|
http://svn.apache.org/viewvc?view=revision&revision=1394456 |
|
--- java/org/apache/catalina/filters/CsrfPreventionFilter.java 2011-11-28 11:22:45.000000000 +0100 |
5 |
+++ java/org/apache/catalina/filters/CsrfPreventionFilter.java.oden 2012-12-31 11:15:30.604179520 +0100 |
6 |
@@ -33,6 +33,7 @@ import javax.servlet.ServletResponse; |
7 |
import javax.servlet.http.HttpServletRequest; |
8 |
import javax.servlet.http.HttpServletResponse; |
9 |
import javax.servlet.http.HttpServletResponseWrapper; |
10 |
+import javax.servlet.http.HttpSession; |
11 |
|
12 |
import org.apache.juli.logging.Log; |
13 |
import org.apache.juli.logging.LogFactory; |
14 |
@@ -153,16 +154,19 @@ public class CsrfPreventionFilter extend |
15 |
} |
16 |
} |
17 |
|
18 |
+ HttpSession session = req.getSession(false); |
19 |
+ |
20 |
@SuppressWarnings("unchecked") |
21 |
- LruCache<String> nonceCache = |
22 |
- (LruCache<String>) req.getSession(true).getAttribute( |
23 |
- Constants.CSRF_NONCE_SESSION_ATTR_NAME); |
24 |
- |
25 |
+ LruCache<String> nonceCache = (session == null) ? null |
26 |
+ : (LruCache<String>) session.getAttribute( |
27 |
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME); |
28 |
+ |
29 |
if (!skipNonceCheck) { |
30 |
String previousNonce = |
31 |
req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM); |
32 |
|
33 |
- if (nonceCache != null && !nonceCache.contains(previousNonce)) { |
34 |
+ if (nonceCache == null || previousNonce == null || |
35 |
+ !nonceCache.contains(previousNonce)) { |
36 |
res.sendError(HttpServletResponse.SC_FORBIDDEN); |
37 |
return; |
38 |
} |
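Review bot: The rejection branch at `res.sendError(HttpServletResponse.SC_FORBIDDEN)` now fires for three distinct reasons (no session, no nonce parameter, nonce not in the cache) but records none of them, so an operator gets no signal from this filter when CSRF checks fail. The class imports `org.apache.juli.logging.Log` and `LogFactory` (context of the first hunk), so assuming it declares a logger field, a debug-level line before the `sendError`, e.g. `if (log.isDebugEnabled()) { log.debug("Rejecting " + req.getRequestURI() + ": CSRF nonce check failed"); }`, would make rejections observable without writing the nonce value itself to the log. The three-way condition also deserves a one-line comment stating the invariant it enforces, e.g. `// A request with no session or no nonce parameter cannot carry a valid nonce; reject it instead of creating a session for it.`. One hedged observation: `session.getAttribute(...)` on a session obtained via `getSession(false)` can throw IllegalStateException if that session is invalidated concurrently, which would surface as a server error rather than the intended 403. The enclosing method starts and ends outside this hunk.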
39 |
@@ -170,7 +174,10 @@ public class CsrfPreventionFilter extend |
40 |
|
41 |
if (nonceCache == null) { |
42 |
nonceCache = new LruCache<String>(nonceCacheSize); |
43 |
- req.getSession().setAttribute( |
44 |
+ if (session == null) { |
45 |
+ session = req.getSession(true); |
46 |
+ } |
47 |
+ session.setAttribute( |
48 |
Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache); |
49 |
} |
50 |
|
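Review bot: The lazy `req.getSession(true)` under `if (session == null)` is, as far as the visible lines show, now the only point where the filter creates a session, and it is reached only after the nonce check has passed or been skipped for an entry point; that ordering is the security-relevant property of this change, yet nothing in the code records it. A comment such as `// Create the session only here, after the nonce check: a request that failed the check must never cause a session to be created.` would keep a later refactor from moving session creation back ahead of the check. The enclosing method continues past both ends of this hunk.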