import org.cacert.gigi.output.MenuItem;
import org.cacert.gigi.output.Outputable;
import org.cacert.gigi.output.Template;
+import org.cacert.gigi.output.Form.CSRFError;
import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.MainPage;
import org.cacert.gigi.pages.Page;
}
} catch (IOException e) {
e.printStackTrace();
+ } catch (CSRFError err) {
+ try {
+ resp.sendError(500, "CSRF invalid");
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
}
}
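Review bot: A failed CSRF check is answered with `resp.sendError(500, "CSRF invalid")`, which reports a server fault for what is a rejection of the client's request; 403 is the conventional status, `resp.sendError(403, "CSRF invalid");`. The caught `err` is also discarded without being logged, so a burst of rejections (forged tokens, or forms expiring out of the session) leaves no trace for anyone investigating. The enclosing method begins before this hunk.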
throw new CSRFError();
}
Form f = (Form) hs.getAttribute("form/" + target.getName() + "/" + csrf);
+ if (f == null) {
+ throw new CSRFError();
+ }
return (T) f;
}
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ Signup s = new Signup(req);
+ outputGet(req, resp, s);
+ }
+
+ private void outputGet(HttpServletRequest req, HttpServletResponse resp, Signup s) throws IOException {
PrintWriter out = resp.getWriter();
HashMap<String, Object> vars = new HashMap<String, Object>();
getDefaultTemplate().output(out, getLanguage(req), vars);
- Signup s = new Signup(req);
s.output(out, getLanguage(req), vars);
}
return;
}
- super.doPost(req, resp);
+ outputGet(req, resp, s);
}
@Override
}
public String runRegister(String param) throws IOException {
- HttpURLConnection uc = (HttpURLConnection) new URL("https://" + getServerName() + registerService)
- .openConnection();
+ URL regist = new URL("https://" + getServerName() + registerService);
+ HttpURLConnection uc = (HttpURLConnection) regist.openConnection();
+ HttpURLConnection csrfConn = (HttpURLConnection) regist.openConnection();
+
+ String headerField = csrfConn.getHeaderField("Set-Cookie");
+ headerField = headerField.substring(0, headerField.indexOf(';'));
+
+ String csrf = getCSRF(csrfConn);
+ uc.addRequestProperty("Cookie", headerField);
uc.setDoOutput(true);
- uc.getOutputStream().write(param.getBytes());
+ uc.getOutputStream().write((param + "&csrf=" + csrf).getBytes());
String d = IOUtils.readURL(uc);
return d;
}
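Review bot: `csrfConn.getHeaderField("Set-Cookie")` is dereferenced without a null check, so a register page that sets no cookie fails with a NullPointerException rather than a readable message, and `headerField.indexOf(';')` returns -1 when the cookie carries no attributes, which makes the following `substring` call throw. Only the first Set-Cookie header is forwarded; if the server sets more than one, the cookie sent back may not be the session the CSRF form was bound to, so `getHeaderFields()` would be the safer source. `param.getBytes()` also encodes with the platform charset, which can corrupt the form body on a non-UTF-8 JVM. The guard and the charset take a few lines:
```java
String headerField = csrfConn.getHeaderField("Set-Cookie");
if (headerField == null) {
    throw new Error("No session cookie from " + regist);
}
int attrStart = headerField.indexOf(';');
if (attrStart >= 0) {
    headerField = headerField.substring(0, attrStart);
}
// … unchanged: getCSRF(csrfConn), Cookie header, setDoOutput …
uc.getOutputStream().write((param + "&csrf=" + csrf).getBytes("UTF-8"));
```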
public String getCSRF(URLConnection u) throws IOException {
String content = IOUtils.readURL(u);
- Pattern p = Pattern.compile("<input type='csrf' value='([^']+)'>");
+ Pattern p = Pattern.compile("<input type='hidden' name='csrf' value='([^']+)'>");
Matcher m = p.matcher(content);
if (!m.find()) {
- throw new Error("New CSRF Token");
+ throw new Error("No CSRF Token");
}
return m.group(1);
}