author | Chris Goldthorpe | 2010-03-23 20:59:50 +0000 |
committer | Chris Goldthorpe | 2010-03-23 20:59:50 +0000 |
commit | a1c59735faa6e6187c3b49fe0a5248fcaffc926d (patch) | |
tree | fcdee71dd2e497bc784cd004fb6c6c3f01d80b41 /org.eclipse.help.webapp | |
parent | 1b757d595aa01a519e153f880c7ee59454cbc0bd (diff) | |
download | eclipse.platform.ua-a1c59735faa6e6187c3b49fe0a5248fcaffc926d.tar.gz eclipse.platform.ua-a1c59735faa6e6187c3b49fe0a5248fcaffc926d.tar.xz eclipse.platform.ua-a1c59735faa6e6187c3b49fe0a5248fcaffc926d.zip |
Bug 306455 - [Webapp] Security of scope name in cookie
Diffstat (limited to 'org.eclipse.help.webapp')
-rw-r--r-- | org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/RequestScope.java | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/RequestScope.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/RequestScope.java
index 166d9578b..3da9952fa 100644
--- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/RequestScope.java
+++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/RequestScope.java
@@ -116,19 +116,20 @@ public class RequestScope {
 public static void setScopeFromRequest(HttpServletRequest request, HttpServletResponse response) {
 // See if there is a scope parameter, if so save as cookie or preference
 String[] scope = request.getParameterValues(SCOPE_PARAMETER_NAME);
- String scopeString = null;
+ String scopeString = ""; //$NON-NLS-1$
 // save scope (in session cookie) for later use in a user session
 // If there are multiple values separate them with a '/'
 if (scope != null) {
- scopeString = scope[0];
- for (int s = 1; s < scope.length; s++) {
- scopeString += '/';
- scopeString += scope[s];
+ for (int s = 0; s < scope.length; s++) {
+ if (ScopeRegistry.getInstance().getScope(scope[s]) != null) {
+ if (scopeString.length() > 0) {
+ scopeString += '/';
+ }
+ scopeString += scope[s];
+ }
 }
- saveScope(scopeString, response);
- } else {
- saveScope("", response); //$NON-NLS-1$
 }
+ saveScope(scopeString, response);
 }
 
 public static void saveScope(String scope, HttpServletResponse response) { |
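Review bot: The `ScopeRegistry.getInstance().getScope(scope[s]) != null` test inside the new loop is the whole of the security fix — it is what keeps an arbitrary request-supplied value out of the cookie — yet nothing in the hunk says so, and the comment two lines above still reads as if every parameter value is saved; I would state the intent next to the check, e.g. `// Only names known to the ScopeRegistry are persisted; any other value in the request is dropped before it reaches the cookie (Bug 306455)`. As a point of style, the registry lookup is repeated on every iteration and the result is assembled with `+=` in a loop, so I would hoist the instance and build the string with a StringBuilder (or StringBuffer if this bundle still targets an older runtime), as sketched below. One consequence worth noting in the comment is that a request whose scope values are all unknown now resets the stored scope to `""`, which appears intentional since that was already the behaviour for an absent parameter. The body of `saveScope`, which actually writes the cookie, starts at the end of the hunk and is outside this view, so whether the cookie value itself is further encoded cannot be judged here.
```java
		String[] scope = request.getParameterValues(SCOPE_PARAMETER_NAME);
		// Only names known to the ScopeRegistry are persisted; any other value in
		// the request is dropped before it reaches the cookie (Bug 306455).
		StringBuilder scopeString = new StringBuilder();
		if (scope != null) {
			ScopeRegistry registry = ScopeRegistry.getInstance();
			for (int s = 0; s < scope.length; s++) {
				if (registry.getScope(scope[s]) != null) {
					if (scopeString.length() > 0) {
						scopeString.append('/');
					}
					scopeString.append(scope[s]);
				}
			}
		}
		saveScope(scopeString.toString(), response);
```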