Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/10 15:34:19 UTC

[tomcat] branch main updated (352a55934b -> d0971c3f07)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from 352a55934b Fix copy/paste error
     new 258162cf4b Clean up - no functional change
     new cc36dd4bb3 Allow sub-class to decide if session being null is an issue or not
     new d0971c3f07 Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java     | 36 ++++++++++++++--------
 1 file changed, 23 insertions(+), 13 deletions(-)




[tomcat] 01/03: Clean up - no functional change

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 258162cf4b8209060e8d85d2e289feeaad4c726a
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:13:31 2022 +0100

    Clean up - no functional change
---
 .../catalina/filters/CsrfPreventionFilter.java      | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 569f583617..fce6a99d96 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
 
             if (!skipNonceCheck(req)) {
-                String previousNonce =
-                    req.getParameter(nonceRequestParameterName);
+                String previousNonce = req.getParameter(nonceRequestParameterName);
 
-                if(previousNonce == null) {
-                    if(log.isDebugEnabled()) {
+                if (previousNonce == null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if(nonceCache == null) {
-                    if(log.isDebugEnabled()) {
+                } else if (nonceCache == null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if(!nonceCache.contains(previousNonce)) {
-                    if(log.isDebugEnabled()) {
+                } else if (!nonceCache.contains(previousNonce)) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
                                   + (null == session ? "(none)" : session.getId())
@@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
                     res.sendError(getDenyStatus());
                     return;
                 }
-                if(log.isTraceEnabled()) {
+                if (log.isTraceEnabled()) {
                     log.trace("Allowing request to " + getRequestedPath(req)
                                + " with valid CSRF nonce " + previousNonce);
                 }
@@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             if (!skipNonceGeneration(req)) {
                 if (nonceCache == null) {
-                    if(log.isDebugEnabled()) {
+                    if (log.isDebugEnabled()) {
                         log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId()));
                     }
 
                     if (session == null) {
-                        if(log.isDebugEnabled()) {
+                        if (log.isDebugEnabled()) {
                              log.debug("Creating new session to store CSRF nonce cache");
                         }
 




[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit d0971c3f0781b37c2f3b3e0092587c69dd4e6fbd
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:33:51 2022 +0100

    Refactor calls to getNonceCache() so only called when necessary.
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 26c0fe3a5c..cde762e76b 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             HttpSession session = req.getSession(false);
 
-            NonceCache<String> nonceCache = getNonceCache(req, session);
+            boolean skipNonceCheck = skipNonceCheck(req);
+            NonceCache<String> nonceCache = null;
 
-            if (!skipNonceCheck(req)) {
+            if (!skipNonceCheck) {
                 String previousNonce = req.getParameter(nonceRequestParameterName);
 
                 if (previousNonce == null) {
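Review bot: `nonceCache` is now initialised to null and assigned in two places (after the previousNonce check in the second hunk, and again in the third hunk under `if (skipNonceCheck)`), so a null value means different things depending on whether the nonce check ran; a comment at the declaration would make the lazy lookup explicit, e.g. `// Looked up lazily: only when the nonce check runs, or when a nonce must be generated.`. In the third hunk the `if (skipNonceCheck)` guard appears equivalent to `if (nonceCache == null)`, since the check path seems to return whenever the lookup yields null, but the flag form keeps the intent readable, so only the comment is suggested. The enclosing method starts and ends outside the hunk.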
@@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
                     res.sendError(getDenyStatus());
                     return;
-                } else if (nonceCache == null) {
+                }
+
+                nonceCache = getNonceCache(req, session);
+                if (nonceCache == null) {
                     if (log.isDebugEnabled()) {
                         log.debug("Rejecting request for " + getRequestedPath(req)
                                   + ", session "
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             }
 
             if (!skipNonceGeneration(req)) {
+                if (skipNonceCheck) {
+                    // Didn't look up nonce cache earlier so look it up now.
+                    nonceCache = getNonceCache(req, session);
+                }
                 if (nonceCache == null) {
                     if (log.isDebugEnabled()) {
                         log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId()));




[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit cc36dd4bb334a86d5624892236e16adab0307900
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 10 16:14:51 2022 +0100

    Allow sub-class to decide if session being null is an issue or not
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index fce6a99d96..26c0fe3a5c 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             HttpSession session = req.getSession(false);
 
-            NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
+            NonceCache<String> nonceCache = getNonceCache(req, session);
 
             if (!skipNonceCheck(req)) {
                 String previousNonce = req.getParameter(nonceRequestParameterName);
@@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
      *         and/or session
      */
     protected NonceCache<String> getNonceCache(HttpServletRequest request, HttpSession session) {
+        if (session == null) {
+            return null;
+        }
         @SuppressWarnings("unchecked")
         NonceCache<String> nonceCache =
                 (NonceCache<String>) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME);
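Review bot: The null guard added at the top of getNonceCache() changes the method's contract, but the Javadoc fragment visible above it ("and/or session") does not say that the session may now be null or that a null return means no cache exists; the @param and @return text should be extended with `@param session the current session, or {@code null} if the request has none` and `@return the nonce cache, or {@code null} if there is no session`. Because the caller in the first hunk now passes a possibly null session into this overridable method, a subclass override written against the old contract (session never null) would hit a NullPointerException where the caller previously skipped the call, so the Javadoc should state that overriders must handle a null session. The Javadoc block and the rest of getNonceCache() lie outside the hunk.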

