Posted to commits@wicket.apache.org by da...@apache.org on 2015/07/08 13:00:44 UTC
wicket git commit: WICKET-5944 CSRF prevention does not work with
https URLs on the default port
Repository: wicket
Updated Branches:
refs/heads/master 6ce7cd19d -> bae94e2d3
WICKET-5944 CSRF prevention does not work with https URLs on the default port
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/bae94e2d
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/bae94e2d
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/bae94e2d
Branch: refs/heads/master
Commit: bae94e2d330badee94824a199b834639d10d686f
Parents: 6ce7cd1
Author: Martijn Dashorst <ma...@gmail.com>
Authored: Wed Jul 8 13:01:00 2015 +0200
Committer: Martijn Dashorst <ma...@gmail.com>
Committed: Wed Jul 8 13:01:08 2015 +0200
----------------------------------------------------------------------
.../CsrfPreventionRequestCycleListener.java | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/bae94e2d/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 838863b..73cebee 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -115,7 +115,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
implements
IRequestCycleListener
{
- private static final Logger log = LoggerFactory.getLogger(CsrfPreventionRequestCycleListener.class);
+ private static final Logger log = LoggerFactory
+ .getLogger(CsrfPreventionRequestCycleListener.class);
/**
* The action to perform when a missing or conflicting Origin header is detected.
@@ -162,8 +163,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
private CsrfAction conflictingOriginAction = CsrfAction.ABORT;
/**
- * The error code to report when the action to take for a CSRF request is {@link CsrfAction#ABORT}. Default
- * {@code 400 BAD REQUEST}.
+ * The error code to report when the action to take for a CSRF request is
+ * {@link CsrfAction#ABORT}. Default {@code 400 BAD REQUEST}.
*/
private int errorCode = javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
@@ -516,8 +517,11 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
target.append(host);
int port = originUri.getPort();
- if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) &&
- port != 443)
+ boolean portIsSpecified = port != -1;
+ boolean isAlternateHttpPort = "http".equals(scheme) && port != 80;
+ boolean isAlternateHttpsPort = "https".equals(scheme) && port != 443;
+
+ if (portIsSpecified && (isAlternateHttpPort || isAlternateHttpsPort))
{
target.append(':');
target.append(port);
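Review bot: The corrected condition `if (portIsSpecified && (isAlternateHttpPort || isAlternateHttpsPort))` is not pinned by a regression test, since the diffstat lists only this file. Under the removed expression, an https origin with no explicit port (`getPort()` returning -1) satisfied the `"https".equals(scheme) && port != 443` arm and had `:-1` appended, so it is worth asserting the normalized output for constructed inputs such as `https://example.com`, `https://example.com:443`, `https://example.com:8443` and `http://example.com:80`. Separately, both `equals` checks are case-sensitive, and the assignment of `scheme` is outside this hunk: if it is not lower-cased first, an origin written as `HTTPS://host:8443` would have its non-default port dropped, so confirm that or compare with `equalsIgnoreCase`. A short comment above the three booleans, e.g. `// default ports are omitted from the normalized origin`, would also record why 80 and 443 are special-cased. The enclosing method starts and ends outside the hunk.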
@@ -583,7 +587,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
* @param page
* the page that is targeted with this request
*/
- private void whitelistedHandler(HttpServletRequest request, String origin, IRequestablePage page)
+ private void whitelistedHandler(HttpServletRequest request, String origin,
+ IRequestablePage page)
{
onWhitelisted(request, origin, page);
if (log.isDebugEnabled())
@@ -640,7 +645,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
* @param page
* the page that is targeted with this request
*/
- protected void onMatchingOrigin(HttpServletRequest request, String origin, IRequestablePage page)
+ protected void onMatchingOrigin(HttpServletRequest request, String origin,
+ IRequestablePage page)
{
}