DELTASPIKE-960 use maxWindowIdCount for window-id cookies
Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/e0aabe00 Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/e0aabe00 Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/e0aabe00 Branch: refs/heads/master Commit: e0aabe00b3578fbe65095b34faf3533689c053c5 Parents: 104df5f Author: gpetracek <[email protected]> Authored: Sun Jul 19 15:03:32 2015 +0200 Committer: gpetracek <[email protected]> Committed: Sun Jul 19 17:18:43 2015 +0200 ---------------------------------------------------------------------- .../component/window/WindowIdHtmlRenderer.java | 29 ++++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/deltaspike/blob/e0aabe00/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java ----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
index 7cd2e03..6a2ea7a 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
@@ -63,16 +63,13 @@ public class WindowIdHtmlRenderer extends Renderer
 ClientWindowConfig.ClientWindowRenderMode clientWindowRenderMode = clientWindowConfig.getClientWindowRenderMode(context);
+ boolean delegatedWindowMode =
+ ClientWindowConfig.ClientWindowRenderMode.DELEGATED.equals(clientWindowRenderMode);
+
 // don't cut the windowId generated from JSF
- if (!ClientWindowConfig.ClientWindowRenderMode.DELEGATED.equals(clientWindowRenderMode))
+ if (!delegatedWindowMode)
 {
- //already ensured by DefaultClientWindow
- //just to ensure that we don't get a security issue in case of a customized client-window implementation
- //will never happen usually -> no real overhead
- if (windowId != null && windowId.length() > this.maxWindowIdCount)
- {
- windowId = windowId.substring(0, this.maxWindowIdCount);
- }
+ windowId = secureWindowId(windowId);
 }
 ResponseWriter writer = context.getResponseWriter();
@@ -84,14 +81,13 @@ public class WindowIdHtmlRenderer extends Renderer
 writer.write("'storeWindowTree':'" + clientWindowConfig.isClientWindowStoreWindowTreeEnabled() + "'");
 // see #729
- if (clientWindow.isInitialRedirectSupported(context))
+ if (!delegatedWindowMode && clientWindow.isInitialRedirectSupported(context))
 {
 Object cookie = ClientWindowHelper.getRequestWindowIdCookie(context, windowId);
 if (cookie != null && cookie instanceof Cookie)
 {
 Cookie servletCookie = (Cookie) cookie;
- writer.write(",'initialRedirectWindowId':'" + servletCookie.getValue() + "'");
-
+ writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue()) + "'");
 // expire/remove cookie
 servletCookie.setMaxAge(0);
 ((HttpServletResponse) context.getExternalContext().getResponse()).addCookie(servletCookie);
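Review bot: `windowId = secureWindowId(windowId);` only bounds the length to `maxWindowIdCount`; the value is then written verbatim into a single-quoted JavaScript string by the `writer.write(...)` calls, so a short id containing a quote, a backslash or a `</` sequence is not neutralised, and the removed comment's assumption that the id is "already ensured by DefaultClientWindow" no longer covers the second hunk, where the same helper is applied to `servletCookie.getValue()`, a value taken from the request. A length cap is a sensible limit but not an escaping step; the helper should additionally reject ids outside the expected alphabet, e.g. `if (windowId != null && !windowId.matches(WINDOW_ID_PATTERN)) { windowId = null; }` with `WINDOW_ID_PATTERN` standing for the character class the project's window-id generator actually emits (placeholder, not on this page), or the writes should go through a JavaScript-string encoder. The enclosing rendering method starts before this hunk and continues past it.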
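Review bot: With `if (!delegatedWindowMode && clientWindow.isInitialRedirectSupported(context))` the whole block is skipped in DELEGATED mode, including `servletCookie.setMaxAge(0)` and the `addCookie(...)` that expires the initial-redirect cookie, so a request that still carries such a cookie presumably keeps it until its own expiry on this path. If that is intended, a comment would make it explicit, e.g. `// DELEGATED mode: JSF owns the window-id, so the redirect cookie is neither emitted nor expired here`; if not, the cookie removal should stay outside the `delegatedWindowMode` guard. The enclosing method starts before this hunk and continues past it.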
@@ -103,6 +99,16 @@ public class WindowIdHtmlRenderer extends Renderer
 writer.endElement("script");
 }
+ protected String secureWindowId(String windowId)
+ {
+ //restrict the length to prevent script-injection
+ if (windowId != null && windowId.length() > this.maxWindowIdCount)
+ {
+ windowId = windowId.substring(0, this.maxWindowIdCount);
+ }
+ return windowId;
+ }
+
 private void lazyInit()
 {
 if (clientWindow == null)
@@ -118,5 +124,4 @@ public class WindowIdHtmlRenderer extends Renderer
 }
 }
 }
-
 }
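Review bot: The new `protected String secureWindowId(String windowId)` is an overridable extension point but carries no Javadoc, and its only comment, `//restrict the length to prevent script-injection`, claims more than a `substring` can deliver. Suggest a Javadoc stating that the method bounds the id to `maxWindowIdCount` characters, returns `null` unchanged, and that its result is written into a single-quoted JavaScript string so an override must return a value that is safe in that context; and reword the inline comment to `//bound the length - a size limit, not an escaping step`. Where `maxWindowIdCount` is initialised is outside this hunk.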
