[
https://issues.apache.org/jira/browse/ROL-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Johnson closed ROL-2058.
------------------------------
5.1.2 released
> No salt renewal on POST request
> -------------------------------
>
> Key: ROL-2058
> URL: https://issues.apache.org/jira/browse/ROL-2058
> Project: Apache Roller
> Issue Type: Bug
> Components: User Interface - General
> Affects Versions: 5.1.1
> Environment: WildFly 8.2.0.Final
> Reporter: Kohei Nozaki
> Assignee: David Johnson
> Fix For: 5.1.2
>
> Attachments: ROL-2058.patch
>
>
> Roller continues using previous salt value which sent from client as POST
> parameter. this leads fixing of salt value in the form element of html, and
> brings ServletException("Security Violation") by ValidateSaltFilter at some
> use cases (e.g. long-term editing over 60 minutes) unexpectedly.
> Seems to that the cause is existence of
> org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method.
> this overwrites salt with previous value which sent by client as POST
> parameter. it's unnecessary behavior because new salt value comes through
> preceding invocation of UIAction#setRequest(Map).
> Original discussion in the mailing list:
> http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
