This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
 new fb05ad25c3 BZ 65853 - Add an additional extension point
fb05ad25c3 is described below
commit fb05ad25c3d7cb2cf7074c3cfb455f984ac04c16
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon May 9 20:37:52 2022 +0100
 BZ 65853 - Add an additional extension point
---
 .../catalina/filters/CsrfPreventionFilter.java | 32 +++++++++++++++++-----
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 7f0e0dbe86..6a54693856 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -179,16 +179,18 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 nonceCache = createNonceCache(req, session);
 }
- String newNonce = generateNonce(req);
+ if (!skipNonceGeneration(req)) {
+ String newNonce = generateNonce(req);
- nonceCache.add(newNonce);
+ nonceCache.add(newNonce);
- // Take this request's nonce and put it into the request
- // attributes so pages can make direct use of it, rather than
- // requiring the use of response.encodeURL.
- request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
+ // Take this request's nonce and put it into the request
+ // attributes so pages can make direct use of it, rather than
+ // requiring the use of response.encodeURL.
+ request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
- wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
+ wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
+ }
 } else {
 wResponse = response;
 }
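Review bot: When skipNonceGeneration(req) returns true, the new guard leaves wResponse unassigned on the HttpServletRequest path, because it wraps the only assignment `wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);` on that branch and has no else of its own; unless wResponse is initialised to response before this block (its declaration is outside the hunk), whatever consumes it later in the method receives null for exactly the requests a sub-class chose to exempt. An inner else mirroring the outer one closes the gap: after the new closing brace of the if, add `} else { wResponse = response; }`. It would also help to comment on the guard that a skipped request gets neither the CSRF_NONCE_REQUEST_ATTR_NAME attribute nor a wrapped response, so pages rendered for it cannot obtain a nonce; that appears intended but is not stated. The enclosing method starts and ends outside the hunk.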
@@ -216,6 +218,22 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 }
+ /**
+ * Determines whether a nonce should be created. This method is provided
+ * primarily for the benefit of sub-classes that wish to customise this
+ * behaviour.
+ *
+ * @param request The request that triggered the need to potentially
+ * create the nonce.
+ *
+ * @return {@code true} if a nonce should be created, otherwise
+ * {@code false}
+ */
+ protected boolean skipNonceGeneration(HttpServletRequest request) {
+ return false;
+ }
+
+
 /**
 * Create a new {@link NonceCache} and store in the {@link HttpSession}.
 * This method is provided primarily for the benefit of sub-classes that
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
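Review bot: The @return Javadoc on the new skipNonceGeneration method is inverted: it says `{@code true} if a nonce should be created`, but the method name, the default `return false;`, and the caller's `if (!skipNonceGeneration(req))` in the first hunk all mean that true suppresses generation. Suggested replacement: `@return {@code true} if nonce generation should be skipped for this request, otherwise {@code false}`, and the summary sentence could likewise read "Determines whether nonce generation should be skipped for this request." A sub-classer would also benefit from a sentence stating the consequence of returning true, which the first hunk shows: no nonce is added to the cache, the request attribute is not set, and the response is not wrapped, so URLs rendered for that request carry no nonce. The createNonceCache Javadoc that follows the new method is cut off at the end of the hunk.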