From 0c19a843c23f61cf32f555355a9fa1baf9c8f8f1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Thu, 10 Jul 2014 01:21:07 +0200
Subject: [PATCH] Fix test for csrf.

---
 src/org/cacert/gigi/Gigi.java | 7 +++++++
 src/org/cacert/gigi/output/Form.java | 3 +++
 .../cacert/gigi/pages/main/RegisterPage.java | 8 ++++++--
 .../org/cacert/gigi/testUtils/ManagedTest.java | 17 ++++++++++++-----
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index a0f8671a..c49cdcbb 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -20,6 +20,7 @@ import org.cacert.gigi.output.Menu;
 import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
 import org.cacert.gigi.output.Template;
+import org.cacert.gigi.output.Form.CSRFError;
 import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.MainPage;
 import org.cacert.gigi.pages.Page;
@@ -113,6 +114,12 @@ public class Gigi extends HttpServlet {
             }
         } catch (IOException e) {
             e.printStackTrace();
+        } catch (CSRFError err) {
+            try {
+                resp.sendError(500, "CSRF invalid");
+            } catch (IOException e) {
+                e.printStackTrace();
+            }
         }
     }
 
diff --git a/src/org/cacert/gigi/output/Form.java b/src/org/cacert/gigi/output/Form.java
index 16440cc3..11209ca5 100644
--- a/src/org/cacert/gigi/output/Form.java
+++ b/src/org/cacert/gigi/output/Form.java
@@ -60,6 +60,9 @@ public abstract class Form implements Outputable {
             throw new CSRFError();
         }
         Form f = (Form) hs.getAttribute("form/" + target.getName() + "/" + csrf);
+        if (f == null) {
+            throw new CSRFError();
+        }
         return (T) f;
     }
 
diff --git a/src/org/cacert/gigi/pages/main/RegisterPage.java b/src/org/cacert/gigi/pages/main/RegisterPage.java
index b80429fb..e243c287 100644
--- a/src/org/cacert/gigi/pages/main/RegisterPage.java
+++ b/src/org/cacert/gigi/pages/main/RegisterPage.java
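Review bot: The new `catch (CSRFError err)` branch reports a rejected token as a server fault (`resp.sendError(500, "CSRF invalid")`), although a missing or stale token is a client-side condition; `resp.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF invalid");` classifies it correctly and keeps 5xx for genuine server errors. The caught `err` is discarded, so a CSRF rejection leaves no trace anywhere — recording it (with the request URI, if `req` is in scope in this method) before sending the error gives operators a signal when rejections spike. If anything has already been written to `resp` before the error is thrown, `sendError` itself throws `IllegalStateException`, which neither catch handles; whether that can happen depends on code outside this hunk. The enclosing method starts and ends outside the hunk.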
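Review bot: The added `if (f == null)` guard closes the case where the client-supplied `csrf` value names no form registered in this session, but it throws the same bare `CSRFError` as the check just above it, so the servlet-level handler cannot distinguish a missing token from an unknown or stale one when it reports the failure. A short comment on the guard would help the next reader: `// no form is registered under this token in the session: stale, reused, or forged`. Keying the attribute on `target.getName()` as well as `csrf` is the right shape, since a token stored under one target name does not resolve under another. The enclosing method starts outside the hunk.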
@@ -22,10 +22,14 @@ public class RegisterPage extends Page {
 
     @Override
     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        Signup s = new Signup(req);
+        outputGet(req, resp, s);
+    }
+
+    private void outputGet(HttpServletRequest req, HttpServletResponse resp, Signup s) throws IOException {
         PrintWriter out = resp.getWriter();
         HashMap vars = new HashMap();
         getDefaultTemplate().output(out, getLanguage(req), vars);
-        Signup s = new Signup(req);
         s.output(out, getLanguage(req), vars);
     }
 
@@ -45,7 +49,7 @@ public class RegisterPage extends Page {
 
             return;
         }
-        super.doPost(req, resp);
+        outputGet(req, resp, s);
     }
 
     @Override
diff --git a/tests/org/cacert/gigi/testUtils/ManagedTest.java b/tests/org/cacert/gigi/testUtils/ManagedTest.java
index 880f6006..2d6631ef 100644
--- a/tests/org/cacert/gigi/testUtils/ManagedTest.java
+++ b/tests/org/cacert/gigi/testUtils/ManagedTest.java
@@ -151,10 +151,17 @@ public class ManagedTest {
     }
 
     public String runRegister(String param) throws IOException {
-        HttpURLConnection uc = (HttpURLConnection) new URL("https://" + getServerName() + registerService)
-                .openConnection();
+        URL regist = new URL("https://" + getServerName() + registerService);
+        HttpURLConnection uc = (HttpURLConnection) regist.openConnection();
+        HttpURLConnection csrfConn = (HttpURLConnection) regist.openConnection();
+
+        String headerField = csrfConn.getHeaderField("Set-Cookie");
+        headerField = headerField.substring(0, headerField.indexOf(';'));
+
+        String csrf = getCSRF(csrfConn);
+        uc.addRequestProperty("Cookie", headerField);
         uc.setDoOutput(true);
-        uc.getOutputStream().write(param.getBytes());
+        uc.getOutputStream().write((param + "&csrf=" + csrf).getBytes());
         String d = IOUtils.readURL(uc);
         return d;
     }
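Review bot: `outputGet` is now also the failure path of `doPost` (second hunk of this file, where `outputGet(req, resp, s)` replaces `super.doPost(req, resp)`), so the name no longer describes what the helper does; `renderForm` plus a one-line Javadoc such as `/** Writes the page frame and the given signup form; used by GET and by a rejected POST so the form is shown again. */` would make the shared role explicit. The helper also calls `getLanguage(req)` twice — hoisting it into a local keeps the two output calls in step. `HashMap vars = new HashMap();` is a raw type carried over from the old code; if `Template.output` declares a parameterized map, `Map<String, Object> vars = new HashMap<>();` is the drop-in. In the second hunk `s` is obtained above the hunk, so whether it is the same `Signup` instance that the CSRF lookup returned cannot be confirmed here; `doPost` starts outside the hunk.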
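Review bot: `headerField.substring(0, headerField.indexOf(';'))` throws a NullPointerException when the first response carries no `Set-Cookie` header and a StringIndexOutOfBoundsException when the cookie has no attributes (`indexOf` returns -1), either of which masks the real cause of a failing test; check both before slicing and fail with a message that names the problem, as `getCSRF` does. The new body line `(param + "&csrf=" + csrf).getBytes()` should also URL-encode the token and name the charset, since a token containing `+`, `&` or `=` is decoded differently by the server and `getBytes()` with no argument uses the platform default (`URLEncoder` and `StandardCharsets` need imports outside the hunk). `getHeaderField("Set-Cookie")` yields only one of possibly several `Set-Cookie` headers; whether the server ever sets more than one cannot be told from this hunk, and `getHeaderFields()` would be needed if it does. No `Content-Type` is set on `uc`, so the server must default to form encoding, but that predates this commit.
```java
    public String runRegister(String param) throws IOException {
        URL regist = new URL("https://" + getServerName() + registerService);
        HttpURLConnection uc = (HttpURLConnection) regist.openConnection();
        HttpURLConnection csrfConn = (HttpURLConnection) regist.openConnection();

        String setCookie = csrfConn.getHeaderField("Set-Cookie");
        if (setCookie == null) {
            throw new Error("No Set-Cookie header from " + regist);
        }
        int attrs = setCookie.indexOf(';');
        String sessionCookie = attrs < 0 ? setCookie : setCookie.substring(0, attrs);

        String csrf = getCSRF(csrfConn);
        uc.addRequestProperty("Cookie", sessionCookie);
        uc.setDoOutput(true);
        String body = param + "&csrf=" + URLEncoder.encode(csrf, "UTF-8");
        uc.getOutputStream().write(body.getBytes(StandardCharsets.UTF_8));
        // … unchanged: read the response and return it …
```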
@@ -261,10 +268,10 @@ public class ManagedTest {
 
     public String getCSRF(URLConnection u) throws IOException {
         String content = IOUtils.readURL(u);
-        Pattern p = Pattern.compile("");
+        Pattern p = Pattern.compile("");
         Matcher m = p.matcher(content);
         if (!m.find()) {
-            throw new Error("New CSRF Token");
+            throw new Error("No CSRF Token");
         }
         return m.group(1);
     }
-- 
2.39.2
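Review bot: `throw new Error("No CSRF Token")` now reads correctly but still says nothing about which page was fetched, so a test failing here needs a debugger to diagnose; `throw new Error("No CSRF Token in " + u.getURL());` costs nothing and points straight at the response. The argument to `Pattern.compile` is not legible in this rendering of the hunk (it appears as an empty literal on both the old and the new side), so the pattern change itself is not reviewed here. Since `getCSRF` runs once per request, the compiled `Pattern` could also live in a `private static final` field instead of being rebuilt on every call.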