Fix test for csrf.
authorFelix Dörre <felix@dogcraft.de>
Wed, 9 Jul 2014 23:21:07 +0000 (01:21 +0200)
committerFelix Dörre <felix@dogcraft.de>
Thu, 10 Jul 2014 22:35:16 +0000 (00:35 +0200)
src/org/cacert/gigi/Gigi.java
src/org/cacert/gigi/output/Form.java
src/org/cacert/gigi/pages/main/RegisterPage.java
tests/org/cacert/gigi/testUtils/ManagedTest.java

index a0f8671a190f220d3ce6e780eae52998ad1b9f26..c49cdcbbe673a92888321b8ff94d300773115e12 100644 (file)
@@ -20,6 +20,7 @@ import org.cacert.gigi.output.Menu;
 import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
 import org.cacert.gigi.output.Template;
+import org.cacert.gigi.output.Form.CSRFError;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
 import org.cacert.gigi.pages.Page;
@@ -113,6 +114,12 @@ public class Gigi extends HttpServlet {
                                                }
                                        } catch (IOException e) {
                                                e.printStackTrace();
+                                       } catch (CSRFError err) {
+                                               try {
+                                                       resp.sendError(500, "CSRF invalid");
+                                               } catch (IOException e) {
+                                                       e.printStackTrace();
+                                               }
                                        }
 
                                }
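Review bot: `resp.sendError(500, "CSRF invalid")` reports a rejected CSRF token as a server failure, but a missing or stale token is a client-side condition and belongs in the 4xx range, `resp.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF invalid");`, which also keeps 5xx monitoring from treating every rejected form post as an outage. Nothing is recorded on the server when the check fails, so there is no trace of CSRF rejections; a log line in this catch block with the request path and session id (never the token value itself) would give a defender that signal. `sendError` additionally throws `IllegalStateException` when the response is already committed, which the inner `catch (IOException e)` does not cover; how much of the response has been written before the form is looked up is not visible here. The enclosing method begins outside the hunk.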
index 16440cc3213e8a64ec306c568f38d4d2a4342ab1..11209ca51146769f15ec27654556db9343a80260 100644 (file)
@@ -60,6 +60,9 @@ public abstract class Form implements Outputable {
                        throw new CSRFError();
                }
                Form f = (Form) hs.getAttribute("form/" + target.getName() + "/" + csrf);
+               if (f == null) {
+                       throw new CSRFError();
+               }
                return (T) f;
        }
 
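Review bot: The method now throws `CSRFError` from two places, but neither this hunk nor the caller states the contract; a Javadoc `@throws CSRFError if the request carries no csrf parameter or the token does not resolve to a Form stored in the session` on the method (its signature is outside the hunk) would make the new `f == null` branch self-explanatory. Because the client-supplied `csrf` value forms part of the session-attribute key, the check is only as strong as the token is unguessable and as tightly as the stored form is bound to this session; token generation is not visible here and should be confirmed where the attribute is set. The unchecked `(T) f` cast is untouched by the commit but still deserves the narrowest `@SuppressWarnings("unchecked")` with a comment saying why it is safe.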
index b80429fb72ff753c89a782172fb08c3c803f0dc4..e243c2875f92e826ac4ed21acb5adbaabed894b7 100644 (file)
@@ -22,10 +22,14 @@ public class RegisterPage extends Page {
 
        @Override
        public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+               Signup s = new Signup(req);
+               outputGet(req, resp, s);
+       }
+
+       private void outputGet(HttpServletRequest req, HttpServletResponse resp, Signup s) throws IOException {
                PrintWriter out = resp.getWriter();
                HashMap<String, Object> vars = new HashMap<String, Object>();
                getDefaultTemplate().output(out, getLanguage(req), vars);
-               Signup s = new Signup(req);
                s.output(out, getLanguage(req), vars);
        }
 
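Review bot: `outputGet` evaluates `getLanguage(req)` twice for the same request, once for the template and once for the form; store the result in a local before the two `output` calls so both renderings are guaranteed to use the same language. The `vars` map is declared by its implementation type, `HashMap<String, Object> vars = new HashMap<String, Object>();`; declaring it as `Map<String, Object>` (with the diamond if the project targets Java 7) matches the usual program-to-interface style. The extracted helper also has no comment explaining why it exists; `// Renders the register page around the given Signup form; shared by doGet and the failed-validation path of doPost.` would record the intent the second hunk relies on.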
@@ -45,7 +49,7 @@ public class RegisterPage extends Page {
                        return;
                }
 
-               super.doPost(req, resp);
+               outputGet(req, resp, s);
        }
 
        @Override
index 880f600631fa7a77c2b976d23bdfd5ae8039126f..2d6631ef0312349e25c26753f4d390bfe75cae4e 100644 (file)
@@ -151,10 +151,17 @@ public class ManagedTest {
        }
 
        public String runRegister(String param) throws IOException {
-               HttpURLConnection uc = (HttpURLConnection) new URL("https://" + getServerName() + registerService)
-                       .openConnection();
+               URL regist = new URL("https://" + getServerName() + registerService);
+               HttpURLConnection uc = (HttpURLConnection) regist.openConnection();
+               HttpURLConnection csrfConn = (HttpURLConnection) regist.openConnection();
+
+               String headerField = csrfConn.getHeaderField("Set-Cookie");
+               headerField = headerField.substring(0, headerField.indexOf(';'));
+
+               String csrf = getCSRF(csrfConn);
+               uc.addRequestProperty("Cookie", headerField);
                uc.setDoOutput(true);
-               uc.getOutputStream().write(param.getBytes());
+               uc.getOutputStream().write((param + "&csrf=" + csrf).getBytes());
                String d = IOUtils.readURL(uc);
                return d;
        }
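Review bot: `headerField.substring(0, headerField.indexOf(';'))` assumes a `Set-Cookie` header is present and contains a `;`; if the server sends no cookie the test dies with a NullPointerException, and a cookie without attributes makes `indexOf` return -1 and `substring` throw StringIndexOutOfBoundsException, neither of which points at the actual cause. Guard both cases and fail with a message, as below. `getBytes()` with no charset also encodes `param` in the platform default, so a registration test with non-ASCII input depends on the JVM's locale; `getBytes("UTF-8")` pins it (the method already declares `IOException`, which covers `UnsupportedEncodingException`). Note too that `getHeaderField("Set-Cookie")` returns only one value if the server sets several cookies; whether that is the session cookie is not visible here.
```java
String headerField = csrfConn.getHeaderField("Set-Cookie");
if (headerField == null) {
    throw new Error("No Set-Cookie header on CSRF fetch");
}
int semi = headerField.indexOf(';');
String sessionCookie = semi < 0 ? headerField : headerField.substring(0, semi);
// … unchanged: String csrf = getCSRF(csrfConn); …
uc.addRequestProperty("Cookie", sessionCookie);
// … unchanged: uc.setDoOutput(true); …
uc.getOutputStream().write((param + "&csrf=" + csrf).getBytes("UTF-8"));
```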
@@ -261,10 +268,10 @@ public class ManagedTest {
 
        public String getCSRF(URLConnection u) throws IOException {
                String content = IOUtils.readURL(u);
-               Pattern p = Pattern.compile("<input type='csrf' value='([^']+)'>");
+               Pattern p = Pattern.compile("<input type='hidden' name='csrf' value='([^']+)'>");
                Matcher m = p.matcher(content);
                if (!m.find()) {
-                       throw new Error("New CSRF Token");
+                       throw new Error("No CSRF Token");
                }
                return m.group(1);
        }
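Review bot: `throw new Error("No CSRF Token")` uses `java.lang.Error`, which is reserved for JVM-level failures; since this is a test helper signalling that the fixture page did not contain the expected field, `throw new AssertionError("No CSRF Token");` reads as the test failure it is and is caught by the same harnesses. The `Pattern` is also recompiled on every call; as the regex is a constant it can be hoisted to a `private static final Pattern CSRF_INPUT` field, which is the conventional place for it. The markup it matches is tightly coupled to attribute order and single quotes in the template, so a one-line comment naming the template that emits `<input type='hidden' name='csrf' …>` would help whoever changes either side.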