[
https://issues.apache.org/jira/browse/WW-5083?focusedWorklogId=464045&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-464045
]
ASF GitHub Bot logged work on WW-5083:
--------------------------------------
Author: ASF GitHub Bot
Created on: 29/Jul/20 07:56
Start Date: 29/Jul/20 07:56
Worklog Time Spent: 10m
Work Description: yasserzamani commented on a change in pull request #428:
URL: https://github.com/apache/struts/pull/428#discussion_r462023263
##########
File path:
core/src/main/java/org/apache/struts2/interceptor/FetchMetadataInterceptor.java
##########
@@ -41,17 +42,19 @@
* filter the requests allowed to be processed.
*
* @see <a
href="https://web.dev/fetch-metadata/";>https://web.dev/fetch-metadata/</a>
+ * @see <a
href="https://www.w3.org/TR/fetch-metadata/";>https://www.w3.org/TR/fetch-metadata/</a>
**/
public class FetchMetadataInterceptor extends AbstractInterceptor {
- private static final Logger logger =
LogManager.getLogger(FetchMetadataInterceptor.class);
- private static final String VARY_HEADER_VALUE = String.format("%s,%s,%s",
SEC_FETCH_DEST_HEADER, SEC_FETCH_SITE_HEADER, SEC_FETCH_MODE_HEADER);
+ private static final Logger LOG =
LogManager.getLogger(FetchMetadataInterceptor.class);
+ private static final String VARY_HEADER_VALUE =
String.format("%s,%s,%s,%s", SEC_FETCH_DEST_HEADER, SEC_FETCH_MODE_HEADER,
SEC_FETCH_SITE_HEADER, SEC_FETCH_USER_HEADER);
private static final String SC_FORBIDDEN =
String.valueOf(HttpServletResponse.SC_FORBIDDEN);
private final Set<String> exemptedPaths = new HashSet<>();
private final ResourceIsolationPolicy resourceIsolationPolicy = new
StrutsResourceIsolationPolicy();
- public void setExemptedPaths(String paths){
+ @Inject (required=false)
Review comment:
will be nice to have a test for injection
##########
File path:
core/src/main/java/org/apache/struts2/interceptor/FetchMetadataInterceptor.java
##########
@@ -73,15 +76,31 @@ public String intercept(ActionInvocation invocation) throws
Exception {
return invocation.invoke();
}
- logger.atDebug().log(
- "Fetch metadata rejected cross-origin request to %s",
- contextPath
- );
+ LOG.debug("Fetch metadata rejected cross-origin request to [{}]",
contextPath);
Review comment:
To improve, I think `.warn` is better.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 464045)
Time Spent: 3h 50m (was: 3h 40m)
> Fetch Metadata support
> ----------------------
>
> Key: WW-5083
> URL: https://issues.apache.org/jira/browse/WW-5083
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
>
> Time Spent: 3h 50m
> Remaining Estimate: 0h
>
> We'd like to add built-in Fetch Metadata support to Struts2 to provide a
> simple security mechanism that developers can use to protect against
> Cross-Site Request Forgery vulnerabilities
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
