Fix to handle null csrfToken in session

CityOfNewYork · Oct 10, 2018 · b274b92 · b274b92
1 parent c573c55
commit b274b92
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/dspace-api/src/main/java/org/dspace/app/util/Util.java b/dspace-api/src/main/java/org/dspace/app/util/Util.java
@@ -559,8 +559,12 @@ public static void validateCsrf(HttpServletRequest request) throws AuthorizeExce
         HttpSession session = request.getSession();
         String storedToken = (String) session.getAttribute("csrfToken");
         String formToken = request.getParameter("csrf_token");
-        if (!storedToken.equals(formToken)) {
-            throw new AuthorizeException("CSRF Token is Invalid");
+        if (storedToken == null) {
+            throw new AuthorizeException("CSRF Token cannot be null");
+        } else {
+            if (!storedToken.equals(formToken)) {
+                throw new AuthorizeException("CSRF Token is Invalid");
+            }
         }
     }
 }