Repository: wicket Updated Branches: refs/heads/master 6ce7cd19d -> bae94e2d3
WICKET-5944 CSRF prevention does not work with https URLs on the default port Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/bae94e2d Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/bae94e2d Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/bae94e2d Branch: refs/heads/master Commit: bae94e2d330badee94824a199b834639d10d686f Parents: 6ce7cd1 Author: Martijn Dashorst <martijn.dasho...@gmail.com> Authored: Wed Jul 8 13:01:00 2015 +0200 Committer: Martijn Dashorst <martijn.dasho...@gmail.com> Committed: Wed Jul 8 13:01:08 2015 +0200 ---------------------------------------------------------------------- .../CsrfPreventionRequestCycleListener.java | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/bae94e2d/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java ----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 838863b..73cebee 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -115,7 +115,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 implements IRequestCycleListener
 {
- private static final Logger log = LoggerFactory.getLogger(CsrfPreventionRequestCycleListener.class);
+ private static final Logger log = LoggerFactory
+ .getLogger(CsrfPreventionRequestCycleListener.class);
 /**
 * The action to perform when a missing or conflicting Origin header is detected.
@@ -162,8 +163,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 private CsrfAction conflictingOriginAction = CsrfAction.ABORT;
 /**
- * The error code to report when the action to take for a CSRF request is {@link CsrfAction#ABORT}. Default
- * {@code 400 BAD REQUEST}.
+ * The error code to report when the action to take for a CSRF request is
+ * {@link CsrfAction#ABORT}. Default {@code 400 BAD REQUEST}.
 */
 private int errorCode = javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
@@ -516,8 +517,11 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 target.append(host);
 int port = originUri.getPort();
- if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) &&
- port != 443)
+ boolean portIsSpecified = port != -1;
+ boolean isAlternateHttpPort = "http".equals(scheme) && port != 80;
+ boolean isAlternateHttpsPort = "https".equals(scheme) && port != 443;
+
+ if (portIsSpecified && (isAlternateHttpPort || isAlternateHttpsPort))
 {
 target.append(':');
 target.append(port);
@@ -583,7 +587,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 * @param page
 * the page that is targeted with this request
 */
- private void whitelistedHandler(HttpServletRequest request, String origin, IRequestablePage page)
+ private void whitelistedHandler(HttpServletRequest request, String origin,
+ IRequestablePage page)
 {
 onWhitelisted(request, origin, page);
 if (log.isDebugEnabled())
@@ -640,7 +645,8 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 * @param page
 * the page that is targeted with this request
 */
- protected void onMatchingOrigin(HttpServletRequest request, String origin, IRequestablePage page)
+ protected void onMatchingOrigin(HttpServletRequest request, String origin,
+ IRequestablePage page)
 {
 }
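Review bot: The rewritten condition in the `int port = originUri.getPort();` hunk still discards an explicitly given port for any scheme other than http or https, because both `isAlternate*Port` flags are gated on the scheme, so two origins that differ only in port (say `ws://host:8080` and `ws://host:9090`) would normalize to the same string; phrasing the check as "append unless it is the scheme's default port" keeps the port in that case: `boolean isDefaultPort = ("http".equals(scheme) && port == 80) || ("https".equals(scheme) && port == 443);` followed by `if (port != -1 && !isDefaultPort)`. The diffstat shows only the listener changed, so the regression this commit fixes (an https origin on the default port gaining a spurious `:-1`) is not pinned by a test; a unit test asserting that `https://example.com` and `https://example.com:443` normalize identically, and that `http://example.com:443` keeps its port, would do that. Whether `scheme` has been lowercased before these `equals` calls is not visible in the hunk; if it has not, an upper-case scheme in the Origin header would skip the default-port elision and produce a mismatch. The enclosing method starts and ends outside the hunk.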