arina-ielchiieva commented on a change in pull request #1864: DRILL-7351: Added 
tokens to Web forms to prevent CSRF attacks
URL: https://github.com/apache/drill/pull/1864#discussion_r330040097
 
 

 ##########
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/util/Utilities.java
 ##########
 @@ -137,4 +141,16 @@ public static JaninoRelMetadataProvider 
registerJaninoRelMetadataProvider() {
     RelMetadataQuery.THREAD_PROVIDERS.set(relMetadataProvider);
     return relMetadataProvider;
   }
+
+  /**
+   * Retrieves the CSRF protection token from the HTTP request
+   *
+   * @param request HTTP request that contains a session that stores a CSRF 
protection token.
+   *                If there is no session, that means that authentication is 
disabled.
+   * @return CSRF protection token, or an empty string if there is no session 
present.
+   */
+  public static String getCsrfTokenFromHttpRequest(HttpServletRequest request) 
{
+    HttpSession session = request.getSession(false);
+    return session == null ? "" : (String) 
session.getAttribute(WebServerConstants.CSRF_TOKEN);
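
Review bot: the return expression in getCsrfTokenFromHttpRequest yields null, not "", when a session exists but has no WebServerConstants.CSRF_TOKEN attribute, while the @return Javadoc describes only the no-session case. Either normalize a missing attribute to the same value as the no-session case or document the null result, so that callers comparing a submitted token do not hit a NullPointerException. The Javadoc should also say that callers must read the "" result as "authentication is disabled" rather than as a token to compare against, since an empty form field would equal it.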
 
 Review comment:
   Please see my comment above about the safety of returning an empty string.
