https://bz.apache.org/bugzilla/show_bug.cgi?id=65853
--- Comment #16 from Mark Thomas <ma...@apache.org> ---
(In reply to Marvin Fröhlich from comment #15)
> For one there is no need to call getNonceCache(req), if both
> skipNonceCheck(req) and skipNonceGeneration(req) return true. For us it is
> actually malicious, because in these cases a new cache instance is created,
> that hurts later. I suggest to skip the block 166 to 180, if both extension
> points return true.

Do you mean there is no need to call createNonceCache() since that is what
happens in lines 166-180?

I think it is sufficient to make the test at line 166

if (nonceCache == null && !skipNonceGeneration(req))

If skipNonceCheck(req) is false and nonceCache is null the method will have
already exited so there is no need to check it at line 166.

> And much less minor: If skipNonceGeneration(req) is true, wRequest remains
> null and is later passed into chain.doFilter(request, wRequest). It must
> fall back to response in this case.
>
> Maybe it wouldn't hurt to change line 204 like this:
>
> chain.doFilter(request, wResponse != null ? wResponse : response);

Done.
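
The control flow discussed in this comment, as an added example that is not part of the original message and is not Tomcat's source. It assumes a simplified model in which three booleans stand in for skipNonceCheck(req), skipNonceGeneration(req) and whether a nonce cache already exists; the class name, the Outcome record and the "wrapped"/"original" strings are hypothetical.

```java
// Simplified model of the filter flow discussed in this comment (added
// example; not Tomcat's CsrfPreventionFilter source). The boolean inputs
// stand in for skipNonceCheck(req), skipNonceGeneration(req) and whether
// getNonceCache(req) found an existing cache. Needs Java 16+ (records).
public class NonceFlowModel {

    record Outcome(boolean exitedEarly, boolean cacheCreated, String responsePassed) {}

    static Outcome doFilter(boolean skipCheck, boolean skipGeneration, boolean cacheExists) {
        Object nonceCache = cacheExists ? new Object() : null;

        // Per the comment: if the check is not skipped and there is no cache,
        // the method has already exited before the generation block.
        if (!skipCheck && nonceCache == null) {
            return new Outcome(true, false, "none");
        }

        // Guard proposed for line 166: create a cache only when a nonce
        // will actually be generated for this request.
        boolean created = false;
        if (nonceCache == null && !skipGeneration) {
            nonceCache = new Object();
            created = true;
        }
        // The response wrapper is only built when a nonce is generated.
        String wResponse = skipGeneration ? null : "wrapped";

        // Fallback proposed for line 204: never hand null to the chain.
        String passed = (wResponse != null) ? wResponse : "original";
        return new Outcome(false, created, passed);
    }

    public static void main(String[] args) {
        boolean[] tf = {false, true};
        for (boolean skipCheck : tf)
            for (boolean skipGen : tf)
                for (boolean cacheExists : tf) {
                    Outcome o = doFilter(skipCheck, skipGen, cacheExists);
                    // Skipping generation must never create a cache.
                    if (skipGen && o.cacheCreated()) throw new AssertionError("cache created");
                    // The guard is only reached with a null cache when the
                    // check was skipped, so it need not test skipNonceCheck.
                    if (o.cacheCreated() && !skipCheck) throw new AssertionError("unreachable");
                    System.out.printf("skipCheck=%-5b skipGen=%-5b cacheExists=%-5b -> %s%n",
                            skipCheck, skipGen, cacheExists, o);
                }
    }
}
```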