* Console:

- Store form handler nonces in the servlet session instead of system properties,
    to prevent cross-session interference
This commit is contained in:
zzz
2012-10-20 21:28:17 +00:00
parent 429739837b
commit 68814e31e7
2 changed files with 22 additions and 13 deletions


@ -15,6 +15,14 @@
// Prevents any saves via GET
formhandler.storeMethod(request.getMethod());
// Store the nonces for verification
String klass = getClass().getName();
String nonceAttr1 = klass + ".nonce";
String nonceAttr2 = nonceAttr1 + "Prev";
String nonce1 = (String) session.getAttribute(nonceAttr1);
String nonce2 = (String) session.getAttribute(nonceAttr2);
formhandler.storeNonces(nonce1, nonce2);
// Put all the params in the map, some handlers use this instead of individual setters
// We also call all of the setters below.
formhandler.setSettings(request.getParameterMap());
@ -29,5 +37,7 @@
// This shuffles down the nonces, so it must be after getAllMessages() above,
// since it does the form validation.
String pageNonce = formhandler.getNewNonce();
session.setAttribute(nonceAttr2, nonce1);
session.setAttribute(nonceAttr1, pageNonce);
%>
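Review bot: The nonce rotation is a non-atomic read-modify-write on shared session state: `nonce1` is read from the session at the top of the scriptlet and written back as the "Prev" slot at the end, with nothing in between that would serialize concurrent requests on the same session, so two overlapping page loads in one session can both rotate from the same `nonce1` and the new nonce issued to one of them is silently dropped — a spurious form rejection for the user, not a bypass, but worth documenting since it is the failure mode people will actually hit. The first request in a fresh session also passes `storeNonces(null, null)`, and this page cannot show whether the handler's check treats a null stored nonce as "reject"; that should be confirmed in the handler rather than assumed. I would replace the comment `// Store the nonces for verification` with `// Per-page nonces live in the session (keyed by this page's class name); "Prev" holds the nonce from the previous render so a form rendered one request ago is still accepted. On a fresh session both are null, so validation in the handler must fail closed. Read here, rotated below, without synchronization - concurrent requests in one session can lose a nonce.` The enclosing scriptlet opens before the first hunk, and the lines between the two hunks (including the validation call) are not visible here.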