X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2FGigi.java;h=d584cd0956b3e68446fb0eb37b546ea25be1c035;hb=2cbe88c14309c3a10dab336cb395c3e995d81ec5;hp=4f51029c45b7f2db61441ac9e8b59241783ecc96;hpb=e76545ff41616858934e3ed8894bc1de902a039f;p=gigi.git

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 4f51029c..d584cd09 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -1,7 +1,6 @@
 package org.cacert.gigi;
 
 import java.io.IOException;
-import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.Calendar;
 import java.util.HashMap;
@@ -19,17 +18,19 @@ import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.output.Menu;
 import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
-import org.cacert.gigi.output.Template;
+import org.cacert.gigi.output.Form.CSRFException;
+import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
 import org.cacert.gigi.pages.Page;
 import org.cacert.gigi.pages.TestSecure;
 import org.cacert.gigi.pages.Verify;
 import org.cacert.gigi.pages.account.ChangePasswordPage;
-import org.cacert.gigi.pages.account.MailAdd;
+import org.cacert.gigi.pages.account.MailCertificateAdd;
 import org.cacert.gigi.pages.account.MailCertificates;
 import org.cacert.gigi.pages.account.MailOverview;
 import org.cacert.gigi.pages.account.MyDetails;
+import org.cacert.gigi.pages.error.PageNotFound;
 import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.pages.wot.AssurePage;
 import org.cacert.gigi.util.ServerConstants;
@@ -46,38 +47,36 @@ public class Gigi extends HttpServlet {
 		EmailProvider.init(conf);
 		DatabaseConnection.init(conf);
 	}
+
 	@Override
 	public void init() throws ServletException {
+		pages.put("/error", new PageNotFound());
 		pages.put("/login", new LoginPage("CACert - Login"));
 		pages.put("/", new MainPage("CACert - Home"));
 		pages.put("/secure", new TestSecure());
 		pages.put(Verify.PATH, new Verify());
 		pages.put(AssurePage.PATH + "/*", new AssurePage());
-		pages.put(MailCertificates.PATH, new MailCertificates());
+		pages.put(MailCertificates.PATH + "/*", new MailCertificates());
 		pages.put(MyDetails.PATH, new MyDetails());
 		pages.put(ChangePasswordPage.PATH, new ChangePasswordPage());
 		pages.put(RegisterPage.PATH, new RegisterPage());
-		pages.put(MailOverview.DEFAULT_PATH, new MailOverview(
-				"My email addresses"));
-		pages.put(MailAdd.DEFAULT_PATH, new MailAdd("Add new email"));
-		baseTemplate = new Template(new InputStreamReader(
-				Gigi.class.getResourceAsStream("Gigi.templ")));
-		m = new Menu("Certificates", "cert", new MenuItem(
-				MailOverview.DEFAULT_PATH, "Emails"), new MenuItem("",
-				"Client Certificates"), new MenuItem("", "Domains"),
-				new MenuItem("", "Server Certificates"));
+		pages.put(MailCertificateAdd.PATH, new MailCertificateAdd());
+		pages.put(MailOverview.DEFAULT_PATH, new MailOverview("My email addresses"));
+		baseTemplate = new Template(Gigi.class.getResource("Gigi.templ"));
+		m = new Menu("Certificates", "cert", new MenuItem(MailOverview.DEFAULT_PATH, "Emails"), new MenuItem("",
+			"Client Certificates"), new MenuItem("", "Domains"), new MenuItem("", "Server Certificates"));
 		super.init();
 
 	}
+
 	@Override
-	protected void service(final HttpServletRequest req,
-			final HttpServletResponse resp) throws ServletException,
-			IOException {
+	protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException,
+		IOException {
 		addXSSHeaders(resp);
-		if (req.getHeader("Origin") != null) {
-			resp.getWriter().println("No cross domain access allowed.");
-			return;
-		}
+		// if (req.getHeader("Origin") != null) {
+		// resp.getWriter().println("No cross domain access allowed.");
+		// return;
+		// }
 		HttpSession hs = req.getSession();
 		if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
 			if (hs != null) {
@@ -107,14 +106,19 @@ public class Gigi extends HttpServlet {
 			Outputable content = new Outputable() {
 
 				@Override
-				public void output(PrintWriter out, Language l,
-						Map<String, Object> vars) {
+				public void output(PrintWriter out, Language l, Map<String, Object> vars) {
 					try {
 						if (req.getMethod().equals("POST")) {
 							p.doPost(req, resp);
 						} else {
 							p.doGet(req, resp);
 						}
+					} catch (CSRFException err) {
+						try {
+							resp.sendError(500, "CSRF invalid");
+						} catch (IOException e) {
+							e.printStackTrace();
+						}
 					} catch (IOException e) {
 						e.printStackTrace();
 					}
@@ -132,6 +136,7 @@ public class Gigi extends HttpServlet {
 		}
 
 	}
+
 	private Page getPage(String pathInfo) {
 		if (pathInfo.endsWith("/") && !pathInfo.equals("/")) {
 			pathInfo = pathInfo.substring(0, pathInfo.length() - 1);
@@ -156,32 +161,28 @@ public class Gigi extends HttpServlet {
 	}
 
 	public static void addXSSHeaders(HttpServletResponse hsr) {
-		hsr.addHeader("Access-Control-Allow-Origin", "https://"
-				+ ServerConstants.getWwwHostNamePort() + " https://"
-				+ ServerConstants.getSecureHostNamePort());
+		hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePort() + " https://"
+			+ ServerConstants.getSecureHostNamePort());
 		hsr.addHeader("Access-Control-Max-Age", "60");
 
 		hsr.addHeader("Content-Security-Policy", getDefaultCSP());
 		hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
 
 	}
+
 	private static String defaultCSP = null;
+
 	private static String getDefaultCSP() {
 		if (defaultCSP == null) {
 			StringBuffer csp = new StringBuffer();
 			csp.append("default-src 'none';");
-			csp.append("font-src https://"
-					+ ServerConstants.getStaticHostNamePort());
-			csp.append(";img-src https://"
-					+ ServerConstants.getStaticHostNamePort());
+			csp.append("font-src https://" + ServerConstants.getStaticHostNamePort());
+			csp.append(";img-src https://" + ServerConstants.getStaticHostNamePort());
 			csp.append(";media-src 'none'; object-src 'none';");
-			csp.append("script-src https://"
-					+ ServerConstants.getStaticHostNamePort());
-			csp.append(";style-src https://"
-					+ ServerConstants.getStaticHostNamePort());
-			csp.append(";form-action https://"
-					+ ServerConstants.getSecureHostNamePort() + " https://"
-					+ ServerConstants.getWwwHostNamePort());
+			csp.append("script-src https://" + ServerConstants.getStaticHostNamePort());
+			csp.append(";style-src https://" + ServerConstants.getStaticHostNamePort());
+			csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://"
+				+ ServerConstants.getWwwHostNamePort());
 			csp.append("report-url https://api.cacert.org/security/csp/report");
 			defaultCSP = csp.toString();
 		}