Fix csrf token with multipart upload

Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
Andrew DeMaria 8 years ago
parent 589909b906
commit e3d2dc292f
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 2
      libresonic-main/src/main/java/org/libresonic/player/boot/Application.java
  2. 7
      libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java
  3. 17
      libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java
  4. 2
      libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java
  5. 3
      libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp
  6. 3
      libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp
  7. 3
      libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp

@ -11,6 +11,7 @@ import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerA
import org.springframework.boot.autoconfigure.jdbc.JdbcTemplateAutoConfiguration;
import org.springframework.boot.autoconfigure.jmx.JmxAutoConfiguration;
import org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration;
import org.springframework.boot.autoconfigure.web.MultipartAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
@ -32,6 +33,7 @@ import java.lang.reflect.Method;
JdbcTemplateAutoConfiguration.class,
DataSourceAutoConfiguration.class,
DataSourceTransactionManagerAutoConfiguration.class,
MultipartAutoConfiguration.class, // TODO: update to use spring boot builtin multipart support
LiquibaseAutoConfiguration.class})
@Configuration
@ImportResource(value = {"classpath:/applicationContext-service.xml",
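Review bot: The new exclusion of `MultipartAutoConfiguration` carries a TODO but no reason, and the reason is the whole point of this commit: presumably the controllers parse uploads themselves with commons-fileupload (`ServletFileUpload` is imported in AvatarUploadController), so Spring's multipart resolver must not consume the request body first, and as a consequence the CSRF filter cannot read the token from a multipart field, which is why the JSPs now put it on the query string. I would replace the bare TODO with `// Excluded: uploads are parsed by commons-fileupload in the controllers, so Spring's MultipartResolver must not read the body first; this is also why the CSRF token is passed on the query string. TODO: migrate to Spring Boot multipart support (MultipartFilter ahead of the security filter) so the token can return to the form body.` The `@SpringBootApplication(exclude = ...)` annotation this line belongs to starts outside the hunk, so verify the comment placement there.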

@ -24,7 +24,7 @@ import org.apache.commons.fileupload.FileItemFactory;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.libresonic.player.Logger;
import org.libresonic.player.domain.Avatar;
import org.libresonic.player.service.SecurityService;
@ -38,7 +38,6 @@ import org.springframework.web.servlet.ModelAndView;
import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
@ -66,8 +65,8 @@ public class AvatarUploadController {
@Autowired
private SecurityService securityService;
@RequestMapping(method = RequestMethod.GET)
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
@RequestMapping(method = RequestMethod.POST)
protected ModelAndView handleRequestInternal(HttpServletRequest request) throws Exception {
String username = securityService.getCurrentUsername(request);
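Review bot: The handler is now POST-only but keeps the legacy name `handleRequestInternal`, while the same commit names the equivalent POST handler in ImportPlaylistController `handlePost`; renaming to `protected ModelAndView handlePost(HttpServletRequest request) throws Exception {` keeps the two controllers consistent and makes the method's role visible at the call site. Restricting the upload to POST is the right move, since a state-changing upload reachable by GET would have bypassed CSRF protection. A one-line Javadoc stating that the multipart body is parsed by commons-fileupload and that the CSRF token is therefore expected on the query string would save the next reader a trip to the JSP. The method body continues outside the hunk.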

@ -32,10 +32,9 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.List;
@ -55,8 +54,10 @@ public class ImportPlaylistController {
@Autowired
private PlaylistService playlistService;
@RequestMapping(method = RequestMethod.GET)
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
@RequestMapping(method = RequestMethod.POST)
protected String handlePost(RedirectAttributes redirectAttributes,
HttpServletRequest request
) throws Exception {
Map<String, Object> map = new HashMap<String, Object>();
try {
@ -85,7 +86,13 @@ public class ImportPlaylistController {
map.put("error", e.getMessage());
}
return new ModelAndView("importPlaylist","model",map);
redirectAttributes.addFlashAttribute("model", map);
return "redirect:importPlaylist";
}
@RequestMapping(method = RequestMethod.GET)
public String handleGet() {
return "importPlaylist";
}
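Review bot: The new redirect target `redirect:importPlaylist` is relative and drops the `.view` suffix that the JSP form posts to (`importPlaylist.view`); if the controller's class-level mapping is on `/importPlaylist.view` (not visible in this hunk), the redirect would miss the new `handleGet` mapping, so `return "redirect:importPlaylist.view";` would be the unambiguous form — please verify against the mapping. `handleGet` also has no Javadoc; a short one noting that the view reads the `model` flash attribute set by `handlePost`, and that the attribute is absent on a direct GET so the JSP must tolerate a missing model, would document the contract. The `handlePost` body starts outside this hunk (the `try` opens before it), so the error path that fills `map` is only partially visible here.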

@ -70,7 +70,7 @@ public class UploadController {
private SettingsService settingsService;
public static final String UPLOAD_STATUS = "uploadStatus";
@RequestMapping(method = RequestMethod.GET)
@RequestMapping(method = { RequestMethod.POST })
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
Map<String, Object> map = new HashMap<>();
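Review bot: The new mapping is written as `method = { RequestMethod.POST }` while the other two controllers changed in this commit use `method = RequestMethod.POST` without the array braces; `@RequestMapping(method = RequestMethod.POST)` would keep the style uniform. As with AvatarUploadController, the handler is now POST-only but still carries the legacy name `handleRequestInternal`, so a rename to `handlePost` would match ImportPlaylistController. The method body continues outside the hunk.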

@ -29,8 +29,7 @@
<div style="padding-bottom: 0.25em">
<fmt:message key="importPlaylist.text"/>
</div>
<form method="post" enctype="multipart/form-data" action="importPlaylist.view">
<sec:csrfInput />
<form method="post" enctype="multipart/form-data" action="importPlaylist.view?${_csrf.parameterName}=${_csrf.token}">
<input type="file" id="file" name="file" size="40"/>
<input type="submit" value="<fmt:message key="common.ok"/>"/>
</form>
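Review bot: Moving the CSRF token from the `<sec:csrfInput />` hidden field to the form action's query string (`?${_csrf.parameterName}=${_csrf.token}`) makes the token part of the URL, where it is written to access and proxy logs and can leak through the `Referer` header of any resource loaded by the following page; the same change is made in more.jsp and personalSettings.jsp. This is the fallback Spring Security documents for multipart forms when the body cannot be read before the security filter, so it is acceptable here, but it deserves a comment such as `<%-- CSRF token on the query string: the multipart body is parsed by the controller, so the security filter cannot read a hidden field --%>` so nobody "fixes" it back to a hidden field. The longer-term remedy, already hinted at by the TODO in Application.java, is to register Spring's `MultipartFilter` ahead of the security filter chain so the token can return to the form body; until then, make sure the query string is not captured in request logging and that a restrictive `Referrer-Policy` header is sent on these pages.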

@ -300,8 +300,7 @@
<span style="vertical-align: middle"><fmt:message key="more.upload.title"/></span>
</h2>
<form method="post" enctype="multipart/form-data" action="upload.view">
<sec:csrfInput />
<form method="post" enctype="multipart/form-data" action="upload.view?${_csrf.parameterName}=${_csrf.token}">
<table>
<tr>
<td><fmt:message key="more.upload.source"/></td>

@ -242,8 +242,7 @@
</p>
</form:form>
<form method="post" enctype="multipart/form-data" action="avatarUpload.view">
<sec:csrfInput />
<form method="post" enctype="multipart/form-data" action="avatarUpload.view?${_csrf.parameterName}=${_csrf.token}">
<table>
<tr>
<td style="padding-right:1em"><fmt:message key="personalsettings.avatar.changecustom"/></td>
