NotificationsYou must be signed in to change notification settings
Fork31
Star61

Commitf8081a1

zhourenjian

committed

Fixed bug that the first Simple RPC requests is not correctly dealt because of the

session problem.And now Simple RPC supports large request even when session cookie is disabled in browsers by using URL ";jsessionid=..." rewrite. If client developers do not like";jsessionid=...", make sure add a line:window["script.get.session.url"] = false;

1 parent86dea1a commitf8081a1Copy full SHA for f8081a1

File tree

2 files changed

+97

-37

lines changed

sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax
- SimpleRPCHttpServlet.java
- SimpleRPCRequest.java

2 files changed

+97

-37

lines changed

`‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCHttpServlet.java‎`

Lines changed: 29 additions & 27 deletions

Original file line number	Diff line number	Diff line change
`@@ -384,19 +384,19 @@ private String prepareScriptRequest(HttpServletRequest req, HttpServletResponse`
`384`	`384`	`returnnull;`
`385`	`385`	`}`
`386`	`386`
`387`		`-// clean dead session bodies`
`388`		`-cleanSession(req);`
`389`		`-`
`390`		`-// store request in session before the request is completed`
`391`		`-HttpSessionsession =req.getSession();`
`392`		`-`
`393`	`387`	`StringattrName ="jzn" +scriptRequestID;`
`394`	`388`	`StringattrTime ="jzt" +scriptRequestID;`
`395`	`389`	`String[]parts =null;`
`396`	`390`
`397`	`391`	`booleanbadRequest =false;`
`398`	`392`	`booleantoContinue =false;`
	`393`	`+`
	`394`	`+// store request in session before the request is completed`
	`395`	`+HttpSessionsession =req.getSession();`
`399`	`396`	`synchronized (session) {`
	`397`	`+// clean dead session bodies`
	`398`	`+cleanSession(session);`
	`399`	`+`
`400`	`400`	`Objectattr =session.getAttribute(attrName);`
`401`	`401`	`if (attr ==null) {`
`402`	`402`	`parts =newString[partsCount];`
`@@ -409,14 +409,12 @@ private String prepareScriptRequest(HttpServletRequest req, HttpServletResponse`
`409`	`409`	`}`
`410`	`410`	`}`
`411`	`411`	`if (!badRequest) {`
`412`		`-synchronized (parts) {`
`413`		`-parts[curPart -1] =request;`
`414`		`-for (inti =0;i <parts.length;i++) {`
`415`		`-if (parts[i] ==null) {`
`416`		`-// not completed yet! just response and wait next request.`
`417`		`-toContinue =true;`
`418`		`-break;`
`419`		`-}`
	`412`	`+parts[curPart -1] =request;`
	`413`	`+for (inti =0;i <parts.length;i++) {`
	`414`	`+if (parts[i] ==null) {`
	`415`	`+// not completed yet! just response and wait next request.`
	`416`	`+toContinue =true;`
	`417`	`+break;`
`420`	`418`	`}`
`421`	`419`	`}`
`422`	`420`	`if (!toContinue) {`
`@@ -433,7 +431,13 @@ private String prepareScriptRequest(HttpServletRequest req, HttpServletResponse`
`433`	`431`	`if (toContinue) {`
`434`	`432`	`resp.setContentType("text/javascript");`
`435`	`433`	`//resp.setCharacterEncoding("utf-8");`
`436`		`-resp.getWriter().write("net.sf.j2s.ajax.SimpleRPCRequest" +`
	`434`	`+PrintWriterwriter =resp.getWriter();`
	`435`	`+if (curPart ==1) {`
	`436`	`+// Cookie may be disabled in client side!`
	`437`	`+writer.write("net.sf.j2s.ajax.SimpleRPCRequest" +`
	`438`	`+".xssSession(\"" +scriptRequestID +"\",\"" +session.getId() +"\");\r\n");`
	`439`	`+}`
	`440`	`+writer.write("net.sf.j2s.ajax.SimpleRPCRequest" +`
`437`	`441`	`".xssNotify(\"" +scriptRequestID +"\",\"continue\");");`
`438`	`442`	`returnnull;`
`439`	`443`	`}`
`@@ -446,18 +450,16 @@ private String prepareScriptRequest(HttpServletRequest req, HttpServletResponse`
`446`	`450`	`returnbuf.toString();`
`447`	`451`	`}`
`448`	`452`
`449`		`-privatevoidcleanSession(HttpServletRequestreq) {`
`450`		`-HttpSessionses =req.getSession(false);`
`451`		`-if (ses !=null) {// try to clean expired request!`
`452`		`-EnumerationattrNames =ses.getAttributeNames();`
`453`		`-while (attrNames.hasMoreElements()) {`
`454`		`-Stringname = (String)attrNames.nextElement();`
`455`		`-if (name.startsWith("jzt")) {`
`456`		`-Datedt = (Date)ses.getAttribute(name);`
`457`		`-if (newDate().getTime() -dt.getTime() >maxXSSRequestLatency()) {`
`458`		`-ses.removeAttribute(name);`
`459`		`-ses.removeAttribute("jzn" +name.substring(3));`
`460`		`-}`
	`453`	`+privatevoidcleanSession(HttpSessionses) {`
	`454`	`+// try to clean expired request!`
	`455`	`+EnumerationattrNames =ses.getAttributeNames();`
	`456`	`+while (attrNames.hasMoreElements()) {`
	`457`	`+Stringname = (String)attrNames.nextElement();`
	`458`	`+if (name.startsWith("jzt")) {`
	`459`	`+Datedt = (Date)ses.getAttribute(name);`
	`460`	`+if (newDate().getTime() -dt.getTime() >maxXSSRequestLatency()) {`
	`461`	`+ses.removeAttribute(name);`
	`462`	`+ses.removeAttribute("jzn" +name.substring(3));`
`461`	`463`	`}`
`462`	`464`	`}`
`463`	`465`	`}`

`‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java‎`

Lines changed: 68 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -160,6 +160,7 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl`
`160`	`160`	`var ua = navigator.userAgent.toLowerCase ();`
`161`	`161`	`if (ua.indexOf ("msie")!=-1 && ua.indexOf ("opera") == -1){`
`162`	`162`	`limit = 2048;`
	`163`	`+ limit = 2048 - 44; // ;jsessionid=`
`163`	`164`	`}`
`164`	`165`	`limit -= url.length + 36; // 5 + 6 + 5 + 2 + 5 + 2 + 5;`
`165`	`166`	`var contents = [];`
`@@ -186,11 +187,33 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl`
`186`	`187`	`} else {`
`187`	`188`	`contents[0] = content;`
`188`	`189`	`}`
`189`		`- for (var i = 0; i < contents.length; i++) {`
	`190`	`+g.idSet["x" + rnd] = contents;`
	`191`	`+// Only send the first request, later server return "continue", and client will get`
	`192`	`+// the session id and continue later requests.`
	`193`	`+ net.sf.j2s.ajax.SimpleRPCRequest.callByScript(rnd, contents.length, 0, contents[0]);`
	`194`	`+ contents[0] = null;`
	`195`	`+ return true; // cross site script!`
	`196`	`+ }`
	`197`	`+ }`
	`198`	`+ */ { }`
	`199`	`+returnfalse;`
	`200`	`+}`
	`201`	`+`
	`202`	`+staticvoidcallByScript(Stringrnd,Stringlength,Stringi,Stringcontent) {`
	`203`	`+/**`
	`204`	`+ * @j2sNative`
	`205`	`+var g = net.sf.j2s.ajax.SimpleRPCRequest;`
	`206`	`+var runnable = g.idSet["o" + rnd];`
	`207`	`+if (runnable == null) return;`
	`208`	`+var url = runnable.getHttpURL();`
	`209`	`+var session = g.idSet["s" + rnd];`
	`210`	`+if (session != null && window["script.get.session.url"] != false) {`
	`211`	`+url += ";jsessionid=" + session;`
	`212`	`+}`
`190`	`213`	`var script = document.createElement ("SCRIPT");`
`191`	`214`	`script.type = "text/javascript";`
`192`		`- script.src = url + "?jzn=" + rnd + "&jzp=" +contents.length`
`193`		`- + "&jzc=" + (i + 1) + "&jzz=" +contents[i];`
	`215`	`+ script.src = url + "?jzn=" + rnd + "&jzp=" + length`
	`216`	`+ + "&jzc=" + (i + 1) + "&jzz=" +content;`
`194`	`217`	`if (typeof (script.onreadystatechange) == "undefined") { // W3C`
`195`	`218`	`script.onerror = function () {`
`196`	`219`	`this.onerror = null;`
`@@ -223,12 +246,25 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl`
`223`	`246`	`}`
`224`	`247`	`var head = document.getElementsByTagName ("HEAD")[0];`
`225`	`248`	`head.appendChild (script);`
`226`		`- }`
`227`		`- return true; // cross site script!`
