OF-777: CSRF value must be included in form.

This fixes a bug where the EmailService settings could not be changed through the admin panel. Note that this is introduced in the same version of Openfire (4.1.0) as that will include this commit.

OF-777: CSRF value must be included in form.
This fixes a bug where the EmailService settings could not be changed through the admin panel. Note that this is introduced in the same version of Openfire (4.1.0) as that will include this commit.
1c3e1372 · Guus der Kinderen · 0b0dc85e · 1c3e1372
Unverified Commit 1c3e1372 authored Sep 26, 2016 by Guus der Kinderen
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

system-email.jsp src/web/system-email.jsp +4 -2

No files found.
--- a/src/web/system-email.jsp
+++ b/src/web/system-email.jsp
@@ -39,8 +39,11 @@
    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
    String csrfParam = ParamUtils.getParameter(request, "csrf");
+    Map<String,String> errors = new HashMap<String,String>();
    if (save) {
        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            errors.put("csrf", "CSRF Failure!");
            save = false;
        }
    }
@@ -55,7 +58,6 @@
    EmailService service = EmailService.getInstance();
    // Save the email settings if requested
-    Map<String,String> errors = new HashMap<String,String>();
    if (save) {
        if (host != null) {
            service.setHost(host);
@@ -234,7 +236,7 @@
 		</tr>
 		</table>
 	</div>
+<input type="hidden" name="csrf" value="${csrf}"/>
 <input type="submit" name="save" value="<fmt:message key="system.email.save" />">
 <input type="submit" name="test" value="<fmt:message key="system.email.send_test" />">
 </form>