Enforce POST requests to only contain POST data.
[gigi.git] / src / org / cacert / gigi / Gigi.java
index 447e808a84fedebe57246d5cbe176a9619ab831a..9d1bb1b9afb4b84f56bae564ec02e7dc3fa47721 100644 (file)
@@ -18,7 +18,7 @@ import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.output.Menu;
 import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
-import org.cacert.gigi.output.Form.CSRFError;
+import org.cacert.gigi.output.Form.CSRFException;
 import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
@@ -109,18 +109,21 @@ public class Gigi extends HttpServlet {
                                public void output(PrintWriter out, Language l, Map<String, Object> vars) {
                                        try {
                                                if (req.getMethod().equals("POST")) {
+                                                       if (req.getQueryString() != null) {
+                                                               return;
+                                                       }
                                                        p.doPost(req, resp);
                                                } else {
                                                        p.doGet(req, resp);
                                                }
-                                       } catch (IOException e) {
-                                               e.printStackTrace();
-                                       } catch (CSRFError err) {
+                                       } catch (CSRFException err) {
                                                try {
                                                        resp.sendError(500, "CSRF invalid");
                                                } catch (IOException e) {
                                                        e.printStackTrace();
                                                }
+                                       } catch (IOException e) {
+                                               e.printStackTrace();
                                        }
 
                                }
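Review bot: The new `if (req.getQueryString() != null) { return; }` guard drops the POST silently: nothing is logged and no error status is set, so the client cannot tell the request was rejected and operators get no trace of such requests. Answer it explicitly instead, for example `resp.sendError(400, "POST must not carry a query string"); return;`, which the existing `catch (IOException e)` already covers, and log the request path. Because this check runs inside `output(...)`, the response may already be partly written when it fires (the surrounding template code is outside the hunk, so this is an inference); doing the check before rendering starts would keep the status code reliable. Separately, the CSRF branch still reports `500`, although a client-side rejection such as `403` would describe the failure more accurately and keep it out of server-error alerting.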