Added null validation to the querystring in the checksum calculation

Jesus Federico 2015-06-08 10:23:56 -04:00
parent b34bc5dbb4
commit bb95ec52e8


@ -542,18 +542,22 @@ public class ParamsProcessorUtil {
public boolean isChecksumSame(String apiCall, String checksum, String queryString) {
log.debug("checksum: [{}] ; query string: [{}]", checksum, queryString);
if (StringUtils.isEmpty(securitySalt)) {
log.warn("Security is disabled in this service. Make sure this is intentional.");
return true;
}
// handle either checksum as first or middle / end parameter
// TODO: this is hackish - should be done better
queryString = queryString.replace("&checksum=" + checksum, "");
queryString = queryString.replace("checksum=" + checksum + "&", "");
queryString = queryString.replace("checksum=" + checksum, "");
if( queryString == null ) {
queryString = "";
} else {
// handle either checksum as first or middle / end parameter
// TODO: this is hackish - should be done better
queryString = queryString.replace("&checksum=" + checksum, "");
queryString = queryString.replace("checksum=" + checksum + "&", "");
queryString = queryString.replace("checksum=" + checksum, "");
}
log.debug("query string after checksum removed: [{}]", queryString);
String cs = DigestUtils.shaHex(apiCall + queryString + securitySalt);
log.debug("our checksum: [{}], client: [{}]", cs, checksum);
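Review bot: The three `replace` calls that now sit in the `else` branch remove the text `checksum=<value>` wherever it occurs in the raw query string, not only where it is the checksum parameter. Text inside another parameter can therefore be stripped as well, and the string that is hashed may no longer match the parameters the request handler goes on to read. Since the commit already reshapes this block, it could split on `&` and drop only the pair that is exactly `checksum=<value>`, which keeps the order and raw encoding of the other pairs and retires the TODO; the fence sketches this. Separately, `checksum` is still not null-checked, so a missing value is concatenated as the literal `null`. Whether that is rejected depends on the comparison, which lies outside this hunk along with the rest of `isChecksumSame`.

```java
if (queryString == null) {
    queryString = "";
} else {
    // Drop only the pair that is exactly the checksum parameter; every other
    // pair keeps its position and raw encoding so the hashed string matches
    // what the client signed.
    String checksumPair = "checksum=" + checksum;
    StringBuilder kept = new StringBuilder();
    boolean first = true;
    for (String pair : queryString.split("&", -1)) {
        if (pair.equals(checksumPair)) {
            continue;
        }
        if (!first) {
            kept.append('&');
        }
        kept.append(pair);
        first = false;
    }
    queryString = kept.toString();
}
// … unchanged: debug logging and shaHex computation …
```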