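/**
 * Serves the "direct object" lesson: looks up a profile by the {@code username}
 * request parameter and writes an HTML fragment for it.
 *
 * <p>"guest" renders the guest profile, "admin" renders the admin profile with
 * the level's solution key embedded, anything else renders a "not found"
 * message with the submitted name HTML-encoded. Exposing the admin profile to
 * any authenticated user is the lesson's intended weakness (the catch block
 * names this the Insecure Direct Object lesson), so it is deliberately not
 * gated here; do not "fix" it.
 *
 * @param request  the HTTP request; only the {@code username} parameter, the
 *                 session, the remote address and the X-Forwarded-For header
 *                 are read
 * @param response receives the HTML fragment, or an i18n error string when the
 *                 session is invalid or processing fails
 * @throws ServletException declared for servlet-API compatibility; not thrown here
 * @throws IOException      if {@code response.getWriter()} fails
 */
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
{
    // Record the requester's address for logging. X-Forwarded-For is a
    // client-supplied header and can be forged by the requester, so whatever
    // ShepherdLogManager does with it must not be used for access decisions.
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));

    // i18n bundles: generic servlet error strings and this lesson's text.
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
    ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.directObject", locale);

    HttpSession ses = request.getSession(true);
    PrintWriter out = response.getWriter();
    out.print(getServletInfo());

    // Guard clause: no valid session, emit the i18n error and stop.
    if (!Validate.validateSession(ses))
    {
        out.write(errors.getString("error.noSession"));
        log.error(levelName + " servlet accessed with no session");
        return;
    }

    // Session user name is read once; validateSession() is relied on to have
    // ensured the attribute is present.
    String sessionUser = ses.getAttribute("userName").toString();
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), sessionUser);
    log.debug(levelName + " servlet accessed by: " + sessionUser);

    try
    {
        // A request without a "username" parameter previously hit a
        // NullPointerException on the first equalsIgnoreCase() and surfaced as
        // the generic "funky" error plus a fatal log line. Treat a missing
        // parameter as an empty name so it takes the ordinary "not found" path.
        String submitted = request.getParameter("username");
        String userName = (submitted == null) ? "" : submitted;
        // The submitted value is logged as-is; CR/LF inside it would let a
        // client forge additional log lines. Acceptable for a training app.
        log.debug("User Submitted - " + userName);
        log.debug("Servlet root = " + getServletContext().getRealPath(""));

        String htmlOutput;
        if (userName.equalsIgnoreCase("guest"))
        {
            log.debug("Guest Profile Found");
            htmlOutput = htmlGuest(bundle);
        }
        else if (userName.equalsIgnoreCase("admin"))
        {
            // The key derived from this level's result and the session user is
            // embedded in the admin profile page (the lesson's flag).
            String userKey = Hash.generateUserSolution(levelResult, sessionUser);
            log.debug("Admin Profile Found");
            htmlOutput = htmlAdmin(bundle, userKey);
        }
        else
        {
            log.debug("No Profile Found");
            // The submitted name is reflected into the response body, so it is
            // HTML-encoded via ESAPI; never concatenate it raw.
            Encoder encoder = ESAPI.encoder();
            htmlOutput = "<h2 class='title'>" + bundle.getString("response.user") + ": "
                    + bundle.getString("response.notFound") + "</h2><p>"
                    + bundle.getString("response.user") + " '" + encoder.encodeForHTML(userName) + "' "
                    + bundle.getString("response.couldNotFind") + ".</p>";
        }
        log.debug("Outputting HTML");
        out.write(htmlOutput);
    }
    catch (Exception e)
    {
        // Any failure (missing bundle key, helper error, ...) is reported to the
        // client as a generic i18n message; details go to the log only.
        out.write(errors.getString("error.funky"));
        log.fatal("Insecure Direct Object Lesson Lesson - " + e.toString());
    }
}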