From b274b920680da9281900ee5b8a588cd6aadadb4c Mon Sep 17 00:00:00 2001
From: Gary Zhou
Date: Wed, 10 Oct 2018 17:01:33 -0400
Subject: [PATCH] Fix to handle null csrfToken in session
---
 dspace-api/src/main/java/org/dspace/app/util/Util.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/dspace-api/src/main/java/org/dspace/app/util/Util.java b/dspace-api/src/main/java/org/dspace/app/util/Util.java
index 1c212e059602..38a7deee9e81 100644
--- a/dspace-api/src/main/java/org/dspace/app/util/Util.java
+++ b/dspace-api/src/main/java/org/dspace/app/util/Util.java
@@ -559,8 +559,12 @@ public static void validateCsrf(HttpServletRequest request) throws AuthorizeExce
         HttpSession session = request.getSession();
         String storedToken = (String) session.getAttribute("csrfToken");
         String formToken = request.getParameter("csrf_token");
-        if (!storedToken.equals(formToken)) {
-            throw new AuthorizeException("CSRF Token is Invalid");
+        if (storedToken == null) {
+            throw new AuthorizeException("CSRF Token cannot be null");
+        } else {
+            if (!storedToken.equals(formToken)) {
+                throw new AuthorizeException("CSRF Token is Invalid");
+            }
         }
     }
 }
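Review bot: The retained `storedToken.equals(formToken)` in the new else-branch is still a short-circuiting string compare on a secret, so the check leaks mismatch position through timing; the null guard the commit adds fixes the NPE but not this. A constant-time form that also keeps the new null handling is `if (storedToken == null || formToken == null || !MessageDigest.isEqual(storedToken.getBytes(StandardCharsets.UTF_8), formToken.getBytes(StandardCharsets.UTF_8)))`, which needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported; whether to keep the separate "cannot be null" message is a judgement call, since it only tells the caller their session is empty. Separately, the `request.getSession()` context line creates a session for a request that has none, so a forged request with no cookie now allocates an empty session before being rejected; `HttpSession session = request.getSession(false);` followed by treating a null session like a null token would fail closed without the allocation. As a point of style, `} else { if (...) { ... } }` would read better flattened to `} else if (...) {`. The `validateCsrf` signature itself lies before the hunk, so the method starts outside the visible lines.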