Author: kkolinko
Date: Tue Oct 2 18:40:22 2012
New Revision: 1393088
URL: http://svn.apache.org/viewvc?rev=1393088&view=rev
Log:
Merged revision 1393071 from tomcat/trunk:
Improve session management in CsrfPreventionFilter
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1393071
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1393088&r1=1393087&r2=1393088&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
Tue Oct 2 18:40:22 2012
@@ -33,6 +33,7 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -153,16 +154,19 @@ public class CsrfPreventionFilter extend
}
}
+ HttpSession session = req.getSession(false);
+
@SuppressWarnings("unchecked")
- LruCache<String> nonceCache =
- (LruCache<String>) req.getSession(true).getAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
-
+ LruCache<String> nonceCache = (session == null) ? null
+ : (LruCache<String>) session.getAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
if (!skipNonceCheck) {
String previousNonce =
req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- if (nonceCache != null && !nonceCache.contains(previousNonce))
{
+ if (nonceCache == null || previousNonce == null ||
+ !nonceCache.contains(previousNonce)) {
res.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -170,7 +174,10 @@ public class CsrfPreventionFilter extend
if (nonceCache == null) {
nonceCache = new LruCache<String>(nonceCacheSize);
- req.getSession().setAttribute(
+ if (session == null) {
+ session = req.getSession(true);
+ }
+ session.setAttribute(
Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
}
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1393088&r1=1393087&r2=1393088&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Oct 2 18:40:22 2012
@@ -53,7 +53,17 @@
They eventually become mixed with the numbered issues. (I.e., numbered
issues to not "pop up" wrt. others).
-->
-<section name="Tomcat 7.0.31 (markt)">
+<section name="Tomcat 7.0.32 (markt)">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ Improve session management in <code>CsrfPreventionFilter</code>.
+ (kkolinko)
+ </fix>
+ </changelog>
+ </subsection>
+</section>
+<section name="Tomcat 7.0.31 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<update>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
