Fix Wikidata login CSRF issue. Closes #2228.

Antonin Delpeuch 2019-12-25 11:02:19 +01:00
parent 4edbd40b6a
commit fe57897e8e
2 changed files with 12 additions and 2 deletions


@ -45,7 +45,11 @@ public class LoginCommand extends Command {
respondCSRFError(response);
return;
}
respond(request, response);
}
protected void respond(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String username = request.getParameter("wb-username");
String password = request.getParameter("wb-password");
String remember = request.getParameter("remember-credentials");
@ -74,6 +78,6 @@ public class LoginCommand extends Command {
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
respond(request, response);
}
}
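Review bot: doGet now reaches respond() with no CSRF check, yet respond() still reads `wb-username` and `wb-password` from the request, so the credential-handling path appears to remain reachable by a plain GET, the request type a third-party page can trigger most easily. Unless the part of respond() outside this hunk ignores those parameters for GET, the login itself should stay behind the token check in doPost and the GET path should only report the current state. A minimal guard is to read the credentials only when `"POST".equals(request.getMethod())`, or to keep the parameter handling in doPost and leave respond() as the status writer. Accepting a password on GET also puts it in the query string, where access logs and browser history usually record it.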


@ -34,4 +34,10 @@ public class LoginCommandTest extends CommandTest {
command.doPost(request, response);
TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
}
@Test
public void testGetNotCsrfProtected() throws ServletException, IOException {
command.doGet(request, response);
TestUtils.assertEqualAsJson("{\"logged_in\":false,\"username\":null}", writer.toString());
}
}
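Review bot: testGetNotCsrfProtected only covers a GET with no parameters, so it does not pin what happens when a token-less GET carries `wb-username` and `wb-password`. A companion case, for instance `testGetIgnoresCredentials`, that sets both parameters on the request and still expects `{"logged_in":false,"username":null}` would document that the unprotected path cannot change the login state. How the request is populated depends on CommandTest, which is not shown on this page.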