Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/09 19:38:20 UTC
[tomcat] branch 9.0.x updated: BZ 65853 - Add an additional extension point
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 337a202525 BZ 65853 - Add an additional extension point
337a202525 is described below
commit 337a202525177ce21907e0807e89bbcdeb56d888
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon May 9 20:37:52 2022 +0100
BZ 65853 - Add an additional extension point
---
.../catalina/filters/CsrfPreventionFilter.java | 32 +++++++++++++++++-----
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 6e45f3d111..159d8ed318 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -179,16 +179,18 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
nonceCache = createNonceCache(req, session);
}
- String newNonce = generateNonce(req);
+ if (!skipNonceGeneration(req)) {
+ String newNonce = generateNonce(req);
- nonceCache.add(newNonce);
+ nonceCache.add(newNonce);
- // Take this request's nonce and put it into the request
- // attributes so pages can make direct use of it, rather than
- // requiring the use of response.encodeURL.
- request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
+ // Take this request's nonce and put it into the request
+ // attributes so pages can make direct use of it, rather than
+ // requiring the use of response.encodeURL.
+ request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
- wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
+ wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
+ }
} else {
wResponse = response;
}
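Review bot: When `skipNonceGeneration(req)` returns `true`, nothing in the new `if` block assigns `wResponse`, whereas the outer `else` branch just below still sets `wResponse = response`. The declaration of `wResponse` and the later `chain.doFilter(...)` call are outside this hunk, so this is inferred, but if `wResponse` starts out as `null`, a subclass that opts out of generation would pass a null response down the filter chain. Giving the new `if` its own fallback, `} else { wResponse = response; }`, keeps the skip path on the unwrapped response. A short comment there noting that on this path no nonce is cached, no request attribute is set and URLs are not rewritten would help subclass authors judge which requests are safe to exempt.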
@@ -216,6 +218,22 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
}
+ /**
+ * Determines whether a nonce should be created. This method is provided
+ * primarily for the benefit of sub-classes that wish to customise this
+ * behaviour.
+ *
+ * @param request The request that triggered the need to potentially
+ * create the nonce.
+ *
+ * @return {@code true} if a nonce should be created, otherwise
+ * {@code false}
+ */
+ protected boolean skipNonceGeneration(HttpServletRequest request) {
+ return false;
+ }
+
+
/**
* Create a new {@link NonceCache} and store in the {@link HttpSession}.
* This method is provided primarily for the benefit of sub-classes that
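Review bot: The Javadoc on `skipNonceGeneration` states the opposite of what the method does. It says `true` means a nonce should be created, but the call site in the first hunk (`if (!skipNonceGeneration(req))`) generates a nonce only when the method returns `false`, which is also the default. Because this is an extension point of a CSRF filter, a subclass author who follows the Javadoc would skip token generation for the very requests they intended to cover. Suggested wording for the summary: `Determines whether nonce generation should be skipped for this request.` and for the return tag: `@return {@code true} if no nonce should be created for this request, otherwise {@code false}`.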