From 83aaccae5021b9e6a8163d2dfd72ae3a12bc4ab0 Mon Sep 17 00:00:00 2001
From: senju
Date: Sun, 23 Aug 2009 18:26:56 +0900
Subject: [PATCH] =?utf8?q?CSRF=E3=82=A4=E3=83=B3=E3=82=BF=E3=83=BC?=
 =?utf8?q?=E3=82=BB=E3=83=97=E3=82=BF=E3=83=BC=E3=82=92=E3=83=9E=E3=82=B7?=
 =?utf8?q?=E3=81=AB=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
期限チェックを実装し、タブブラウザ等に対応。
---
 .../rabbitBTS/interceptors/CSRFInterceptor.java | 85 +++++++++++++++++-----
 war/WEB-INF/rabbitBTS-servlet.xml | 4 +-
 2 files changed, 71 insertions(+), 18 deletions(-)
diff --git a/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java b/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
index 439ac03..42add8f 100644
--- a/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
+++ b/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
@@ -17,9 +17,11 @@
 package jp.sourceforge.rabbitBTS.interceptors;
+import java.util.ArrayList;
 import java.util.Date;
-import java.util.LinkedList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -36,6 +38,7 @@ import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 * CSRF対策用インターセプター
 */
 public class CSRFInterceptor extends HandlerInterceptorAdapter {
+ private int expireInSecond;
 /**
 * POSTの場合チェック処理
@@ -84,17 +87,29 @@ public class CSRFInterceptor extends HandlerInterceptorAdapter {
 }
 }
+ /**
+ * チェック用クラス
+ */
 class CsrfChecker {
 private final HttpServletRequest req;
- private List tokenList;
+ private Map tokens;
+ /**
+ * コンストラクタ
+ *
+ *

+ * セッションにトークンのリストが存在しない場合、新規に作成しセッションに保存する。
+ *
+ * @param request
+ */
+ @SuppressWarnings("unchecked")
 public CsrfChecker(HttpServletRequest request) {
 this.req = request;
- this.tokenList = (List) request.getSession().getAttribute(
- "tokenList");
- if (this.tokenList == null) {
- this.tokenList = new LinkedList();
- request.getSession().setAttribute("tokenList", this.tokenList);
+ this.tokens = (Map) request.getSession()
+ .getAttribute("tokens");
+ if (this.tokens == null) {
+ this.tokens = new HashMap();
+ request.getSession().setAttribute("tokens", this.tokens);
 }
 }
 
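Review bot: The map stored with `request.getSession().setAttribute("tokens", this.tokens)` is a plain `HashMap` shared by every request of the session, and the tabbed-browser case this commit targets is exactly the one where two requests of a single session run at the same time; a `saveNewToken()` put racing with the `keySet()` iteration in `checkTokenValid()` (next hunk) can throw `ConcurrentModificationException` or leave the map inconsistent. Wrapping it as `Collections.synchronizedMap(new HashMap())` and synchronizing on the map around the purge loop removes the race; a `ConcurrentHashMap` would also work but rejects null keys, so `containsKey(reqToken)` would then need a null guard for a missing parameter. The constructor Javadoc still says セッションにトークンのリスト (a list) although the attribute is now a map; `セッションにトークンのマップが存在しない場合` keeps it accurate. The `@SuppressWarnings("unchecked")` is there only for the cast of the session attribute; a comment such as `// attribute is only ever written by this class, so the cast is safe` records why it is acceptable.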
@@ -105,26 +120,62 @@ public class CSRFInterceptor extends HandlerInterceptorAdapter {
 */
 public String saveNewToken() {
 final String token = RandomStringUtils.randomAlphanumeric(128);
- this.tokenList.add(token);
- this.tokenList.add(new Date());
-
 return token;
 }
+ /**
+ * チェックを行う
+ *
+ * @return 正しいパラメータが送信された場合true
+ */
 public boolean checkTokenValid() {
 final String reqToken = this.req.getParameter("secureToken");
+ final Date datenow = new Date();
+ // トークンチェック
 boolean found = false;
- for (int i = 0; i < this.tokenList.size(); i += 2) {
- final String token = (String) this.tokenList.get(i);
- if (token.equals(reqToken)) {
- // TODO:期限チェック
- found = true;
- break;
+ if (this.tokens.containsKey(reqToken)) {
+ found = checkExpire(datenow, this.tokens.get(reqToken));
+ }
+
+ // 削除チェック
+ if (this.tokens.size() > 30) {
+ final List removeList = new ArrayList();
+ for (final String token : this.tokens.keySet()) {
+ final Date created = this.tokens.get(token);
+ if (!this.checkExpire(datenow, created)) {
+ // 期限切れの場合
+ removeList.add(token);
+ Sht.log(this).finer("delete token: " + token);
+ }
+ }
+ for (final String token : removeList) {
+ this.tokens.remove(token);
 }
 }
- // TODO:期限切れ削除
+
 return found;
 }
+
+ /**
+ * 期限切れかチェックする。
+ *
+ * @param datenow
+ * @param created
+ * @return 期限以内の場合true
+ */
+ private boolean checkExpire(Date datenow, Date created) {
+ final long ageInMils = datenow.getTime() - created.getTime();
+ return ageInMils / 1000 < CSRFInterceptor.this.expireInSecond;
+ }
+ }
+
+ /**
+ * @param expireInSecond
+ * the expireInSecond to set
+ */
+ public void setExpireInSecond(int expireInMinute) {
+ this.expireInSecond = expireInMinute;
 }
 }
diff --git a/war/WEB-INF/rabbitBTS-servlet.xml b/war/WEB-INF/rabbitBTS-servlet.xml
index 2baa492..0bba5d5 100644
--- a/war/WEB-INF/rabbitBTS-servlet.xml
+++ b/war/WEB-INF/rabbitBTS-servlet.xml
@@ -35,7 +35,9 @@ + id="csrf"> + + -- 2.11.0
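Review bot: `setExpireInSecond(int expireInMinute)` names its parameter in minutes while the field and the Javadoc `@param expireInSecond` speak of seconds, so the Javadoc does not match the signature and a configurer cannot tell which unit is meant; rename it `public void setExpireInSecond(int expireInSecond) { this.expireInSecond = expireInSecond; }`. Because the field added in the earlier hunk has no default, an unset property leaves it at 0 and `checkExpire` then evaluates `ageInMils / 1000 < 0`, rejecting every token — fail-closed, but a silent misconfiguration that deserves a non-zero default or an argument check in the setter. The purge under `if (this.tokens.size() > 30)` runs only inside `checkTokenValid()`, so a session that keeps rendering forms (each `saveNewToken()` call adds a 128-character key plus a `Date`) without ever posting grows the map without bound; extracting the loop into a `private void purgeExpired(Date datenow)` called from both methods closes that gap. `Sht.log(this).finer("delete token: " + token)` writes token values into the log; logging the number of removed tokens instead keeps secrets out of log files. `checkExpire` returns true while the token is still within its lifetime, which its name contradicts; `isWithinExpiry` would read correctly at both call sites.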