From 94b13d6ddaf92d0abd9c8a7883adca95d9192fd5 Mon Sep 17 00:00:00 2001
From: Artur Signell
Date: Mon, 29 Jun 2009 14:49:54 +0000
Subject: Fix for #3060 - Warn if cross site scripting prevention is turned off

svn changeset:8268/svn branch:6.0
---
 .../terminal/gwt/server/AbstractApplicationServlet.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
index a07d1114a6..ff03e8d1a5 100644
--- a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
+++ b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
@@ -118,6 +118,8 @@ public abstract class AbstractApplicationServlet extends HttpServlet {
 private static final String NOT_PRODUCTION_MODE_INFO = "=================================================================\nVaadin is running in DEBUG MODE.\nAdd productionMode=true to web.xml to disable debug features.\nTo show debug window, add ?debug to your application URL.\n=================================================================";
+ private static final String WARNING_XSRF_PROTECTION_DISABLED = "===========================================================\nWARNING: Cross-site request forgery protection is disabled!\n===========================================================";
+
 private boolean productionMode = false;
 private static final String URL_PARAMETER_RESTART_APPLICATION = "restartApplication";
@@ -127,6 +129,7 @@ public abstract class AbstractApplicationServlet extends HttpServlet {
 private static final String SERVLET_PARAMETER_DEBUG = "Debug";
 private static final String SERVLET_PARAMETER_PRODUCTION_MODE = "productionMode";
+ static final String SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION = "disable-xsrf-protection";
 // Configurable parameter names
 private static final String PARAMETER_VAADIN_RESOURCES = "Resources";
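Review bot: SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION is declared package-private (`static final`) while every neighbouring parameter constant in this hunk is `private static final`, and nothing in the hunk says why; presumably another class in the package reads the same key when it actually turns the protection off, in which case that coupling deserves a comment such as `// Package-private on purpose: the code that disables the XSRF check reads this same key; keep both in sync`. The key itself is kebab-case (`disable-xsrf-protection`) whereas the surrounding keys (`productionMode`, `Debug`) are camel-case, so a deployer copying the existing style into web.xml would get a silently ignored parameter and no warning. Note also that the commit subject talks about "cross site scripting prevention" while the constant, its value and the warning text are all about cross-site request forgery; the subject should say XSRF/CSRF so the change is findable later.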
@@ -190,8 +193,20 @@ public abstract class AbstractApplicationServlet extends HttpServlet {
 applicationProperties.setProperty(name, context .getInitParameter(name));
 }
-
 checkProductionMode();
+ checkCrossSiteProtection();
+ }
+
+ private void checkCrossSiteProtection() {
+ if (getApplicationOrSystemProperty( SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION, "false").equals( "true")) {
+ /*
+ * Print an information/warning message about running with xsrf
+ * protection disabled
+ */
+ System.err.println(WARNING_XSRF_PROTECTION_DISABLED);
+ }
 }
 private void checkProductionMode() {
--
cgit v1.2.3
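Review bot: checkCrossSiteProtection() decides whether to warn by an exact string compare of the property against `"true"`, but the code that actually disables the XSRF check is not in this hunk and must read the same property; if it parses the value any other way (for example with `Boolean.parseBoolean`, which accepts `TRUE` or `True`), a deployment can run with the protection off and never see this warning, which is the one case the warning exists for. Put the parse in one place and have both callers use it, e.g. `private boolean isXsrfProtectionDisabled() { return "true".equals(getApplicationOrSystemProperty(SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION, "false")); }`, so the warning and the enforcement can never drift apart. The new method also has no Javadoc; a one-liner stating that it only reports the setting on stderr at servlet init and does not itself change request handling would stop a later reader from assuming it is the enforcement point. Writing only to System.err matches the existing NOT_PRODUCTION_MODE_INFO path, but a security-relevant misconfiguration is worth also sending through the servlet log (`log(WARNING_XSRF_PROTECTION_DISABLED)`) since some containers do not capture stderr. The enclosing init() method starts before this hunk.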