From 0e2641f53aebe7cb0e796b5374af72767a8996c4 Mon Sep 17 00:00:00 2001
From: markt
Date: Sat, 10 Jul 2010 16:10:33 +0000
Subject: [PATCH] Improve CSRF protection filter by using SecureRandom rather than Random
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@962865 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 3 ++-
 webapps/docs/changelog.xml | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 73dffe5c1..471324dfc 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -18,6 +18,7 @@ package org.apache.catalina.filters;
 import java.io.IOException;
+import java.security.SecureRandom;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -50,7 +51,7 @@ public class CsrfPreventionFilter extends FilterBase {
 private static final Log log = LogFactory.getLog(CsrfPreventionFilter.class);
- private final Random randomSource = new Random();
+ private final Random randomSource = new SecureRandom();
 private final Set entryPoints = new HashSet();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5dc5e1052..f68d8871e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,10 @@ Include session ID in error message logged when trying to set an attribute on an invalid session. (markt) + + Improve the CSRF protection filter by using SecureRandom rather than Random to generate nonces. (markt) +
--
2.11.0
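Review bot: The field in the second CsrfPreventionFilter hunk stays declared as `Random`, so the move to `SecureRandom` is visible only in the initializer and a later edit could put `new Random()` back without any compiler push-back; declaring it as `private final SecureRandom randomSource = new SecureRandom();` pins the intent, and a one-line comment such as `// CSRF nonces must be unpredictable to a third party; never downgrade to java.util.Random` records why. The `java.util.Random` import that the declaration currently relies on is outside both hunks, so I cannot tell whether narrowing the field type would leave it unused. The code that actually draws the nonce from `randomSource` (how many bits, how it is encoded) is also outside the hunks, so this review cannot confirm that the nonce length is adequate. `new SecureRandom()` selects the platform default algorithm, which is acceptable here but worth a sentence in the filter's documentation if a specific provider is expected.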