Enforce Output of CSRF token.
authorFelix Dörre <felix@dogcraft.de>
Fri, 4 Jul 2014 23:27:17 +0000 (01:27 +0200)
committerFelix Dörre <felix@dogcraft.de>
Fri, 4 Jul 2014 23:28:51 +0000 (01:28 +0200)
src/org/cacert/gigi/output/Form.java
src/org/cacert/gigi/pages/main/Signup.java
src/org/cacert/gigi/pages/main/Signup.templ
src/org/cacert/gigi/pages/wot/AssuranceForm.java
src/org/cacert/gigi/pages/wot/AssureeSearch.templ

index 9a27127c65e1c82b69f7ebb1e0103e76f3707b70..b86b6dcb7ea62d5f9301ee87b177eb2b3aa58339 100644 (file)
@@ -1,14 +1,34 @@
 package org.cacert.gigi.output;
 
 import java.io.PrintWriter;
+import java.util.Map;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 
+import org.cacert.gigi.Language;
 import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.RandomToken;
 
 public abstract class Form implements Outputable {
+       String csrf;
+       public Form() {
+               csrf = RandomToken.generateToken(32);
+       }
+
        public abstract boolean submit(PrintWriter out, HttpServletRequest req);
+       @Override
+       public final void output(PrintWriter out, Language l,
+                       Map<String, Object> vars) {
+               out.println("<form method='POST' autocomplete='off'>");
+               outputContent(out, l, vars);
+               out.println("<input type='csrf' value='");
+               out.print(getCSRFToken());
+               out.println("'></form>");
+       }
+
+       public abstract void outputContent(PrintWriter out, Language l,
+                       Map<String, Object> vars);
 
        protected void outputError(PrintWriter out, ServletRequest req, String text) {
                out.print("<div>");
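Review bot: The token element written in output() has no `name` attribute and uses the non-standard `type='csrf'`, so browsers will render it as a visible text box and leave it out of the POST body, meaning no token can reach `submit()`; the `println` that opens the tag also puts a newline at the start of the attribute value. Replace the three statements with `out.print("<input type='hidden' name='csrf' value='");`, `out.print(getCSRFToken());`, `out.println("'></form>");`. Nothing in this hunk compares a posted value against `csrf` and `submit` stays abstract, so as far as the diff shows the token is generated and emitted but not verified — presumably left to a follow-up, but worth stating in a Javadoc on the class, e.g. `/** Emits a per-instance CSRF token; subclasses must compare the posted "csrf" parameter against getCSRFToken() in submit(). */`. The `csrf` field could be `private final` since it is assigned once in the constructor and read only through `getCSRFToken()`.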
@@ -16,4 +36,8 @@ public abstract class Form implements Outputable {
                out.println("</div>");
        }
 
+       public String getCSRFToken() {
+               return csrf;
+       }
+
 }
index 2aa0a5b6050e7ec1fdf7c8083cf1e4693e5bae7b..bd4037a1d5c8e9fa18ecfc2418ef789de2b97291 100644 (file)
@@ -47,7 +47,8 @@ public class Signup extends Form {
        }
        DateSelector myDoB = new DateSelector("day", "month", "year");
 
-       public void output(PrintWriter out, Language l,
+       @Override
+       public void outputContent(PrintWriter out, Language l,
                        Map<String, Object> outerVars) {
                HashMap<String, Object> vars = new HashMap<String, Object>();
                vars.put("fname", HTMLEncoder.encodeHTML(buildup.getFname()));
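Review bot: With output() now final in Form, Signup's opening form tag comes from the base class, which writes no `action` attribute, whereas the template line this commit removes from Signup.templ set `action="/register"`; the form will therefore post back to whatever URL served it. If Signup is mounted at a path other than `/register` this silently changes where the submission goes, so either confirm the servlet mapping or let subclasses supply the target (for example an overridable `getAction()` that Form.output() writes into the tag). outputContent's body continues past the end of the hunk, so whether it relies on the old action elsewhere is not visible here.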
index 631215e313ac4737b07a03711b6d10112aa15812..2cb5ade4c4a5a6df4a3027845fb5b7f470982b7d 100644 (file)
@@ -1,4 +1,3 @@
-<form method="post" action="/register" autocomplete="off">
 <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper" width="400">
   <tr>
     <td colspan="3" class="title"><?=_My Details?></td>
@@ -80,4 +79,3 @@
   </tr>
 
 </table>
-</form>
index b3546fb9a54f330dce38c771688e7db2388cf4d2..5819eb4d8b508a40e3c27b7aca9186cecc4df705 100644 (file)
@@ -32,7 +32,8 @@ public class AssuranceForm extends Form {
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
 
        @Override
-       public void output(PrintWriter out, Language l, Map<String, Object> vars) {
+       public void outputContent(PrintWriter out, Language l,
+                       Map<String, Object> vars) {
                HashMap<String, Object> res = new HashMap<String, Object>();
                res.putAll(vars);
                res.put("name", assuree.getName());
index cd1cb28bc0c9e2cac08f8cab2d5574b9ffb9cf9a..e8fa37c2e2a0a70803c3011a1ffab4d805902bd4 100644 (file)
@@ -1,4 +1,3 @@
-<form method="POST">
 <table class="wrapper" width="300">
   <tr>
     <td colspan="2" class="title"><?=_Assure Someone?></td>
@@ -16,4 +15,3 @@
     <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_Next?>"></td>
   </tr>
 </table>
-</form>