Feature #7585 » 0002-Log-unexpected-GET-requests-on-Ajax-sessions.patch
| src/web/WebSession.C | ||
}
const std::string *requestE = request.getParameter("request");
bool requestForResource = requestE && *requestE == "resource";
if (requestE && *requestE == "ws" && !request.isWebSocketRequest()) {
| ... | ... | |
* Only handle GET, POST and OPTIONS requests, unless a resource is
* listening.
*/
if (!((requestE && *requestE == "resource")
if (!(requestForResource
|| isEqual(request.requestMethod(), "POST")
|| isEqual(request.requestMethod(), "GET"))) {
handler.response()->setStatus(400); // Bad Request
| ... | ... | |
return;
}
/*
* If ajax session is already established, reject GET with wtd parameter
* matching sessionId_, unless resource request or reloadIsNewSession() is false
*/
if (env_->ajax()
&& isEqual(request.requestMethod(), "GET")
&& !requestForResource
&& conf.reloadIsNewSession()
&& wtdE && *wtdE == sessionId_) {
LOG_SECURE("Unexpected GET request with wtd of existing Ajax session");
serveError(403, handler, "Forbidden");
return;
}
/*
* Under what circumstances do we allow a request which does not have
* a session ID (i.e. who as it only through a cookie?)
| ... | ... | |
}
break; }
case EntryPointType::WidgetSet:
if (requestE && *requestE == "resource") {
if (requestForResource) {
const std::string *resourceE = request.getParameter("resource");
if (resourceE && *resourceE == "blank") {
handler.response()->setContentType("text/html");
| ... | ... | |
}
}
bool requestForResource = requestE && *requestE == "resource";
if (!app_) {
const std::string *resourceE = request.getParameter("resource");
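Review bot: The new 403 path records only a fixed string at the `LOG_SECURE` line, so whoever reads the log cannot tell which client or session triggered the rejection; if `env_` is the `WEnvironment` (it supplies `ajax()` here) and `LOG_SECURE` accepts stream insertions like the other `LOG_` macros, `LOG_SECURE("Unexpected GET request with wtd of existing Ajax session from " << env_->clientAddress());` gives a responder something to correlate with. `wtdE` is tested in the new condition but declared outside this hunk, and the enclosing function starts and ends outside it. The `bool requestForResource` declaration is now relied on in both the earlier case and the `EntryPointType::WidgetSet` case; if it lives at switch scope rather than before the `switch`, the jump to `case EntryPointType::WidgetSet:` would cross its initialization, so confirm it is declared ahead of the switch.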