X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Foutput%2FForm.java;h=11209ca51146769f15ec27654556db9343a80260;hb=02bd4aa9865e7a57c805ea11802729016d08ad49;hp=d321fc31238f76c151c4aae5cc74991ce9c1e051;hpb=2824d1c165c501e2f3a8809044788b33b81f478a;p=gigi.git
diff --git a/src/org/cacert/gigi/output/Form.java b/src/org/cacert/gigi/output/Form.java
index d321fc31..11209ca5 100644
--- a/src/org/cacert/gigi/output/Form.java
+++ b/src/org/cacert/gigi/output/Form.java
@@ -5,6 +5,7 @@ import java.util.Map;
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import org.cacert.gigi.Language;
 import org.cacert.gigi.pages.Page;
@@ -13,8 +14,11 @@ import org.cacert.gigi.util.RandomToken;
 public abstract class Form implements Outputable {
 String csrf;
- public Form() {
+ public Form(HttpServletRequest hsr) {
 csrf = RandomToken.generateToken(32);
+ HttpSession hs = hsr.getSession();
+ hs.setAttribute("form/" + getClass().getName() + "/" + csrf, this);
+
 }
 public abstract boolean submit(PrintWriter out, HttpServletRequest req);
@@ -23,7 +27,7 @@ public abstract class Form implements Outputable {
 public final void output(PrintWriter out, Language l, Map vars) {
 out.println("
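Review bot: The constructor registers `this` in the session under `"form/" + getClass().getName() + "/" + csrf`, but nothing in this commit ever removes that attribute, so every rendered form stays pinned in the session until it expires and its token stays valid for repeated submits; the getForm hunk further down reads the attribute without removing it either. Each page render therefore adds one more Form object to the session, so server memory grows with request volume for a single session. Consider a `hs.removeAttribute(...)` once the form has been consumed (in getForm, or after a successful submit if the same instance is re-rendered on validation failure) and a cap on outstanding forms per session. The stray blank `+` line before the constructor's closing brace looks like an artefact and can be dropped.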
"); outputContent(out, l, vars); - out.print("
"); } @@ -46,7 +50,23 @@ public abstract class Form implements Outputable { } } - public class CSRFError extends Error { + public static T getForm(HttpServletRequest req, Class target) { + String csrf = req.getParameter("csrf"); + if (csrf == null) { + throw new CSRFError(); + } + HttpSession hs = req.getSession(); + if (hs == null) { + throw new CSRFError(); + } + Form f = (Form) hs.getAttribute("form/" + target.getName() + "/" + csrf); + if (f == null) { + throw new CSRFError(); + } + return (T) f; + } + + public static class CSRFError extends Error { } }