From e3d2dc292fd7eb044c69ac3ccaf9d436e69a498f Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Sat, 15 Apr 2017 16:38:33 -0600
Subject: [PATCH] Fix csrf token with multipart upload
Signed-off-by: Andrew DeMaria
---
 .../org/libresonic/player/boot/Application.java | 2 ++
 .../controller/AvatarUploadController.java | 7 +++----
 .../controller/ImportPlaylistController.java | 17 ++++++++++++-----
 .../player/controller/UploadController.java | 2 +-
 .../main/webapp/WEB-INF/jsp/importPlaylist.jsp | 3 +--
 .../src/main/webapp/WEB-INF/jsp/more.jsp | 3 +--
 .../webapp/WEB-INF/jsp/personalSettings.jsp | 3 +--
 7 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/libresonic-main/src/main/java/org/libresonic/player/boot/Application.java b/libresonic-main/src/main/java/org/libresonic/player/boot/Application.java
index 4e82c11a..274c3595 100644
--- a/libresonic-main/src/main/java/org/libresonic/player/boot/Application.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/boot/Application.java
@@ -11,6 +11,7 @@ import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerA
 import org.springframework.boot.autoconfigure.jdbc.JdbcTemplateAutoConfiguration;
 import org.springframework.boot.autoconfigure.jmx.JmxAutoConfiguration;
 import org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.MultipartAutoConfiguration;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
 import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
@@ -32,6 +33,7 @@ import java.lang.reflect.Method;
 JdbcTemplateAutoConfiguration.class,
 DataSourceAutoConfiguration.class,
 DataSourceTransactionManagerAutoConfiguration.class,
+ MultipartAutoConfiguration.class, // TODO: update to use spring boot builtin multipart support
 LiquibaseAutoConfiguration.class})
 @Configuration
 @ImportResource(value = {"classpath:/applicationContext-service.xml",
diff --git a/libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java b/libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java
index 1ab390c6..d33a2bb5 100644
--- a/libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/controller/AvatarUploadController.java
@@ -24,7 +24,7 @@ import org.apache.commons.fileupload.FileItemFactory;
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.libresonic.player.Logger;
 import org.libresonic.player.domain.Avatar;
 import org.libresonic.player.service.SecurityService;
@@ -38,7 +38,6 @@ import org.springframework.web.servlet.ModelAndView;
 import javax.imageio.ImageIO;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.awt.image.BufferedImage;
 import java.io.ByteArrayInputStream;
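Review bot: The TODO on the `MultipartAutoConfiguration.class` exclusion does not say why the exclusion matters for CSRF, which is the security-relevant part. Without a multipart resolver or `MultipartFilter` running ahead of the Spring Security chain, `CsrfFilter` cannot read a `_csrf` field from a multipart body, so the upload forms presumably send the token in the action URL (the JSP hunks are not legible on this page, so this is inferred). A token in the query string can end up in access logs, browser history and Referer headers. I would make the comment say so, e.g. `// TODO: switch to Spring Boot multipart support so the CSRF token can move out of the form action URL`, and track it as a follow-up.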
@@ -66,8 +65,8 @@ public class AvatarUploadController {
 @Autowired
 private SecurityService securityService;
- @RequestMapping(method = RequestMethod.GET)
- protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
+ @RequestMapping(method = RequestMethod.POST)
+ protected ModelAndView handleRequestInternal(HttpServletRequest request) throws Exception {
 String username = securityService.getCurrentUsername(request);
diff --git a/libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java b/libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java
index 95b7480b..29b8903b 100644
--- a/libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/controller/ImportPlaylistController.java
@@ -32,10 +32,9 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.List;
@@ -55,8 +54,10 @@ public class ImportPlaylistController {
 @Autowired
 private PlaylistService playlistService;
- @RequestMapping(method = RequestMethod.GET)
- protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
+ @RequestMapping(method = RequestMethod.POST)
+ protected String handlePost(RedirectAttributes redirectAttributes,
+ HttpServletRequest request
+ ) throws Exception {
 Map map = new HashMap();
 try {
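Review bot: `handleRequestInternal` has no comment saying that the POST-only mapping is what keeps this upload under CSRF protection; Spring Security's default matcher skips GET, HEAD, TRACE and OPTIONS, so widening the mapping later would silently remove the check. A short Javadoc would do, e.g. `/** Handles the avatar upload. Keep POST-only: the CSRF filter does not check GET requests. */`. The same comment fits `ImportPlaylistController.handlePost` and the `UploadController` handler. The method body continues outside the hunk.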
@@ -85,7 +86,13 @@ public class ImportPlaylistController {
 map.put("error", e.getMessage());
 }
- return new ModelAndView("importPlaylist","model",map);
+ redirectAttributes.addFlashAttribute("model", map);
+ return "redirect:importPlaylist";
+ }
+
+ @RequestMapping(method = RequestMethod.GET)
+ public String handleGet() {
+ return "importPlaylist";
 }
diff --git a/libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java b/libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java
index 924c7ad9..597e2abe 100644
--- a/libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/controller/UploadController.java
@@ -70,7 +70,7 @@ public class UploadController {
 private SettingsService settingsService;
 public static final String UPLOAD_STATUS = "uploadStatus";
- @RequestMapping(method = RequestMethod.GET)
+ @RequestMapping(method = { RequestMethod.POST })
 protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
 Map map = new HashMap<>();
diff --git a/libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp b/libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp
index 419f8bbe..ece723d8 100644
--- a/libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp
+++ b/libresonic-main/src/main/webapp/WEB-INF/jsp/importPlaylist.jsp
@@ -29,8 +29,7 @@
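Review bot: The `error` entry that now travels in the flash `model` map is the raw `e.getMessage()` from whatever the try block (which starts outside the hunk) threw while handling the uploaded playlist, so its text may be influenced by the uploaded file and may include server-side paths. importPlaylist.jsp is not legible on this page, so confirm it renders `model.error` through `<c:out>` or `fn:escapeXml`, and consider logging the exception and putting a fixed message in the map instead. Separately, `handleGet` is `public` while `handlePost` is `protected`; pick one visibility for both handlers.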
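Review bot: `@RequestMapping(method = { RequestMethod.POST })` is written as a one-element array here, while the other two controllers in this patch use `method = RequestMethod.POST`; use the same form, `@RequestMapping(method = RequestMethod.POST)`. This handler also keeps its `HttpServletResponse response` parameter where the other two dropped theirs; the body continues outside the hunk, so whether it is still used cannot be seen here.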
-
- + "/> diff --git a/libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp b/libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp index 69e614e5..93a9b7d9 100644 --- a/libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp +++ b/libresonic-main/src/main/webapp/WEB-INF/jsp/more.jsp @@ -300,8 +300,7 @@ -
- + diff --git a/libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp b/libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp index 75b2d4bc..e6c6ddde 100644 --- a/libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp +++ b/libresonic-main/src/main/webapp/WEB-INF/jsp/personalSettings.jsp @@ -242,8 +242,7 @@

- - +