Author: b...@google.com
Date: Mon Jun 15 14:00:16 2009
New Revision: 5559

Modified:
    trunk/user/src/com/google/gwt/user/server/rpc/RPC.java
    trunk/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
     
trunk/user/src/com/google/gwt/user/server/rpc/impl/ServerSerializationStreamReader.java

Log:
Add additional RPC sanity checks.

Patch by: meder
Review by: bobv

Modified: trunk/user/src/com/google/gwt/user/server/rpc/RPC.java
==============================================================================
--- trunk/user/src/com/google/gwt/user/server/rpc/RPC.java      (original)
+++ trunk/user/src/com/google/gwt/user/server/rpc/RPC.java      Mon Jun 15  
14:00:16 2009
@@ -269,6 +269,9 @@
        String serviceMethodName = streamReader.readString();

        int paramCount = streamReader.readInt();
+      if (paramCount > streamReader.getNumberOfTokens()) {
+        throw new IncompatibleRemoteServiceException("Invalid number of  
parameters");
+      }
        Class<?>[] parameterTypes = new Class[paramCount];

        for (int i = 0; i < parameterTypes.length; i++) {
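Review bot: A negative paramCount is not rejected by the new `if (paramCount > streamReader.getNumberOfTokens())` guard, so a malformed payload still reaches `new Class[paramCount]` on the next line and fails with a NegativeArraySizeException instead of the IncompatibleRemoteServiceException this commit introduces. The guard should read `if (paramCount < 0 || paramCount > streamReader.getNumberOfTokens())`. Note also that getNumberOfTokens() presumably counts every token in the payload, including those already consumed, so this is a loose upper bound rather than an exact count; that is still enough to bound the array allocation, which appears to be the purpose. decodeRequest's body starts and ends outside the hunk.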

Modified:  
trunk/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
==============================================================================
--- trunk/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java     
 
(original)
+++ trunk/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java     
 
Mon Jun 15 14:00:16 2009
@@ -177,6 +177,9 @@
     */
    public String processCall(String payload) throws SerializationException {
      try {
+      if (getPermutationStrongName() == null) {
+        throw new SecurityException("Blocked request without GWT  
permutation header(XSRF attack?)");
+      }
        RPCRequest rpcRequest = RPC.decodeRequest(payload, this.getClass(),  
this);
        onAfterRequestDeserialized(rpcRequest);
        return RPC.invokeAndEncodeResponse(this, rpcRequest.getMethod(),
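Review bot: The new precondition is undocumented: the Javadoc for processCall closes on the ` */` line just above the signature, but the commit adds no `@throws SecurityException` entry, so subclasses overriding or wrapping processCall will not learn that a request without the permutation header is rejected. Add `@throws SecurityException if the request carries no GWT permutation strong-name header` to that Javadoc. The exception is thrown inside the `try {` block whose catch clauses lie outside the hunk; if one of them catches Throwable or RuntimeException and re-wraps, the rejection would be reported as a generic RPC failure, so confirm it propagates as intended. Minor wording: the message lacks a space before the parenthesis, `"Blocked request without GWT permutation header (XSRF attack?)"`.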

Modified:  
trunk/user/src/com/google/gwt/user/server/rpc/impl/ServerSerializationStreamReader.java
==============================================================================
---  
trunk/user/src/com/google/gwt/user/server/rpc/impl/ServerSerializationStreamReader.java
  
(original)
+++  
trunk/user/src/com/google/gwt/user/server/rpc/impl/ServerSerializationStreamReader.java
  
Mon Jun 15 14:00:16 2009
@@ -373,6 +373,10 @@
      }
    }

+  public int getNumberOfTokens() {
+    return tokenList.size();
+  }
+
    public SerializationPolicy getSerializationPolicy() {
      return serializationPolicy;
    }
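Review bot: The new public method getNumberOfTokens() has no Javadoc, although it sits in the same accessor group as getSerializationPolicy() on a public class; a one-line comment such as `/** Returns the number of tokens in the decoded payload, presumably including tokens already consumed, so callers should treat it as an upper bound. */` would record the contract its only visible caller, the paramCount check in RPC.decodeRequest, relies on. Whether tokenList holds the whole payload or only the unread remainder is not visible in this hunk, so confirm that before settling the wording. The enclosing class continues outside the hunk.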
