[ROL-2058] No salt renewal on POST request - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.1.1
Fix Version/s: 5.1.2
Component/s: User Interface - General
Labels:
None
Environment:
WildFly 8.2.0.Final

Description

Roller continues using previous salt value which sent from client as POST parameter. this leads fixing of salt value in the form element of html, and brings ServletException("Security Violation") by ValidateSaltFilter at some use cases (e.g. long-term editing over 60 minutes) unexpectedly.

Seems to that the cause is existence of org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method. this overwrites salt with previous value which sent by client as POST parameter. it's unnecessary behavior because new salt value comes through preceding invocation of UIAction#setRequest(Map).

Original discussion in the mailing list:
http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results

Attachments

ROL-2058.patch
10/Jan/15 23:40
0.7 kB
Kohei Nozaki

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: David Johnson

Reporter:: Kohei Nozaki

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 10/Jan/15 23:38

Updated:: 30/Mar/15 12:54

Resolved:: 01/Mar/15 14:50

Agile

View on Board

No salt renewal on POST request

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment