Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/10 18:10:33 UTC
svn commit: r962865 - in /tomcat/trunk:
java/org/apache/catalina/filters/CsrfPreventionFilter.java
webapps/docs/changelog.xml
Author: markt
Date: Sat Jul 10 16:10:33 2010
New Revision: 962865
URL: http://svn.apache.org/viewvc?rev=962865&view=rev
Log:
Improve CSRF protection filter by using SecureRandom rather than Random
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962865&r1=962864&r2=962865&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:10:33 2010
@@ -18,6 +18,7 @@
package org.apache.catalina.filters;
import java.io.IOException;
+import java.security.SecureRandom;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
@@ -50,7 +51,7 @@ public class CsrfPreventionFilter extend
private static final Log log =
LogFactory.getLog(CsrfPreventionFilter.class);
- private final Random randomSource = new Random();
+ private final Random randomSource = new SecureRandom();
private final Set<String> entryPoints = new HashSet<String>();
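Review bot: The `+` line replaces the initializer but keeps the field's declared type as `Random`, so nothing at the declaration records that a cryptographically strong generator is required, and a later edit could swap the initializer back to `new Random()` without any compile error. Declaring it as `private final SecureRandom randomSource = new SecureRandom();` makes the requirement visible in the type, and if no other use of `java.util.Random` remains in the file that import can go as well; a one-line comment such as `// nonces are security tokens: must come from a CSPRNG, never java.util.Random` would state the why. The nonce-generation method that reads `randomSource` lies outside this hunk, so how many bits are drawn per nonce is not visible here and is worth confirming separately. Also note that the default `SecureRandom` seeds itself lazily on first use and, depending on the JDK's configured seed source, that first call may block on a host with little entropy — a deployment caveat worth a comment rather than a defect in this change.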
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962865&r1=962864&r2=962865&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 16:10:33 2010
@@ -130,6 +130,10 @@
Include session ID in error message logged when trying to set an
attribute on an invalid session. (markt)
</add>
+ <fix>
+ Improve the CSRF protection filter by using SecureRandom rather than
+ Random to generate nonces. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">