authorArtur Signell <artur.signell@itmill.com>2009-06-29 14:49:54 +0000
committerArtur Signell <artur.signell@itmill.com>2009-06-29 14:49:54 +0000
commit94b13d6ddaf92d0abd9c8a7883adca95d9192fd5 (patch)
tree5307ba5a72b96400d38bfa067fb84be79ccf01f0
parent42af2df434d96a993e90a46e08bbaa883f5c3b3b (diff)
downloadvaadin-framework-94b13d6ddaf92d0abd9c8a7883adca95d9192fd5.tar.gz
vaadin-framework-94b13d6ddaf92d0abd9c8a7883adca95d9192fd5.zip
Fix for #3060 - Warn if cross site scripting prevention is turned off
svn changeset:8268/svn branch:6.0
-rw-r--r--src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
index a07d1114a6..ff03e8d1a5 100644
--- a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
+++ b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
@@ -118,6 +118,8 @@ public abstract class AbstractApplicationServlet extends HttpServlet {
private static final String NOT_PRODUCTION_MODE_INFO = "=================================================================\nVaadin is running in DEBUG MODE.\nAdd productionMode=true to web.xml to disable debug features.\nTo show debug window, add ?debug to your application URL.\n=================================================================";
+ private static final String WARNING_XSRF_PROTECTION_DISABLED = "===========================================================\nWARNING: Cross-site request forgery protection is disabled!\n===========================================================";
+
private boolean productionMode = false;
private static final String URL_PARAMETER_RESTART_APPLICATION = "restartApplication";
@@ -127,6 +129,7 @@ public abstract class AbstractApplicationServlet extends HttpServlet {
private static final String SERVLET_PARAMETER_DEBUG = "Debug";
private static final String SERVLET_PARAMETER_PRODUCTION_MODE = "productionMode";
+ static final String SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION = "disable-xsrf-protection";
// Configurable parameter names
private static final String PARAMETER_VAADIN_RESOURCES = "Resources";
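Review bot: `SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION` on the added line is package-private while the neighbouring parameter-name constants are `private`; if nothing outside this class reads it, `private static final String SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION = "disable-xsrf-protection";` keeps the set of places that can spell the parameter name small, and if another class in the package does depend on it, a one-line comment saying so would stop the next maintainer from narrowing it. Since this constant names a switch that, per the warning text added in the first hunk, is intended to turn off cross-site request forgery protection, a short Javadoc on it stating that effect would document the security-relevant setting where it is defined rather than only in the warning string.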
@@ -190,8 +193,20 @@ public abstract class AbstractApplicationServlet extends HttpServlet {
applicationProperties.setProperty(name, context
.getInitParameter(name));
}
-
checkProductionMode();
+ checkCrossSiteProtection();
+ }
+
+ private void checkCrossSiteProtection() {
+ if (getApplicationOrSystemProperty(
+ SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION, "false").equals(
+ "true")) {
+ /*
+ * Print an information/warning message about running with xsrf
+ * protection disabled
+ */
+ System.err.println(WARNING_XSRF_PROTECTION_DISABLED);
+ }
}
private void checkProductionMode() {
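Review bot: The warning in `checkCrossSiteProtection` fires only when the parameter value is exactly `"true"`; if the code that actually disables the XSRF check (not in this hunk) reads the same parameter with a different comparison, a value such as `"True"` could disable protection without any warning, or warn without disabling it. Reading the value once through a shared helper, for example `Boolean.parseBoolean(getApplicationOrSystemProperty(SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION, "false"))` used by both the warning and the enforcement path, keeps the message and the behaviour in step. `System.err.println` may never reach the container's log in many deployments; `log(WARNING_XSRF_PROTECTION_DISABLED)` from `GenericServlet` goes wherever the servlet log does, which is what an operator auditing a deployment will actually read. The enclosing method that calls `checkProductionMode()` and the new `checkCrossSiteProtection()` starts before this hunk.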
n class="cm"><!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- $Id$ --> <testcase> <info> <p> This test checks that no NPE is thrown when a list item is split alongside a IPD change. </p> </info> <fo> <fo:root xmlns:fo="http://www.w3.org/1999/XSL/Format"> <fo:layout-master-set> <fo:simple-page-master margin-left="0.675in" master-name="Page"> <fo:region-body region-name="Body"/> </fo:simple-page-master> <fo:simple-page-master margin-left="0.65in" master-name="PageRest"> <fo:region-body region-name="Body"/> </fo:simple-page-master> <fo:page-sequence-master master-name="PageSequence"> <fo:repeatable-page-master-alternatives> <fo:conditional-page-master-reference page-position="first" master-reference="Page"/> <fo:conditional-page-master-reference page-position="rest" master-reference="PageRest"/> </fo:repeatable-page-master-alternatives> </fo:page-sequence-master> </fo:layout-master-set> <fo:page-sequence format="1" id="TH_LastPage" master-reference="PageSequence"> <fo:flow flow-name="Body"> <fo:block> <fo:list-block> <fo:list-item> <fo:list-item-label> <fo:block/> </fo:list-item-label> <fo:list-item-body> <fo:block>a</fo:block> <fo:block break-before="page">b</fo:block> </fo:list-item-body> </fo:list-item> </fo:list-block> </fo:block> </fo:flow> </fo:page-sequence> 
</fo:root> </fo> <checks> <eval expected="a" xpath="//pageViewport[1]/page/regionViewport/regionBody/mainReference"/> <eval expected="b" xpath="//pageViewport[2]/page/regionViewport/regionBody/mainReference"/> </checks> </testcase>