  1. Apache Roller
  2. ROL-2058

No salt renewal on POST request

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 5.1.1
    • 5.1.2
    • None
    • WildFly 8.2.0.Final

    Description

      Roller continues using the previous salt value, which was sent from the client as a POST parameter. This leads to the salt value in the HTML form element becoming fixed, and unexpectedly causes ValidateSaltFilter to throw ServletException("Security Violation") in some use cases (e.g. long-term editing over 60 minutes).

      The cause seems to be the existence of the org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method. It overwrites the salt with the previous value, which was sent by the client as a POST parameter. This behavior is unnecessary because the new salt value comes through the preceding invocation of UIAction#setRequest(Map).

      Original discussion in the mailing list:
      http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results
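
The failure mode described in this report, modeled as an added example (not Roller's code and not part of the original report). The class, its method names and the 60-minute salt lifetime are assumptions for illustration; the lifetime is taken from the report's "over 60 minutes" case.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class SaltRenewalDemo {
    static final long TTL_MIN = 60;                         // assumed salt lifetime in minutes
    static final Map<String, Long> cache = new HashMap<>(); // salt -> minute it was issued

    // Stand-in for the fresh salt made available on every request (the setRequest path).
    static String issueSalt(long now) {
        String salt = UUID.randomUUID().toString();
        cache.put(salt, now);
        return salt;
    }

    // Stand-in for the check ValidateSaltFilter applies to a POSTed salt.
    static boolean isValid(String salt, long now) {
        Long issued = cache.get(salt);
        return issued != null && now - issued <= TTL_MIN;
    }

    // Salt written into the re-rendered form after a POST.
    // setterOverwrites = true models setSalt(String) replacing the fresh value
    // with the one the client just posted.
    static String saltForForm(String posted, String fresh, boolean setterOverwrites) {
        return setterOverwrites ? posted : fresh;
    }

    // One editing session: open the form at minute 0, save every 20 minutes for two hours.
    // Returns the minute of the first rejected POST, or -1 if every save is accepted.
    static long firstRejection(boolean setterOverwrites) {
        cache.clear();
        String formSalt = issueSalt(0);                     // initial GET of the edit form
        for (long now = 20; now <= 120; now += 20) {
            if (!isValid(formSalt, now)) return now;        // "Security Violation"
            String fresh = issueSalt(now);                  // new salt for this request
            formSalt = saltForForm(formSalt, fresh, setterOverwrites);
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println("setter overwrites: first rejection at minute " + firstRejection(true));
        System.out.println("setter removed:    first rejection at minute " + firstRejection(false));
    }
}
```

With the overwrite in place the form keeps carrying the minute-0 salt, so the first save after that salt expires is rejected even though the user has been posting successfully the whole time.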

      Attachments

        1. ROL-2058.patch
          0.7 kB
          Kohei Nozaki

          People

            djohnson David Johnson
            xkylex Kohei Nozaki