Repository: struts Updated Branches: refs/heads/master 08e181a4f -> fc6ffba9c
WW-4730 Uses session.getId().intern() to properly lock down session
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/fc6ffba9
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/fc6ffba9
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/fc6ffba9
Branch: refs/heads/master
Commit: fc6ffba9cf08cbd709be89f7df3edc7475567e4e
Parents: 08e181a
Author: Lukasz Lenart <[email protected]>
Authored: Mon Jan 9 11:52:30 2017 +0100
Committer: Lukasz Lenart <[email protected]>
Committed: Mon Jan 9 11:52:30 2017 +0100
----------------------------------------------------------------------
 .../java/org/apache/struts2/interceptor/I18nInterceptor.java | 6 ++++--
 .../java/org/apache/struts2/interceptor/TokenInterceptor.java | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/fc6ffba9/core/src/main/java/org/apache/struts2/interceptor/I18nInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/I18nInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/I18nInterceptor.java
index 4d3bdf0..da7c6b7 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/I18nInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/I18nInterceptor.java
@@ -221,7 +221,8 @@ public class I18nInterceptor extends AbstractInterceptor {
 Map<String, Object> session = invocation.getInvocationContext().getSession();
 if (session != null) {
- synchronized (session) {
+ String sessionId = ServletActionContext.getRequest().getSession().getId();
+ synchronized (sessionId.intern()) {
 session.put(attributeName, locale);
 }
 }
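Review bot: `synchronized (sessionId.intern())` takes its monitor from the JVM-wide string pool rather than from anything owned by the session, so this block shares a lock with any other code in the same JVM that synchronizes on an equal interned string. The same pattern is added in the `@@ -293` hunk and in TokenInterceptor at `@@ -145`. A dedicated lock object created once and kept as a session attribute would scope the monitor to the session itself. If the interned id is kept, a namespaced key such as `synchronized (("struts.session.lock:" + sessionId).intern()) {` (prefix constructed here for illustration) at least avoids colliding with unrelated users of the bare id. The enclosing method starts and ends outside the hunk.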
@@ -293,7 +294,8 @@ public class I18nInterceptor extends AbstractInterceptor {
 Map<String, Object> session = invocation.getInvocationContext().getSession();
 if (session != null) {
- synchronized (session) {
+ String sessionId = ServletActionContext.getRequest().getSession().getId();
+ synchronized (sessionId.intern()) {
 Object sessionLocale = session.get(attributeName);
 if (sessionLocale != null && sessionLocale instanceof Locale) {
 Locale locale = (Locale) sessionLocale;
http://git-wip-us.apache.org/repos/asf/struts/blob/fc6ffba9/core/src/main/java/org/apache/struts2/interceptor/TokenInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/TokenInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/TokenInterceptor.java
index 7307c81..1361671 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/TokenInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/TokenInterceptor.java
@@ -145,7 +145,7 @@ public class TokenInterceptor extends MethodFilterInterceptor {
 //see WW-2902: we need to use the real HttpSession here, as opposed to the map
 //that wraps the session, because a new wrap is created on every request
 HttpSession session = ServletActionContext.getRequest().getSession(true);
- synchronized (session) {
+ synchronized (session.getId().intern()) {
 if (!TokenHelper.validToken()) {
 return handleInvalidToken(invocation);
 }
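Review bot: `ServletActionContext.getRequest().getSession().getId()` uses the no-argument `getSession()`, which creates an HttpSession when the request has none, so this read path can now allocate a session and issue a session cookie where the old code only called `session.get(attributeName)`. Whether the `session != null` check on the map already guarantees an existing HttpSession is not visible in this hunk. If it does not, fetch it with `HttpSession httpSession = ServletActionContext.getRequest().getSession(false);` and skip the synchronized block when that is null. The same call is added in the `@@ -221` hunk, and both would throw a NullPointerException if `getRequest()` returns null outside a servlet request. The enclosing method continues past the end of the hunk.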
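Review bot: The WW-2902 comment above this block explains why the real HttpSession is fetched, but nothing says why the monitor is now the interned session id instead of that object. Suggest adding `// lock on the interned id rather than the HttpSession object, which may not be the same instance on every request`, with the stated reason confirmed against WW-4730 since it is inferred here. The comment matters because this monitor appears to be what stops two concurrent requests carrying the same token from both passing `TokenHelper.validToken()`. The synchronized block is cut off by the end of the hunk.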
