From 70ac38c2e844e293d9815b8703341b94b029977a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sat, 5 Jul 2014 01:27:17 +0200
Subject: [PATCH] Enforce Output of CSRF token.

---
 src/org/cacert/gigi/output/Form.java | 24 +++++++++++++++++++
 src/org/cacert/gigi/pages/main/Signup.java | 3 ++-
 src/org/cacert/gigi/pages/main/Signup.templ | 2 --
 .../cacert/gigi/pages/wot/AssuranceForm.java | 3 ++-
 .../cacert/gigi/pages/wot/AssureeSearch.templ | 2 --
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/src/org/cacert/gigi/output/Form.java b/src/org/cacert/gigi/output/Form.java
index 9a27127c..b86b6dcb 100644
--- a/src/org/cacert/gigi/output/Form.java
+++ b/src/org/cacert/gigi/output/Form.java
@@ -1,14 +1,34 @@
 package org.cacert.gigi.output;
 import java.io.PrintWriter;
+import java.util.Map;
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
+import org.cacert.gigi.Language;
 import org.cacert.gigi.pages.Page;
+import org.cacert.gigi.util.RandomToken;
 public abstract class Form implements Outputable {
+ String csrf;
+ public Form() {
+ csrf = RandomToken.generateToken(32);
+ }
+ public abstract boolean submit(PrintWriter out, HttpServletRequest req);
+ @Override
+ public final void output(PrintWriter out, Language l,
+ Map vars) {
+ out.println("
");
+ outputContent(out, l, vars);
+ out.println("
");
+ }
+
+ public abstract void outputContent(PrintWriter out, Language l,
+ Map vars);
 protected void outputError(PrintWriter out, ServletRequest req, String text) {
 out.print("
");
@@ -16,4 +36,8 @@ public abstract class Form implements Outputable {
 out.println("
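Review bot: The token generated in `Form()` is only ever emitted; nothing in this hunk or in the second Form.java hunk (`getCSRFToken()`) compares the value a client sends back with `csrf`, and `submit(PrintWriter, HttpServletRequest)` stays abstract, so every subclass is left to do its own check — if that check lives outside this diff it belongs once in `Form`, comparing with `MessageDigest.isEqual` on the bytes rather than `String.equals`. The field should be `private final String csrf;`: as written, any class in `org.cacert.gigi.output` can reassign it after the form has been rendered, and it is never meant to change. Whether `RandomToken.generateToken(32)` draws from `SecureRandom` is not visible here and should be confirmed. A comment on the field such as `// per-instance anti-CSRF token; only verifiable if this Form instance survives between render and submit (e.g. kept in the session)` would record the lifetime assumption the design depends on, and since the markup printed by `output()` is lost in this rendering, that the token actually lands in a hidden input could not be confirmed from the hunk.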
");
 }
+ public String getCSRFToken() {
+ return csrf;
+ }
+
 }
diff --git a/src/org/cacert/gigi/pages/main/Signup.java b/src/org/cacert/gigi/pages/main/Signup.java
index 2aa0a5b6..bd4037a1 100644
--- a/src/org/cacert/gigi/pages/main/Signup.java
+++ b/src/org/cacert/gigi/pages/main/Signup.java
@@ -47,7 +47,8 @@ public class Signup extends Form {
 }
 DateSelector myDoB = new DateSelector("day", "month", "year");
- public void output(PrintWriter out, Language l,
+ @Override
+ public void outputContent(PrintWriter out, Language l,
 Map outerVars) {
 HashMap vars = new HashMap();
 vars.put("fname", HTMLEncoder.encodeHTML(buildup.getFname()));
diff --git a/src/org/cacert/gigi/pages/main/Signup.templ b/src/org/cacert/gigi/pages/main/Signup.templ
index 631215e3..2cb5ade4 100644
--- a/src/org/cacert/gigi/pages/main/Signup.templ
+++ b/src/org/cacert/gigi/pages/main/Signup.templ
@@ -1,4 +1,3 @@
-
@@ -80,4 +79,3 @@
-
diff --git a/src/org/cacert/gigi/pages/wot/AssuranceForm.java b/src/org/cacert/gigi/pages/wot/AssuranceForm.java
index b3546fb9..5819eb4d 100644
--- a/src/org/cacert/gigi/pages/wot/AssuranceForm.java
+++ b/src/org/cacert/gigi/pages/wot/AssuranceForm.java
@@ -32,7 +32,8 @@ public class AssuranceForm extends Form {
 SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
 @Override
- public void output(PrintWriter out, Language l, Map vars) {
+ public void outputContent(PrintWriter out, Language l,
+ Map vars) {
 HashMap res = new HashMap();
 res.putAll(vars);
 res.put("name", assuree.getName());
diff --git a/src/org/cacert/gigi/pages/wot/AssureeSearch.templ b/src/org/cacert/gigi/pages/wot/AssureeSearch.templ
index cd1cb28b..e8fa37c2 100644
--- a/src/org/cacert/gigi/pages/wot/AssureeSearch.templ
+++ b/src/org/cacert/gigi/pages/wot/AssureeSearch.templ
@@ -1,4 +1,3 @@
-
@@ -16,4 +15,3 @@
-
-- 2.39.2