Enforce Output of CSRF token.
index 9a27127c65e1c82b69f7ebb1e0103e76f3707b70..b86b6dcb7ea62d5f9301ee87b177eb2b3aa58339 100644 (file)
@@ -1,14 +1,34 @@
 package org.cacert.gigi.output;
 
 import java.io.PrintWriter;
+import java.util.Map;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 
+import org.cacert.gigi.Language;
 import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.RandomToken;
 
 public abstract class Form implements Outputable {
+       String csrf;
+       public Form() {
+               csrf = RandomToken.generateToken(32);
+       }
+
        public abstract boolean submit(PrintWriter out, HttpServletRequest req);
+       @Override
+       public final void output(PrintWriter out, Language l,
+                       Map<String, Object> vars) {
+               out.println("<form method='POST' autocomplete='off'>");
+               outputContent(out, l, vars);
+               out.println("<input type='csrf' value='");
+               out.print(getCSRFToken());
+               out.println("'></form>");
+       }
+
+       public abstract void outputContent(PrintWriter out, Language l,
+                       Map<String, Object> vars);
 
        protected void outputError(PrintWriter out, ServletRequest req, String text) {
                out.print("<div>");
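Review bot: The token field emitted at `<input type='csrf' value='...'>` has no `name` attribute, so no browser will include it in the POST body, and `csrf` is not a valid input type, so browsers fall back to rendering a visible text box containing the token. Whatever check `submit()` performs (its body is not in this hunk) can therefore never receive the value it is supposed to compare; the line should read `out.println("<input type='hidden' name='csrf' value='");`. The token is generated per Form instance with `RandomToken.generateToken(32)`; that only defends against CSRF if the generator is cryptographically secure and the same value is bound to the user's session and verified on submit, neither of which is visible here, so worth confirming. Since `csrf` is assigned only in the constructor, declaring it `private final String csrf;` would make that intent explicit and keep subclasses from overwriting it.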
@@ -16,4 +36,8 @@ public abstract class Form implements Outputable {
                out.println("</div>");
        }
 
+       public String getCSRFToken() {
+               return csrf;
+       }
+
 }