Author: gmazza
Date: Sun Mar 16 02:28:56 2014
New Revision: 1577966
URL: http://svn.apache.org/r1577966
Log:
ROL-1992 fix security error for blogroll opml import page.
Modified:
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
Modified:
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
URL:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java?rev=1577966&r1=1577965&r2=1577966&view=diff
==============================================================================
---
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
(original)
+++
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
Sun Mar 16 02:28:56 2014
@@ -47,10 +47,11 @@ public class ValidateSaltFilter implemen
FilterChain chain) throws IOException, ServletException
{
HttpServletRequest httpReq = (HttpServletRequest) request;
- // TODO multipart/form-data does not send parameters
+ // note enctype="multipart/form-data" does not send parameters (see
ROL-1956)
+ // requests of this type are stored in salt.ignored.urls in
roller.properties
if (httpReq.getMethod().equals("POST") &&
!isIgnoredURL(((HttpServletRequest)
request).getServletPath())) {
- String salt = (String) httpReq.getParameter("salt");
+ String salt = httpReq.getParameter("salt");
SaltCache saltCache = SaltCache.getInstance();
if (salt == null || saltCache.get(salt) == null
|| saltCache.get(salt).equals(false)) {
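Review bot: The ignore-list test still re-casts `request` in `!isIgnoredURL(((HttpServletRequest) request).getServletPath())` although `httpReq` was introduced two lines earlier for exactly that purpose; `!isIgnoredURL(httpReq.getServletPath())` would match the cast removal this commit makes on the `salt` line. The cache is also consulted twice in `saltCache.get(salt) == null || saltCache.get(salt).equals(false)`; reading it once into a local of the cache's value type (guarded by the `salt == null` test) keeps the decision based on a single lookup. Since every servlet path on the list skips the salt check entirely, the new comment should say so, e.g. `// URLs listed in salt.ignored.urls bypass this check entirely; add only multipart actions that cannot carry a salt`. The body of doFilter continues outside the hunk.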
@@ -64,7 +65,7 @@ public class ValidateSaltFilter implemen
// @Override
public void init(FilterConfig filterConfig) throws ServletException {
- // Construct our list of ignord urls
+ // Construct our list of ignored urls
String urls = WebloggerConfig.getProperty("salt.ignored.urls");
String[] urlsArray =
StringUtils.stripAll(StringUtils.split(urls, ","));
for (int i = 0; i < urlsArray.length; i++) {
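Review bot: `urlsArray` can be null here: if `WebloggerConfig.getProperty("salt.ignored.urls")` returns null, commons-lang `StringUtils.split(null, ",")` and `StringUtils.stripAll(null)` both return null, and `urlsArray.length` throws NullPointerException during filter init. The default roller.properties in this commit defines the key, so this presumably only bites a deployment that overrides the config without it, but a guard is cheap: `String[] urlsArray = StringUtils.stripAll(StringUtils.split(StringUtils.defaultString(urls), ","));`. The init method continues outside the hunk.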
@@ -77,7 +78,7 @@ public class ValidateSaltFilter implemen
}
/**
- * Checks if this is an ignored url.
+ * Checks if this is an ignored url defined in the salt.ignored.urls
property
*
* @param theUrl
* the the url
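Review bot: The `@param theUrl` line of the Javadoc still reads `the the url`; while touching this comment it could become `@param theUrl the servlet path to test against the configured list`. The isIgnoredURL method itself lies outside the hunk.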
Modified:
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
URL:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties?rev=1577966&r1=1577965&r2=1577966&view=diff
==============================================================================
---
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
(original)
+++
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
Sun Mar 16 02:28:56 2014
@@ -408,7 +408,7 @@ schemeenforcement.https.urls=/roller_j_s
schemeenforcement.https.ignored=css,gif,png,js
# Ignored urls for salt. These are for multipart/form-data submissions as we
do not get any parameters
-salt.ignored.urls=mediaFileAdd!save.rol,mediaFileEdit!save.rol
+salt.ignored.urls=mediaFileAdd!save.rol,mediaFileEdit!save.rol,bookmarksImport!save.rol
#----------------------------------
# Single-Sign-On
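Review bot: Adding `bookmarksImport!save.rol` to `salt.ignored.urls` exempts the OPML import action from the salt validation in ValidateSaltFilter altogether, which is a CSRF-protection trade-off the surrounding comment does not state. The comment should make the consequence explicit, e.g. `# Ignored urls for salt. Actions listed here are NOT salt-checked; add only multipart/form-data actions, whose parameters the filter cannot read`. If the import form can carry the salt in its action URL's query string, `getParameter("salt")` would presumably still see it for a multipart request and the exemption would not be needed; that is worth confirming against the form.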