowId.substring(0, this.maxWindowIdCount);
- }
+ windowId = secureWindowId(windowId);
}
ResponseWriter writer = context.getResponseWriter();
@@ -84,14 +81,13 @@ public class WindowIdHtmlRenderer extends Renderer
writer.write("'storeWindowTree':'" + clientWindowConfig.isClientWindowStoreWindowTreeEnabled() + "'");
// see #729
- if (clientWindow.isInitialRedirectSupported(context))
+ if (!delegatedWindowMode && clientWindow.isInitialRedirectSupported(context))
{
Object cookie = ClientWindowHelper.getRequestWindowIdCookie(context, windowId);
if (cookie != null && cookie instanceof Cookie)
{
Cookie servletCookie = (Cookie) cookie;
- writer.write(",'initialRedirectWindowId':'" + servletCookie.getValue() + "'");
-
+ writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue()) + "'");
// expire/remove cookie
servletCookie.setMaxAge(0);
((HttpServletResponse) context.getExternalContext().getResponse()).addCookie(servletCookie);
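Review bot: `secureWindowId(servletCookie.getValue())` on the `initialRedirectWindowId` line only truncates the cookie value, yet a request cookie is client-controlled input that is concatenated straight into a JavaScript string literal, so a value within maxWindowIdCount that contains a single quote or markup is still written verbatim; the same limitation sits in the `secureWindowId` definition in the next hunk, whose comment `//restrict the length to prevent script-injection` promises more than a length check delivers. If generated window ids are alphanumeric (that is not visible here — confirm against the ClientWindow implementation in use), have `secureWindowId` also reject any character outside that alphabet, as sketched below, so the id written to the DOM and the cookie value are validated in one place; whether an invalid id should throw or fall back to a freshly generated one is a design choice the hunk does not settle. The enclosing encode method starts and ends outside this hunk.
```java
protected String secureWindowId(String windowId)
{
    if (windowId == null)
    {
        return null;
    }
    //restrict the length to prevent script-injection
    if (windowId.length() > this.maxWindowIdCount)
    {
        windowId = windowId.substring(0, this.maxWindowIdCount);
    }
    //a length limit alone doesn't stop quotes or markup -> only accept the characters a generated id can contain
    //(alphabet assumed to be letters, digits, '-' and '_' - confirm against the ClientWindow implementation)
    for (int i = 0; i < windowId.length(); i++)
    {
        char c = windowId.charAt(i);
        if (!Character.isLetterOrDigit(c) && c != '-' && c != '_')
        {
            throw new IllegalStateException("invalid window-id");
        }
    }
    return windowId;
}
```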
@@ -103,6 +99,16 @@ public class WindowIdHtmlRenderer extends Renderer
writer.endElement("script");
}
+ protected String secureWindowId(String windowId)
+ {
+ //restrict the length to prevent script-injection
+ if (windowId != null && windowId.length() > this.maxWindowIdCount)
+ {
+ windowId = windowId.substring(0, this.maxWindowIdCount);
+ }
+ return windowId;
+ }
+
private void lazyInit()
{
if (clientWindow == null)
@@ -118,5 +124,4 @@ public class WindowIdHtmlRenderer extends Renderer
}
}
}
-
}