Commit 8686ad88 authored by Dave Cridland's avatar Dave Cridland Committed by Guus der Kinderen

OF-777 Error message for CSRF failure

parent baf3ce2a
......@@ -832,6 +832,7 @@ global.no=No
global.unlimited=Unlimited
global.test=Test
global.click_test=Click to test...
global.csrf.failed=CSRF Error: No changes made, you'll need to retry.
# Group Chat Service Properties Page
......
......@@ -40,9 +40,11 @@
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
boolean csrfStatus = true;
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
submit = false;
csrfStatus = false;
}
csrfParam = StringUtils.randomString(16);
CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
......@@ -157,6 +159,19 @@
</div>
<br>
<% }%>
<% if (csrfStatus == false) { %>
<div class="jive-error">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr><td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="global.csrf.failed" />
</td></tr>
</tbody>
</table>
</div><br>
<% } %>
<p>
<fmt:message key="client.features.info"/>
</p>
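Review bot: The check at L17 that now sets `csrfStatus = false` is not gated on a submission, unlike the `if (submit || addOther || remove)` and `if (update)` guards in the two later sections, so a plain GET of this page — which carries no `csrf` parameter — would render the `global.csrf.failed` banner added at L27-L38 on every first visit; this only holds if no enclosing guard sits above the hunk, which starts mid-method at L14, so please confirm. Gating it the same way as the other pages, `if (submit && (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam))) {`, keeps the banner for failed submits only. As a point of style, `<% if (csrfStatus == false) { %>` at L27 reads better as `<% if (!csrfStatus) { %>`; the same applies at L61 and L95 in the other sections.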
......
......@@ -78,12 +78,14 @@
boolean remove = request.getParameter("removeClient") != null;
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
boolean csrfStatus = true;
if (submit || addOther || remove) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
submit = false;
addOther = false;
remove = false;
csrfStatus = false;
}
}
csrfParam = StringUtils.randomString(16);
......@@ -252,6 +254,19 @@
</div>
<br>
<% }%>
<% if (csrfStatus == false) { %>
<div class="jive-error">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr><td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="global.csrf.failed" />
</td></tr>
</tbody>
</table>
</div><br>
<% } %>
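Review bot: The new `boolean csrfStatus = true;` at L47 carries no comment, and its meaning (a cookie/parameter double-submit check whose failure both cancels the action and drives the banner at L61) is only recoverable by reading two separate hunks. A one-line comment at the declaration, `// false when a submitted request failed the csrf cookie/parameter match; the action is dropped and a banner is shown`, would make the flag self-explanatory for the next maintainer of this page. The surrounding scriptlet begins before L44, so I cannot tell whether a page-level comment already covers it.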
......
......@@ -63,11 +63,13 @@
Map<String,String> errors = new HashMap<String,String>();
Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
String csrfParam = ParamUtils.getParameter(request, "csrf");
boolean csrfStatus = true;
if (update) {
if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
update = false;
errors.put("csrf", "CSRF Failure!");
errors.put("csrf", "csrf");
csrfStatus = false;
}
}
csrfParam = StringUtils.randomString(16);
......@@ -163,6 +165,22 @@
</td></tr>
</tbody>
</table>
</div><br>
<%
}
else if (csrfStatus == false) {
%>
<div class="jive-error">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr><td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="global.csrf.failed" />
</td></tr>
</tbody>
</table>
</div><br>
<%
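Review bot: The `else if (csrfStatus == false)` branch at L95 looks unreachable: the same failure path at L80-L84 also does `errors.put("csrf", "csrf")`, so if the preceding `if` — whose condition lies above this hunk — renders whenever `errors` is non-empty, that branch always wins and the new banner at L97-L106 never shows; please confirm against the lines just above L89. Either drop the `errors.put` for this case or make L95 a standalone `<% if (!csrfStatus) { %>` so the message is shown independently. The value change at L83 from a readable string to `"csrf"` is also worth a check: if the page prints error map values directly rather than via `fmt:message`, users will see the literal text `csrf`.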
......