SF patch #1584035 Prevent sploggers from using feedback page

git-svn-id: http://scm.dspace.org/svn/repo/trunk@1653 9c30dcfa-912a-0410-8fc2-9e0234be79fd
2025-10-07 01:54:22 +00:00 · 2006-11-02 20:04:01 +00:00
parent 7225e8a8ca
commit 850aac3403
2 changed files with 24 additions and 2 deletions
--- a/dspace/CHANGES
+++ b/dspace/CHANGES
@@ -38,6 +38,7 @@
 - SF patch #1544124 Remove admin email from contact info
 - SF patch #1533133 Remove thumbnail filename from alt-text
 - SF patch #1533114 Item title in HTML <title>
+- SF patch #1584035 Prevent sploggers from using feedback page

 (Jeroen Ruigrok)
 - SF patch #1549758 Make sure cleanup() doesn't fail with NullPointerException
--- a/dspace/src/org/dspace/app/webui/servlet/FeedbackServlet.java
+++ b/dspace/src/org/dspace/app/webui/servlet/FeedbackServlet.java
@@ -40,6 +40,7 @@
 package org.dspace.app.webui.servlet;

 import java.io.IOException;
+import java.net.InetAddress;
 import java.sql.SQLException;
 import java.util.Date;

@@ -59,7 +60,7 @@ import org.dspace.eperson.EPerson;

 /**
 * Servlet for handling user feedback
- * 
+ *
 * @author Peter Breton
 * @author Robert Tansley
 * @version $Revision$
@@ -75,7 +76,27 @@ public class FeedbackServlet extends DSpaceServlet
    {
        // Obtain information from request
        // The page where the user came from
-        String fromPage = request.getParameter("fromPage");
+        String fromPage = request.getHeader("Referer");
+
+        // Prevent spammers and splogbots from poisoning the feedback page
+        String host = ConfigurationManager.getProperty("dspace.hostname");
+
+        String basicHost = "";
+        if (host.equals("localhost") || host.equals("127.0.0.1")
+        		|| host.equals(InetAddress.getLocalHost().getHostAddress()))
+            basicHost = host;
+        else
+        {
+            // cut off all but the hostname, to cover cases where more than one URL
+            // arrives at the installation; e.g. presence or absence of "www"
+            int lastDot = host.lastIndexOf(".");
+            basicHost = host.substring(host.substring(0, lastDot).lastIndexOf("."));
+        }
+
+        if (fromPage == null || fromPage.indexOf(basicHost) == -1)
+        {
+            throw new AuthorizeException();
+        }

        // The email address they provided
        String formEmail = request.getParameter("email");