Posted to dev@tomcat.apache.org by ma...@apache.org on 2012/10/05 13:46:30 UTC
svn commit: r1394456 - in /tomcat/tc6.0.x/trunk: STATUS.txt
java/org/apache/catalina/filters/CsrfPreventionFilter.java
webapps/docs/changelog.xml
Author: markt
Date: Fri Oct 5 11:46:29 2012
New Revision: 1394456
URL: http://svn.apache.org/viewvc?rev=1394456&view=rev
Log:
Improve session management in CsrfPreventionFilter (kkolinko)
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1394456&r1=1394455&r2=1394456&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Oct 5 11:46:29 2012
@@ -92,11 +92,6 @@ PATCHES PROPOSED TO BACKPORT:
requires an update to tcnative:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53969
-* Improve session management in CsrfPreventionFilter
- (Backport of r1393071 from Tomcat 7)
- http://people.apache.org/~kkolinko/patches/2012-10-03_tc6_CsrfPreventionFilter.patch
- +1: kkolinko, markt, kfujino
- -1:
PATCHES/ISSUES THAT ARE STALLED
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1394456&r1=1394455&r2=1394456&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Fri Oct 5 11:46:29 2012
@@ -34,6 +34,7 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -154,16 +155,19 @@ public class CsrfPreventionFilter extend
}
}
+ HttpSession session = req.getSession(false);
+
@SuppressWarnings("unchecked")
- LruCache<String> nonceCache =
- (LruCache<String>) req.getSession(true).getAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
-
+ LruCache<String> nonceCache = (session == null) ? null
+ : (LruCache<String>) session.getAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
if (!skipNonceCheck) {
String previousNonce =
req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+ if (nonceCache == null || previousNonce == null ||
+ !nonceCache.contains(previousNonce)) {
res.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
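Review bot: The rejection condition now fires on three different situations — no session, no nonce parameter, nonce not in the cache — and nothing in the hunk records why the first one is a correct 403 rather than a missing-feature fallback; a one-line comment above the `if` would save the next reader from re-deriving it, e.g. `// No session means no nonce was ever issued, so a non-entry-point request cannot be legitimate`. A related consequence worth stating in the filter's Javadoc (not in this hunk) is that switching to `req.getSession(false)` makes a session that expired between pages fail closed with 403 instead of being silently recreated with an empty cache, which appears to be the point of the change. The enclosing `doFilter` starts before and continues after this hunk.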
@@ -171,7 +175,10 @@ public class CsrfPreventionFilter extend
if (nonceCache == null) {
nonceCache = new LruCache<String>(nonceCacheSize);
- req.getSession().setAttribute(
+ if (session == null) {
+ session = req.getSession(true);
+ }
+ session.setAttribute(
Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
}
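Review bot: The null-check-then-store sequence is not atomic: two concurrent requests on the same session that both observe `nonceCache == null` each build their own `LruCache`, and the second `session.setAttribute` silently discards the first, so any nonce the first request already issued is lost and its follow-up request is rejected by the check in the previous hunk. This is a fail-closed race (spurious 403, not a bypass), so the impact is availability on pages that issue parallel requests before the session holds a cache, but it is reproducible rather than theoretical. If the session object is an acceptable monitor here — nothing in the hunk shows whether the project already locks on it — wrapping the null check, the cache construction and the `setAttribute` in a `synchronized (session)` block that re-reads the attribute before creating a new cache would close the window; otherwise the race should at least be documented next to the `if (nonceCache == null)`. `doFilter` continues outside this hunk.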
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1394456&r1=1394455&r2=1394456&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Oct 5 11:46:29 2012
@@ -214,6 +214,9 @@
<bug>53830</bug>: Better handling of <code>Manager.randomFile</code>
default value on Windows. (kkolinko)
</fix>
+ <fix>
+ Improve session management in CsrfPreventionFilter. (kkolinko)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">