MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix csrf token with multipart upload

Browse Source 
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
Andrew DeMaria 8 years ago
parent 589909b906
commit e3d2dc292f
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
7 changed files with 21 additions and 16 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      libresonic-main/src/main/java/org/libresonic/player/boot/Application.java
  2. 7
      libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java
  3. 17
      libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java
  4. 2
      libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java
  5. 3
      libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp
  6. 3
      libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp
  7. 3
      libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp

2
libresonic-main/src/main/java/org/libresonic/player/boot/Application.java
Unescape View File

@ -11,6 +11,7 @@ import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerA
import org.springframework.boot.autoconfigure.jdbc.JdbcTemplateAutoConfiguration;
import org.springframework.boot.autoconfigure.jmx.JmxAutoConfiguration;
import org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration;
import org.springframework.boot.autoconfigure.web.MultipartAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
@ -32,6 +33,7 @@ import java.lang.reflect.Method;
JdbcTemplateAutoConfiguration.class,
DataSourceAutoConfiguration.class,
DataSourceTransactionManagerAutoConfiguration.class,
MultipartAutoConfiguration.class, // TODO: update to use spring boot builtin multipart support
LiquibaseAutoConfiguration.class})
@Configuration
@ImportResource(value = {"classpath:/applicationContext-service.xml",

7
libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java
Unescape View File

@ -24,7 +24,7 @@ import org.apache.commons.fileupload.FileItemFactory;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.libresonic.player.Logger;
import org.libresonic.player.domain.Avatar;
import org.libresonic.player.service.SecurityService;
@ -38,7 +38,6 @@ import org.springframework.web.servlet.ModelAndView;
import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
@ -66,8 +65,8 @@ public class AvatarUploadController {
@Autowired
private SecurityService securityService;
@RequestMapping(method = RequestMethod.GET)
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
@RequestMapping(method = RequestMethod.POST)
protected ModelAndView handleRequestInternal(HttpServletRequest request) throws Exception {
String username = securityService.getCurrentUsername(request);

17
libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java
Unescape View File

@ -32,10 +32,9 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.List;
@ -55,8 +54,10 @@ public class ImportPlaylistController {
@Autowired
private PlaylistService playlistService;
@RequestMapping(method = RequestMethod.GET)
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
@RequestMapping(method = RequestMethod.POST)
protected String handlePost(RedirectAttributes redirectAttributes,
HttpServletRequest request
) throws Exception {
Map<String, Object> map = new HashMap<String, Object>();
try {
@ -85,7 +86,13 @@ public class ImportPlaylistController {
map.put("error", e.getMessage());
}
return new ModelAndView("importPlaylist","model",map);
redirectAttributes.addFlashAttribute("model", map);
return "redirect:importPlaylist";
}
@RequestMapping(method = RequestMethod.GET)
public String handleGet() {
return "importPlaylist";
}

2
libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java
Unescape View File

@ -70,7 +70,7 @@ public class UploadController {
private SettingsService settingsService;
public static final String UPLOAD_STATUS = "uploadStatus";
@RequestMapping(method = RequestMethod.GET)
@RequestMapping(method = { RequestMethod.POST })
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
Map<String, Object> map = new HashMap<>();

3
libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp
Unescape View File

@ -29,8 +29,7 @@
<div style="padding-bottom: 0.25em">
<fmt:message key="importPlaylist.text"/>
</div>
<form method="post" enctype="multipart/form-data" action="importPlaylist.view">
<sec:csrfInput />
<form method="post" enctype="multipart/form-data" action="importPlaylist.view?${_csrf.parameterName}=${_csrf.token}">
<input type="file" id="file" name="file" size="40"/>
<input type="submit" value="<fmt:message key="common.ok"/>"/>
</form>

3
libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp
Unescape View File

@ -300,8 +300,7 @@
<span style="vertical-align: middle"><fmt:message key="more.upload.title"/></span>
</h2>
<form method="post" enctype="multipart/form-data" action="upload.view">
<sec:csrfInput />
<form method="post" enctype="multipart/form-data" action="upload.view?${_csrf.parameterName}=${_csrf.token}">
<table>
<tr>
<td><fmt:message key="more.upload.source"/></td>

3
libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp
Unescape View File

@ -242,8 +242,7 @@
</p>
</form:form>
<form method="post" enctype="multipart/form-data" action="avatarUpload.view">
<sec:csrfInput />
<form method="post" enctype="multipart/form-data" action="avatarUpload.view?${_csrf.parameterName}=${_csrf.token}">
<table>
<tr>
<td style="padding-right:1em"><fmt:message key="personalsettings.avatar.changecustom"/></td>

Write Preview
Loading…
Cancel
Save