This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 32a71c9 Improved: Clean how HTTP vs HTTPS is handled 32a71c9 is described below commit 32a71c9af4a8fee8183ddee7eb4599e8854ce32b Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed May 20 13:01:22 2020 +0200 Improved: Clean how HTTP vs HTTPS is handled (OFBIZ-11717) No functional changes, just better comments --- .../java/org/apache/ofbiz/webapp/control/RequestHandler.java | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index b17a55b..d9a5251 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -323,12 +323,14 @@ public class RequestHandler {
 // Check if we SHOULD be secure and are not.
 boolean forwardedHTTPS = "HTTPS".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
 if (!request.isSecure() && !forwardedHTTPS && requestMap.securityHttps) {
- // If the request method was POST then return an error to avoid problems with XSRF where the request may have come from another machine/program and had the same session ID but was not encrypted as it should have been (we used to let it pass to not lose data since it was too late to protect that data anyway)
+ // If the request method was POST then return an error to avoid problems with CSRF where the request
+ // may have come from another machine/program and had the same session ID but was not encrypted as it
+ // should have been (we used to let it pass to not lose data since it was too late to protect that data anyway)
 if ("POST".equalsIgnoreCase(request.getMethod())) {
- // we can't redirect with the body parameters, and for better security from XSRF, just return an error message
+ // we can't redirect with the body parameters, and for better security from CSRF, just return an error message
 Locale locale = UtilHttp.getLocale(request);
 String errMsg = UtilProperties.getMessage("WebappUiLabels", "requestHandler.InsecureFormPostToSecureRequest", locale);
- Debug.logError("Got a insecure (non-https) form POST to a secure (http) request [" + requestMap.uri + "], returning error", MODULE);
+ Debug.logError("Got an insecure (non HTTPS) form POST to a secure (HTTPS) request [" + requestMap.uri + "], returning error", MODULE);
 // see if HTTPS is enabled, if not then log a warning instead of throwing an exception
 Boolean enableHttps = null;
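Review bot: The rewritten comment explains the CSRF rationale but says nothing about the trust assumption on the context line just above it, where `forwardedHTTPS` is derived from the request's own `X-Forwarded-Proto` header and then exempts the request from the `requestMap.securityHttps` check; unless a reverse proxy in front of OFBiz overwrites that header on every request, the header value is whatever the client sent and the secure-only enforcement for this request map is not reached. That is pre-existing context rather than something this commit changes, but a commit whose purpose is to clarify how HTTP vs HTTPS is decided is the natural place to record it. I would add, above the `boolean forwardedHTTPS = ...` line, `// Trusts X-Forwarded-Proto as set by the front-end proxy; that proxy must overwrite the header on every request, otherwise this exemption is controlled by the client`. The enclosing method starts and ends outside the hunk.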
@@ -346,7 +348,8 @@ public class RequestHandler {
 }
 if (Boolean.FALSE.equals(enableHttps)) {
- Debug.logWarning("HTTPS is disabled for this site, so we can't tell if this was encrypted or not which means if a form was POSTed and it was not over HTTPS we don't know, but it would be vulnerable to an XSRF and other attacks: " + errMsg, MODULE);
+ Debug.logWarning("HTTPS is disabled for this site, so we can't tell if this was encrypted or not which means if a form was POSTed " + + "and it was not over HTTPS we don't know, but it would be vulnerable to an CSRF and other attacks: " + errMsg, MODULE);
 } else {
 throw new RequestHandlerException(errMsg);
 } |
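Review bot: The new warning text reads `vulnerable to an CSRF`; the article should be `a CSRF` (the old text said `an XSRF`, which was right for that acronym but does not carry over to the replacement). Change the second added line to `+ "and it was not over HTTPS we don't know, but it would be vulnerable to a CSRF and other attacks: " + errMsg, MODULE);`. The same XSRF-to-CSRF substitution in the two comments of the first hunk does not have this problem. The `if ("POST"...)` block this sits in opens in the first hunk and the method continues past the end of this one.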