`228`		`- }`
`229`		`- }`
`230`		`- */ { }`
`231`		`-returnfalse;`
	`249`	`+ */ {}`
	`250`	`+}`
	`251`	`+`
	`252`	`+staticvoidsendRestRequests(StringnameID) {`
	`253`	`+/**`
	`254`	`+ * The following codes may be modified to send out requests one by one.`
	`255`	`+ * @j2sNative`
	`256`	`+ * var g = net.sf.j2s.ajax.SimpleRPCRequest;`
	`257`	`+ * var xcontent = g.idSet["x" + nameID];`
	`258`	`+ * if (xcontent != null) {`
	`259`	`+ * for (var i = 0; i < xcontent.length; i++) {`
	`260`	`+ * if (xcontent[i] != null) {`
	`261`	`+ * g.callByScript(nameID, xcontent.length, i, xcontent[i]);`
	`262`	`+ * xcontent[i] = null;`
	`263`	`+ * }`
	`264`	`+ * }`
	`265`	`+ * g.idSet["x" + nameID] = null;`
	`266`	`+ * }`
	`267`	`+ */ {}`
`232`	`268`	`}`
`233`	`269`
`234`	`270`	`/**`
`@@ -258,13 +294,27 @@ static void xssNotify(String nameID, String response) {`
`258`	`294`	`}`
`259`	`295`	`}`
`260`	`296`	`*/ { }`
`261`		`-if (response =="continue")return;`
	`297`	`+if (response =="continue") {`
	`298`	`+booleanrestNotEmpty =false;`
	`299`	`+/**`
	`300`	`+ * @j2sNative`
	`301`	`+ * var g = net.sf.j2s.ajax.SimpleRPCRequest;`
	`302`	`+ * if (g.idSet["x" + nameID] != null) {`
	`303`	`+ * restNotEmpty = true;`
	`304`	`+ * }`
	`305`	`+ */ {}`
	`306`	`+if (restNotEmpty)sendRestRequests(nameID);`
	`307`	`+return;`
	`308`	`+}`
`262`	`309`	`SimpleRPCRunnablerunnable =null;`
`263`	`310`	`/**`
`264`	`311`	`* @j2sNative`
`265`	`312`	`var g = net.sf.j2s.ajax.SimpleRPCRequest;`
`266`	`313`	`runnable = g.idSet["o" + nameID];`
`267`	`314`	`g.idSet["o" + nameID] = null;`
	`315`	`+if (g.idSet["s" + nameID] != null) {`
	`316`	`+g.idSet["s" + nameID] = null;`
	`317`	`+}`
`268`	`318`	`if (response == null && runnable != null) { // error!`
`269`	`319`	`runnable.ajaxFail();`
`270`	`320`	`return;`
`@@ -305,4 +355,12 @@ static void xssNotify(String nameID, String response) {`
`305`	`355`	`runnable.ajaxOut();`
`306`	`356`	`}`
`307`	`357`	`}`
	`358`	`+`
	`359`	`+staticvoidxssSession(StringnameID,StringsessionID) {`
	`360`	`+/**`
	`361`	`+ * @j2sNative`
	`362`	`+ var g = net.sf.j2s.ajax.SimpleRPCRequest;`
	`363`	`+ g.idSet["s" + nameID] = sessionID;`
	`364`	`+ */ {}`
	`365`	`+}`
`308`	`366`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf8081a1

File tree

2 files changed

2 files changed

`‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCHttpServlet.java‎`

`‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java‎`

0 commit comments