> >             String pass = request.getParam("formPassword");
> > -           if (pass == null || (pass.length() == 
> 0) || !pass.equals(pr.getNode().clientCore.formPassword))
> > -                   return Errors.makeErrorPage(this, "Buh! 
> Invalid form password");
> > +           if(pass != null) {      /* FIXME: is this 
> correct? what if the client just 
> does not specify the password so that its null? */
> > +                   if ((pass.length() ==
> 0) || !pass.equals(pr.getNode().clientCore.formPassword))
> > +                           return 
> Errors.makeErrorPage(this, "Buh! Invalid form password");
> > +           }
> 
> What was wrong with the old code? The new code definitely 
> lets the client through if they don't specify a password.
> >  
> >             String page = 
> request.getPath().substring(PLUGIN_URI.length());
> >             if ((page.length() < 1) || ("/".equals(page)))
> 
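
Review bot: The `if(pass != null)` guard on the added lines makes the form password optional: a request that omits `formPassword` skips the comparison entirely and proceeds, which is the case the FIXME comment itself asks about. The removed lines rejected a null value with `pass == null ||`. Suggest keeping that rejection so a missing password is treated as invalid. If the stricter check then always returns "Invalid form password", as reported in the reply, look at why the submitted value does not match `pr.getNode().clientCore.formPassword` instead of relaxing the check, and resolve the FIXME before committing.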

The old code was actually new code. It was (pass != null) before.
I wondered how this is supposed to password protect, but then when 
changing it to the code which looks like old code in this patch, it
always said "Invalid form password", so I changed it back to
(pass != null).

