Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/10 18:10:33 UTC

svn commit: r962865 - in /tomcat/trunk: java/org/apache/catalina/filters/CsrfPreventionFilter.java webapps/docs/changelog.xml

Author: markt
Date: Sat Jul 10 16:10:33 2010
New Revision: 962865

URL: http://svn.apache.org/viewvc?rev=962865&view=rev
Log:
Improve CSRF protection filter by using SecureRandom rather than Random

Modified:
    tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962865&r1=962864&r2=962865&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:10:33 2010
@@ -18,6 +18,7 @@
 package org.apache.catalina.filters;
 
 import java.io.IOException;
+import java.security.SecureRandom;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -50,7 +51,7 @@ public class CsrfPreventionFilter extend
     private static final Log log =
         LogFactory.getLog(CsrfPreventionFilter.class);
     
-    private final Random randomSource = new Random();
+    private final Random randomSource = new SecureRandom();
 
     private final Set<String> entryPoints = new HashSet<String>();
     
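Review bot: The field on the changed line keeps the declared type `Random`, so nothing in the type system records that a cryptographically strong generator is required here, and a later edit could revert the initializer to `new Random()` without any compiler complaint; declaring it as `private final SecureRandom randomSource = new SecureRandom();` makes the requirement explicit. The reason for the change is also worth a why-comment next to the field, e.g. `// Nonces must be unpredictable to an attacker, so a cryptographically strong generator is used here` — otherwise the commit's rationale lives only in the changelog. Leaving the instance unseeded (as the hunk does) is the right choice, since a manual `setSeed` can only weaken the default seeding. The code that actually generates the nonces from this field is outside the hunk, so I cannot confirm from here that it is the only consumer.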

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962865&r1=962864&r2=962865&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 16:10:33 2010
@@ -130,6 +130,10 @@
         Include session ID in error message logged when trying to set an
         attribute on an invalid session. (markt)
       </add>
+      <fix>
+        Improve the CSRF protection filter by using SecureRandom rather than
+        Random to generate nonces. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


