projects / tomcat7.0 / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b28b4cd)
Improve CSRF protection filter by using SecureRandom rather than Random
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 10 Jul 2010 16:10:33 +0000 (16:10 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 10 Jul 2010 16:10:33 +0000 (16:10 +0000)
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@962865 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/filters/CsrfPreventionFilter.java patch | blob | history
webapps/docs/changelog.xml patch | blob | history

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 73dffe5..471324d 100644 (file)
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -18,6 +18,7 @@
 package org.apache.catalina.filters;
 
 import java.io.IOException;
+import java.security.SecureRandom;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -50,7 +51,7 @@ public class CsrfPreventionFilter extends FilterBase {
     private static final Log log =
         LogFactory.getLog(CsrfPreventionFilter.class);
     
-    private final Random randomSource = new Random();
+    private final Random randomSource = new SecureRandom();
 
     private final Set<String> entryPoints = new HashSet<String>();
     
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5dc5e10..f68d887 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,10 @@
         Include session ID in error message logged when trying to set an
         attribute on an invalid session. (markt)
       </add>
+      <fix>
+        Improve the CSRF protection filter by using SecureRandom rather than
+        Random to generate nonces. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
Unnamed repository; edit this file to name it for gitweb.