Archives/Athou_commafeed
1
0
Fork 1
mirror of https://github.com/Athou/commafeed.git synced 2026-03-21 21:37:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

security fix, reuse session instead of passing the user to the state

Browse Source
This commit is contained in:
Athou
2013-04-15 10:29:12 +02:00
parent 48a53a188b
commit c52fdf9f9f
2 changed files with 2 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/main/java/com/commafeed/frontend/pages/GoogleImportCallbackPage.java
View File

@@ -14,6 +14,7 @@ import com.commafeed.backend.dao.UserDAO;
import com.commafeed.backend.feeds.OPMLImporter; import com.commafeed.backend.feeds.OPMLImporter;
import com.commafeed.backend.model.ApplicationSettings; import com.commafeed.backend.model.ApplicationSettings;
import com.commafeed.backend.services.ApplicationSettingsService; import com.commafeed.backend.services.ApplicationSettingsService;
import com.commafeed.frontend.CommaFeedSession;
import com.commafeed.frontend.utils.WicketUtils; import com.commafeed.frontend.utils.WicketUtils;
import com.commafeed.frontend.utils.exception.DisplayException; import com.commafeed.frontend.utils.exception.DisplayException;
import com.google.api.client.auth.oauth2.AuthorizationCodeResponseUrl; import com.google.api.client.auth.oauth2.AuthorizationCodeResponseUrl;
@@ -89,8 +90,7 @@ public class GoogleImportCallbackPage extends WebPage {
BearerToken.authorizationHeaderAccessMethod().intercept( BearerToken.authorizationHeaderAccessMethod().intercept(
httpRequest, accessToken); httpRequest, accessToken);
String opml = httpRequest.execute().parseAsString(); String opml = httpRequest.execute().parseAsString();
String state = responseUrl.getState(); importer.importOpml(CommaFeedSession.get().getUser(), opml);
importer.importOpml(userDAO.findById(Long.valueOf(state)), opml);
} catch (Exception e) { } catch (Exception e) {
throw new DisplayException(e); throw new DisplayException(e);
} }

3
src/main/java/com/commafeed/frontend/pages/GoogleImportRedirectPage.java
View File

@@ -11,7 +11,6 @@ import org.jboss.logging.Logger;
import com.commafeed.backend.model.ApplicationSettings; import com.commafeed.backend.model.ApplicationSettings;
import com.commafeed.backend.services.ApplicationSettingsService; import com.commafeed.backend.services.ApplicationSettingsService;
import com.commafeed.frontend.CommaFeedSession;
@SuppressWarnings("serial") @SuppressWarnings("serial")
public class GoogleImportRedirectPage extends WebPage { public class GoogleImportRedirectPage extends WebPage {
@@ -40,8 +39,6 @@ public class GoogleImportRedirectPage extends WebPage {
builder.addParameter("scope", SCOPE); builder.addParameter("scope", SCOPE);
builder.addParameter("approval_prompt", "force"); builder.addParameter("approval_prompt", "force");
builder.addParameter("client_id", clientId); builder.addParameter("client_id", clientId);
builder.addParameter("state",
String.valueOf(CommaFeedSession.get().getUser().getId()));
throw new RedirectToUrlException(builder.build().toString()); throw new RedirectToUrlException(builder.build().toString());
} catch (URISyntaxException e) { } catch (URISyntaxException e) {