Convert CSRF-Problems to Exceptions.
authorFelix Dörre <felix@dogcraft.de>
Thu, 17 Jul 2014 21:58:54 +0000 (23:58 +0200)
committerFelix Dörre <felix@dogcraft.de>
Thu, 17 Jul 2014 21:58:54 +0000 (23:58 +0200)
src/org/cacert/gigi/Gigi.java
src/org/cacert/gigi/output/Form.java
src/org/cacert/gigi/pages/wot/AssuranceForm.java

index 447e808a84fedebe57246d5cbe176a9619ab831a..d584cd0956b3e68446fb0eb37b546ea25be1c035 100644 (file)
@@ -18,7 +18,7 @@ import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.output.Menu;
 import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
-import org.cacert.gigi.output.Form.CSRFError;
+import org.cacert.gigi.output.Form.CSRFException;
 import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
@@ -113,14 +113,14 @@ public class Gigi extends HttpServlet {
                                                } else {
                                                        p.doGet(req, resp);
                                                }
-                                       } catch (IOException e) {
-                                               e.printStackTrace();
-                                       } catch (CSRFError err) {
+                                       } catch (CSRFException err) {
                                                try {
                                                        resp.sendError(500, "CSRF invalid");
                                                } catch (IOException e) {
                                                        e.printStackTrace();
                                                }
+                                       } catch (IOException e) {
+                                               e.printStackTrace();
                                        }
 
                                }
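Review bot: A rejected CSRF token is reported as a server error — `resp.sendError(500, "CSRF invalid")` in the new catch block — although the request fails because of client-supplied input; `resp.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF invalid")` (403) describes the failure correctly and keeps forged requests out of 5xx alerting. Because `CSRFException` now extends `IOException`, this handler only works while the `CSRFException` catch precedes the `IOException` catch, which a later edit can silently break; a one-line comment such as `// must stay before catch (IOException): CSRFException is an IOException` would guard the ordering. If a page has already written to the response before the token is checked, `sendError` will presumably fail on a committed response — worth confirming that forms validate before emitting output. The enclosing service method starts outside the hunk.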
index 2ffb873171216efa91148d7798ab3b69e7029638..dd244d749afc36077bc49e55b5813268b17ddf4c 100644 (file)
@@ -1,5 +1,6 @@
 package org.cacert.gigi.output;
 
+import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Map;
 
@@ -45,29 +46,23 @@ public abstract class Form implements Outputable {
                return csrf;
        }
 
-       protected void checkCSRF(HttpServletRequest req) {
-               if (!csrf.equals(req.getParameter(CSRF_FIELD))) {
-                       throw new CSRFError();
-               }
-       }
-
-       public static <T extends Form> T getForm(HttpServletRequest req, Class<T> target) {
+       public static <T extends Form> T getForm(HttpServletRequest req, Class<T> target) throws CSRFException {
                String csrf = req.getParameter(CSRF_FIELD);
                if (csrf == null) {
-                       throw new CSRFError();
+                       throw new CSRFException();
                }
                HttpSession hs = req.getSession();
                if (hs == null) {
-                       throw new CSRFError();
+                       throw new CSRFException();
                }
                Form f = (Form) hs.getAttribute("form/" + target.getName() + "/" + csrf);
                if (f == null) {
-                       throw new CSRFError();
+                       throw new CSRFException();
                }
                return (T) f;
        }
 
-       public static class CSRFError extends Error {
+       public static class CSRFException extends IOException {
 
        }
 }
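Review bot: Making `CSRFException` a subclass of `IOException` lets a forged request be handled as an ordinary I/O failure: any page whose `doPost` wraps form handling in `catch (IOException e) { e.printStackTrace(); }` will log the CSRF rejection and may continue as if the request were legitimate, and callers that only declare `throws IOException` never see a separate CSRF case. A distinct checked type, e.g. `public static class CSRFException extends Exception { public CSRFException() { super("CSRF token missing or does not match a stored form"); } }`, forces each caller to handle the rejection explicitly and gives the log a usable message. Separately, `req.getSession()` in `getForm` creates a session for a request that has none, so a request carrying a forged or stale token allocates server-side state before being rejected; `req.getSession(false)` makes the existing null check meaningful. The removed `checkCSRF` was the only visible place the submitted token was compared with the form's own `csrf` field; if a form can be stored in the session under a key other than its own token, that comparison should move into `getForm` — the storing side is not visible here.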
index 4f60352260ae927764974612f2287097ba05ee54..e1c36886c9dac5641001d09ede433b169b9e6534 100644 (file)
@@ -48,8 +48,6 @@ public class AssuranceForm extends Form {
 
        @Override
        public boolean submit(PrintWriter out, HttpServletRequest req) {
-               checkCSRF(req);
-
                out.println("<div class='formError'>");
                boolean failed = false;