Apache
/
activemq
mirror of https://github.com/apache/activemq.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix for: https://issues.apache.org/jira/browse/AMQ-2740 

Fix for NPE indicate possible CSRF attack instead.

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1418061 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Timothy A. Bish 2012-12-06 20:37:04 +00:00
parent 4321ae065d
commit 67252fe60d
1 changed files with 18 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
View File

@ -17,7 +17,6 @@
package org.apache.activemq.web.handler;
import java.util.Arrays;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
@ -25,8 +24,8 @@ import org.apache.activemq.web.DestinationFacade;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
/**
*
@ -34,6 +33,7 @@ import org.springframework.web.servlet.HandlerExecutionChain;
public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping {
private static final transient Logger LOG = LoggerFactory.getLogger(BindingBeanNameUrlHandlerMapping.class);
@Override
protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
Object object = super.getHandlerInternal(request);
@ -54,12 +54,12 @@ public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping
throw new UnsupportedOperationException("Unsupported method " + request.getMethod() + " for path " + request.getRequestURI());
}
// check the 'secret'
if (!request.getSession().getAttribute("secret").equals(request.getParameter("secret"))) {
if (request.getSession().getAttribute("secret") == null ||
!request.getSession().getAttribute("secret").equals(request.getParameter("secret"))) {
throw new UnsupportedOperationException("Possible CSRF attack");
}
}
ServletRequestDataBinder binder = new ServletRequestDataBinder(object, "request");
try {
binder.bind(request);