author | Henrik Paul <henrik@vaadin.com> | 2013-09-02 16:48:15 +0300 |
---|---|---|
committer | Vaadin Code Review <review@vaadin.com> | 2013-09-04 07:25:13 +0000 |
commit | c14334f284c7e7c344b2983726b9242e3ef8562e (patch) | |
tree | 56484511c87300a04286653f1abee7451cac2224 /client | |
parent | aae2fa65316a228f7e1c17bd976ab0cbcc22543c (diff) | |
Rewrite client request into JSON (#9269, #11257)
Change-Id: I0001d54f890ad8e5787d1f6c076d1f1d75dd32d2
Diffstat (limited to 'client')
3 files changed, 29 insertions, 66 deletions
diff --git a/client/src/com/vaadin/client/ApplicationConnection.java b/client/src/com/vaadin/client/ApplicationConnection.java index 2865e04757..364ce4521d 100644 --- a/client/src/com/vaadin/client/ApplicationConnection.java +++ b/client/src/com/vaadin/client/ApplicationConnection.java @@ -90,6 +90,7 @@ import com.vaadin.client.ui.ui.UIConnector; import com.vaadin.client.ui.window.WindowConnector; import com.vaadin.shared.AbstractComponentState; import com.vaadin.shared.ApplicationConstants; +import com.vaadin.shared.JsonConstants; import com.vaadin.shared.Version; import com.vaadin.shared.communication.LegacyChangeVariablesInvocation; import com.vaadin.shared.communication.MethodInvocation; @@ -136,10 +137,6 @@ public class ApplicationConnection { public static final String ERROR_CLASSNAME_EXT = "-error"; - public static final char VAR_BURST_SEPARATOR = '\u001d'; - - public static final char VAR_ESCAPE_CHARACTER = '\u001b'; - /** * A string that, if found in a non-JSON response to a UIDL request, will * cause the browser to refresh the page. If followed by a colon, optional @@ -675,7 +672,7 @@ public class ApplicationConnection { }-*/; protected void repaintAll() { - makeUidlRequest("", getRepaintAllParameters()); + makeUidlRequest(new JSONArray(), getRepaintAllParameters()); } /** 
@@ -706,20 +703,23 @@ public class ApplicationConnection { /** * Makes an UIDL request to the server. * - * @param requestData - * Data that is passed to the server. + * @param reqInvocations + * Data containing RPC invocations and all related information. * @param extraParams * Parameters that are added as GET parameters to the url. * Contains key=value pairs joined by & characters or is empty if * no parameters should be added. Should not start with any * special character. */ - protected void makeUidlRequest(final String requestData, + protected void makeUidlRequest(final JSONArray reqInvocations, final String extraParams) { startRequest(); - // Security: double cookie submission pattern - final String payload = getCsrfToken() + VAR_BURST_SEPARATOR - + requestData; + + JSONObject payload = new JSONObject(); + payload.put(ApplicationConstants.CSRF_TOKEN, new JSONString( + getCsrfToken())); + payload.put(ApplicationConstants.RPC_INVOCATIONS, reqInvocations); + VConsole.log("Making UIDL Request with params: " + payload); String uri = translateVaadinUri(ApplicationConstants.APP_PROTOCOL_PREFIX + ApplicationConstants.UIDL_PATH + '/'); @@ -743,7 +743,7 @@ public class ApplicationConnection { * @param payload * The contents of the request to send */ - protected void doUidlRequest(final String uri, final String payload) { + protected void doUidlRequest(final String uri, final JSONObject payload) { RequestCallback requestCallback = new RequestCallback() { @Override public void onError(Request request, Throwable exception) { 
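Review bot: The unchanged line `VConsole.log("Making UIDL Request with params: " + payload);` in makeUidlRequest prints the whole payload, and that object now carries the CSRF token under `ApplicationConstants.CSRF_TOKEN`. The token was already the prefix of the old string, so the exposure is not new, but this rewrite is the natural place to drop it by logging only the invocations: `VConsole.log("Making UIDL Request with params: " + reqInvocations);`. `VConsole.log("Sending push message: " + message)` in AtmospherePushConnection.push looks like the same case if it receives this object, which the diff does not show. The deleted `// Security: double cookie submission pattern` line was the only in-code explanation of why the token travels in the body, so a one-line comment above the `CSRF_TOKEN` put should replace it. The method body continues past the end of the hunk.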
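Review bot: `doUidlRequest(final String uri, final JSONObject payload)` changes the parameter type of a `protected` extension point with no bridge and no Javadoc mention. A subclass that declared the old `(String, String)` signature without `@Override` may still compile and simply stop being called, so any header or payload handling it added would be skipped silently. The same applies to `makeUidlRequest` in the previous hunk and to `doAjaxRequest` further down. If subclassing these hooks is supported, each method's Javadoc should gain a sentence saying the payload changed from `String` to `JSONObject` and that overrides of the old signature are no longer invoked. The body of doUidlRequest continues outside the hunk.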
@@ -906,14 +906,14 @@ public class ApplicationConnection { * @throws RequestException * if the request could not be sent */ - protected void doAjaxRequest(String uri, String payload, + protected void doAjaxRequest(String uri, JSONObject payload, RequestCallback requestCallback) throws RequestException { RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, uri); // TODO enable timeout // rb.setTimeoutMillis(timeoutMillis); // TODO this should be configurable - rb.setHeader("Content-Type", "text/plain;charset=utf-8"); - rb.setRequestData(payload); + rb.setHeader("Content-Type", JsonConstants.JSON_CONTENT_TYPE); + rb.setRequestData(payload.toString()); rb.setCallback(requestCallback); final Request request = rb.send(); @@ -2468,15 +2468,13 @@ public class ApplicationConnection { */ private void buildAndSendVariableBurst( LinkedHashMap<String, MethodInvocation> pendingInvocations) { - final StringBuffer req = new StringBuffer(); - while (!pendingInvocations.isEmpty()) { + JSONArray reqJson = new JSONArray(); + if (!pendingInvocations.isEmpty()) { if (ApplicationConfiguration.isDebugMode()) { Util.logVariableBurst(this, pendingInvocations.values()); } - JSONArray reqJson = new JSONArray(); - for (MethodInvocation invocation : pendingInvocations.values()) { JSONArray invocationJson = new JSONArray(); invocationJson.set(0, @@ -2515,9 +2513,6 @@ public class ApplicationConnection { reqJson.set(reqJson.size(), invocationJson); } - // escape burst separators (if any) - req.append(escapeBurstContents(reqJson.toString())); - pendingInvocations.clear(); // Keep tag string short lastInvocationTag = 0; @@ -2541,7 +2536,7 @@ public class ApplicationConnection { getConfiguration().setWidgetsetVersionSent(); } - makeUidlRequest(req.toString(), extraParams); + makeUidlRequest(reqJson, extraParams); } private boolean isJavascriptRpc(MethodInvocation invocation) { 
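Review bot: The call site in doAjaxRequest no longer pins a charset, because `"text/plain;charset=utf-8"` is replaced by `JsonConstants.JSON_CONTENT_TYPE`, whose value is not visible in this diff. If that constant omits `charset=utf-8`, the server has to decode the body as UTF-8 on its own instead of falling back to a container default; that is worth confirming, since user-entered values travel in this body. Moving off `text/plain`, a type a cross-site HTML form can submit, only strengthens the CSRF defence if the server refuses other content types on the UIDL endpoint, which a client-only diff cannot show. The leftover `// TODO this should be configurable` now sits above a header that must match the JSON body, so it should be reworded or removed.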
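Review bot: With the `escapeBurstContents(reqJson.toString())` call gone from buildAndSendVariableBurst (and the method deleted later in the file), nothing in the code says what now protects the message framing when an invocation parameter contains `\u001d` or `\u001b`. The protection is the JSON encoding of `reqJson`, which holds only if the server parses the body as JSON and no longer splits on the burst separator; the server side is outside this diff. A comment at the `makeUidlRequest(reqJson, extraParams)` call would record that, for example `// Framing comes from JSON encoding; no burst-separator escaping is needed`. The `while` to `if` change looks equivalent because the body calls `pendingInvocations.clear()`. The method starts before this hunk and continues after it.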
@@ -2785,35 +2780,6 @@ public class ApplicationConnection { } /** - * Encode burst separator characters in a String for transport over the - * network. This protects from separator injection attacks. - * - * @param value - * to encode - * @return encoded value - */ - protected String escapeBurstContents(String value) { - final StringBuilder result = new StringBuilder(); - for (int i = 0; i < value.length(); ++i) { - char character = value.charAt(i); - switch (character) { - case VAR_ESCAPE_CHARACTER: - // fall-through - escape character is duplicated - case VAR_BURST_SEPARATOR: - result.append(VAR_ESCAPE_CHARACTER); - // encode as letters for easier reading - result.append(((char) (character + 0x30))); - break; - default: - // the char is not a special one - add it to the result as is - result.append(character); - break; - } - } - return result.toString(); - } - - /** * Does absolutely nothing. Replaced by {@link LayoutManager}. * * @param container diff --git a/client/src/com/vaadin/client/communication/AtmospherePushConnection.java b/client/src/com/vaadin/client/communication/AtmospherePushConnection.java index 20ccd45173..94ea0aaab2 100644 --- a/client/src/com/vaadin/client/communication/AtmospherePushConnection.java +++ b/client/src/com/vaadin/client/communication/AtmospherePushConnection.java @@ -20,6 +20,7 @@ import java.util.ArrayList; import com.google.gwt.core.client.JavaScriptObject; import com.google.gwt.core.client.Scheduler; +import com.google.gwt.json.client.JSONObject; import com.google.gwt.user.client.Command; import com.vaadin.client.ApplicationConnection; import com.vaadin.client.ApplicationConnection.CommunicationErrorHandler; @@ -109,7 +110,7 @@ public class AtmospherePushConnection implements PushConnection { private JavaScriptObject socket; - private ArrayList<String> messageQueue = new ArrayList<String>(); + private ArrayList<JSONObject> messageQueue = new ArrayList<JSONObject>(); private State state = State.CONNECT_PENDING; 
@@ -190,14 +191,8 @@ public class AtmospherePushConnection implements PushConnection { } } - /* - * (non-Javadoc) - * - * @see - * com.vaadin.client.communication.PushConenction#push(java.lang.String) - */ @Override - public void push(String message) { + public void push(JSONObject message) { switch (state) { case CONNECT_PENDING: assert isActive(); @@ -209,12 +204,13 @@ public class AtmospherePushConnection implements PushConnection { VConsole.log("Sending push message: " + message); if (transport.equals("websocket")) { - FragmentedMessage fragmented = new FragmentedMessage(message); + FragmentedMessage fragmented = new FragmentedMessage( + message.toString()); while (fragmented.hasNextFragment()) { doPush(socket, fragmented.getNextFragment()); } } else { - doPush(socket, message); + doPush(socket, message.toString()); } break; case DISCONNECT_PENDING: @@ -235,7 +231,7 @@ public class AtmospherePushConnection implements PushConnection { switch (state) { case CONNECT_PENDING: state = State.CONNECTED; - for (String message : messageQueue) { + for (JSONObject message : messageQueue) { push(message); } messageQueue.clear(); diff --git a/client/src/com/vaadin/client/communication/PushConnection.java b/client/src/com/vaadin/client/communication/PushConnection.java index a7eba224be..ba79af9d2c 100644 --- a/client/src/com/vaadin/client/communication/PushConnection.java +++ b/client/src/com/vaadin/client/communication/PushConnection.java @@ -16,6 +16,7 @@ package com.vaadin.client.communication; +import com.google.gwt.json.client.JSONObject; import com.google.gwt.user.client.Command; import com.vaadin.client.ApplicationConnection; import com.vaadin.client.ApplicationConnection.CommunicationErrorHandler; 
@@ -53,14 +54,14 @@ public interface PushConnection { * replay those messages in the original order when the connection has been * established. * - * @param message - * the message to push + * @param payload + * the payload to push * @throws IllegalStateException * if this connection is not active * * @see #isActive() */ - public void push(String message); + public void push(JSONObject payload); /** * Checks whether this push connection is in a state where it can push |