Kohei Nozaki created ROL-2058:
---------------------------------
Summary: No salt renewal on POST request
Key: ROL-2058
URL: https://issues.apache.org/jira/browse/ROL-2058
Project: Apache Roller
Issue Type: Bug
Components: User Interface - General
Affects Versions: 5.1.1
Environment: WildFly 8.2.0.Final
Reporter: Kohei Nozaki
Assignee: Roller Unassigned
Roller continues using the previous salt value, which was sent from the client
as a POST parameter. This leads to the salt value being fixed in the form
element of the HTML, and unexpectedly causes ServletException("Security
Violation") from ValidateSaltFilter in some use cases (e.g. long-term editing
over 60 minutes).
It seems that the cause is the existence of the
org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method.
This overwrites the salt with the previous value, which was sent by the client
as a POST parameter. It's unnecessary behavior because the new salt value comes
through the preceding invocation of UIAction#setRequest(Map).
Original discussion in the mailing list:
http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
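
The sequence described in the report, as an added example in a simplified model; this is not Roller's code. The class SaltRenewalDemo, its helpers, the 15-minute save interval and the 60-minute salt lifetime (inferred from the "over 60 minutes" case) are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the behaviour in ROL-2058 (hypothetical names, not Roller's classes).
public class SaltRenewalDemo {
    static final long TTL_MIN = 60;   // assumed salt lifetime in minutes
    static final Map<String, Long> cache = new HashMap<>(); // salt -> issue time
    static long now = 0;              // constructed clock, in minutes

    static String issueSalt() {
        String s = UUID.randomUUID().toString();
        cache.put(s, now);
        return s;
    }

    // Stand-in for the validating filter: posted salt must be known and unexpired.
    static boolean valid(String posted) {
        Long issued = cache.get(posted);
        return issued != null && now - issued < TTL_MIN;
    }

    // Stand-in for the action: setRequest supplies a fresh salt, then parameter
    // binding calls setSalt with whatever the client posted.
    static class Action {
        final boolean hasSetter;
        String salt;
        Action(boolean hasSetter) { this.hasSetter = hasSetter; }
        void setRequest(String fresh) { salt = fresh; }
        void setSalt(String posted) { if (hasSetter) salt = posted; } // the overwrite
    }

    // One POST: validate, run the action, return the salt rendered into the next form.
    static String post(String posted, boolean hasSetter) {
        if (!valid(posted)) throw new IllegalStateException("Security Violation");
        Action a = new Action(hasSetter);
        a.setRequest(issueSalt());
        a.setSalt(posted);
        return a.salt;
    }

    // Edit session: load the form, then save every 15 minutes for 75 minutes.
    static boolean survives(boolean hasSetter) {
        now = 0; cache.clear();
        String salt = issueSalt();
        try {
            for (int i = 0; i < 5; i++) { now += 15; salt = post(salt, hasSetter); }
            return true;
        } catch (IllegalStateException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("setter overwrites salt: survives=" + survives(true));
        System.out.println("setter removed:         survives=" + survives(false));
    }
}
```

With the overwrite in place the form keeps re-posting the salt issued at page load, so the session fails once that first salt ages out even though the user saved regularly; without it each response carries the salt issued for that request.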