Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/10 15:39:38 UTC

[tomcat] branch 9.0.x updated (c832fc6498 -> 1b80418188)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from c832fc6498 Fix copy/paste error
     new a9e8be066c Clean up - no functional change
     new e9413ef1ec Allow sub-class to decide if session being null is an issue or not
     new 1b80418188 Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java     | 36 ++++++++++++++--------
 1 file changed, 23 insertions(+), 13 deletions(-)




[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 1b8041818885d6932d3d48591b28e7f3c1cf0c3a
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:33:51 2022 +0100

    Refactor calls to getNonceCache() so only called when necessary.
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index fca530d6d6..77c0aa3ae1 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             HttpSession session = req.getSession(false);
 
-            NonceCache<String> nonceCache = getNonceCache(req, session);
+            boolean skipNonceCheck = skipNonceCheck(req);
+            NonceCache<String> nonceCache = null;
 
-            if (!skipNonceCheck(req)) {
+            if (!skipNonceCheck) {
                 String previousNonce = req.getParameter(nonceRequestParameterName);
 
                 if (previousNonce == null) {
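Review bot: The new local `boolean skipNonceCheck = skipNonceCheck(req);` shares its name with the method it calls, so `if (!skipNonceCheck)` two lines later and `if (skipNonceCheck)` in the generation branch read like method calls missing their parentheses. A distinct name such as `final boolean nonceCheckSkipped = skipNonceCheck(req);` removes that ambiguity and also makes it obvious that the predicate is now evaluated once per request rather than once per branch. The enclosing `doFilter` body starts before and continues after this hunk.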
@@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if (nonceCache == null) {
+                }
+
+                nonceCache = getNonceCache(req, session);
+                if (nonceCache == null) {
                     if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
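Review bot: The moved lookup `nonceCache = getNonceCache(req, session);` carries no explanation of why it now sits after the missing-parameter check instead of at the top of the method; the reason (a request with no nonce parameter is denied without any cache or session access and, since the previous commit, without invoking a subclass override of `getNonceCache`) lives only in the commit title. A one-line comment would keep that intent next to the code, e.g. `// Deferred until the nonce parameter is known to be present so rejected requests never touch the cache`. The two rejection paths visible here both respond with `getDenyStatus()`, so the reordering should not change what a client observes; the rest of the check branch is outside the hunk.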
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             }
 
             if (!skipNonceGeneration(req)) {
+                if (skipNonceCheck) {
+                    // Didn't look up nonce cache earlier so look it up now.
+                    nonceCache = getNonceCache(req, session);
+                }
                 if (nonceCache == null) {
                     if (log.isDebugEnabled()) {
                         log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId()));
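Review bot: The guard `if (skipNonceCheck)` in front of the second `getNonceCache(req, session)` call relies on an invariant that is not written down: when the nonce check ran, `nonceCache` is non-null at this point only because the null case returned earlier, so the lookup is missing precisely when the check was skipped. A comment such as `// Only the skip-check path reaches here without a cache lookup; the check path rejected a null cache above` would record that, or the condition could be written as `if (nonceCache == null)` so that correctness no longer depends on the earlier branch (the following `if (nonceCache == null)` then remains the creation case as now). The generation branch continues past the end of the hunk.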




[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e9413ef1ece2a6fead21ddbdbecacebf229a541e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:14:51 2022 +0100

    Allow sub-class to decide if session being null is an issue or not
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index dee418ca63..fca530d6d6 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             HttpSession session = req.getSession(false);
 
-            NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
+            NonceCache<String> nonceCache = getNonceCache(req, session);
 
             if (!skipNonceCheck(req)) {
                 String previousNonce = req.getParameter(nonceRequestParameterName);
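Review bot: Dropping the `(session == null) ? null :` guard changes the contract seen by subclasses that override `getNonceCache(HttpServletRequest, HttpSession)`: before this commit an override could rely on a non-null `session`, after it the method is invoked with `null` for any request that has no session. An existing override that dereferences `session` without its own check would now fail with a NullPointerException (an error response) where the old code quietly denied the request, which is worth calling out on a maintenance branch such as 9.0.x. A changelog entry stating that `session` may now be `null` and that overrides must handle it would make the change discoverable. The enclosing `doFilter` body starts before and continues after this hunk.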
@@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
      *         and/or session
      */
     protected NonceCache<String> getNonceCache(HttpServletRequest request, HttpSession session) {
+        if (session == null) {
+            return null;
+        }
         @SuppressWarnings("unchecked")
         NonceCache<String> nonceCache =
                 (NonceCache<String>) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME);
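Review bot: The Javadoc above the method is only partly visible here (the fragment ends `... and/or session`), but nothing in it appears to say that `session` may be null, and the new `if (session == null) return null;` makes null a supported input for which the default implementation deliberately returns no cache. The `@param session` tag should state that, e.g. `@param session the current session, or {@code null} if the request has no session; the default implementation returns {@code null} in that case and overrides may behave differently`. The method body continues past the end of the hunk.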




[tomcat] 01/03: Clean up - no functional change

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit a9e8be066c8a78d65f6ce91ec4d7071fbd80ada8
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:13:31 2022 +0100

    Clean up - no functional change
---
 .../catalina/filters/CsrfPreventionFilter.java      | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index bfa65fc99c..dee418ca63 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
 
             if (!skipNonceCheck(req)) {
-                String previousNonce =
-                    req.getParameter(nonceRequestParameterName);
+                String previousNonce = req.getParameter(nonceRequestParameterName);
 
-                if(previousNonce == null) {
-                    if(log.isDebugEnabled()) {
+                if (previousNonce == null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if(nonceCache == null) {
-                    if(log.isDebugEnabled()) {
+                } else if (nonceCache == null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if(!nonceCache.contains(previousNonce)) {
-                    if(log.isDebugEnabled()) {
+                } else if (!nonceCache.contains(previousNonce)) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
                     res.sendError(getDenyStatus());
                     return;
                 }
-                if(log.isTraceEnabled()) {
+                if (log.isTraceEnabled()) {
                     log.trace("Allowing request to " + getRequestedPath(req)
                                + " with valid CSRF nonce " + previousNonce);
                 }
@@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             if (!skipNonceGeneration(req)) {
                 if (nonceCache == null) {
-                    if(log.isDebugEnabled()) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId()));
                     }
 
                     if (session == null) {
-                        if(log.isDebugEnabled()) {
+                        if (log.isDebugEnabled()) {
                              log.debug("Creating new session to store CSRF nonce cache");
                         }
 

