Fix Wikidata login CSRF issue. Closes #2228.

2019-12-25 11:02:19 +01:00 · 2019-12-25 11:02:19 +01:00 · fe57897e8e
commit fe57897e8e
parent 4edbd40b6a
2 changed files with 12 additions and 2 deletions
--- a/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
+++ b/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
@ -45,7 +45,11 @@ public class LoginCommand extends Command {
    		respondCSRFError(response);
    		return;
    	}
-    	
+    	respond(request, response);
+    }
+    
+    protected void respond(HttpServletRequest request, HttpServletResponse response)
+    	throws ServletException, IOException {
        String username = request.getParameter("wb-username");
        String password = request.getParameter("wb-password");
        String remember = request.getParameter("remember-credentials");
@ -74,6 +78,6 @@ public class LoginCommand extends Command {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
-        doPost(request, response);
+        respond(request, response);
    }
 }
--- a/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
+++ b/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
@ -34,4 +34,10 @@ public class LoginCommandTest extends CommandTest {
    	command.doPost(request, response);
    	TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
    }
+    
+    @Test
+    public void testGetNotCsrfProtected() throws ServletException, IOException {
+    	command.doGet(request, response);
+    	TestUtils.assertEqualAsJson("{\"logged_in\":false,\"username\":null}", writer.toString());
+    }
 }