SAK-29212

mailsender/api/src/java/org/sakaiproject/mailsender/model/EmailEntry.java

@@ -34,6 +34,7 @@ public class EmailEntry
 	private String content = "";
 	private List<String> attachments = new ArrayList<String>();
 	private ConfigEntry config;
+	private String csrf = null;
 
 	public EmailEntry(ConfigEntry config)
 	{
@@ -102,6 +103,15 @@ public void setContent(String content)
 		}
 	}
 
+	public String getCsrf() {
+		return this.csrf;
+	}
+
+	public void setCsrf (String s) {
+		this.csrf = s;
+	}
+
+
 	public List<String> getAttachments()
 	{
 		return attachments;

mailsender/tool/src/java/org/sakaiproject/mailsender/tool/beans/EmailBean.java

@@ -41,6 +41,7 @@
 import org.sakaiproject.user.api.User;
 import org.sakaiproject.util.StringUtil;
 import org.sakaiproject.util.Web;
+import org.sakaiproject.tool.cover.SessionManager;
 import org.springframework.web.multipart.MultipartFile;
 
 import uk.org.ponder.messageutil.MessageLocator;
@@ -138,6 +139,10 @@ public String sendEmail()
 		ConfigEntry config = emailEntry.getConfig();
 		User curUser = externalLogic.getCurrentUser();
 
+		String csrfToken = SessionManager.getCurrentSession().getAttribute("sakai.csrf.token").toString();
+		if (csrfToken != null && !csrfToken.equals(emailEntry.getCsrf()))
+		    return EMAIL_FAILED;
+
 		String fromEmail = "";
 		String fromDisplay = "";
 		if (curUser != null)
@@ -460,4 +465,5 @@ private String compileRecipientList(Map<String, String> recipients)
 
 		return recipientList.toString();
 	}
+
 }

mailsender/tool/src/java/org/sakaiproject/mailsender/tool/producers/ComposeProducer.java

@@ -24,6 +24,7 @@
 import org.sakaiproject.mailsender.tool.params.UserGroupViewParameters;
 import org.sakaiproject.mailsender.tool.producers.fragments.UserGroupingProducer;
 import org.sakaiproject.user.api.User;
+import org.sakaiproject.tool.cover.SessionManager;
 
 import org.sakaiproject.rsf.producers.FrameAdjustingProducer;
 import uk.org.ponder.rsf.components.UIBoundBoolean;
@@ -174,6 +175,14 @@ public void fillComponents(UIContainer tofill, ViewParameters viewparams,
 			UIBoundBoolean.make(mainForm, "addToArchive", emailBean + ".config.addToArchive");
 		}
 
+		Object sessionToken = SessionManager.getCurrentSession().getAttribute("sakai.csrf.token");
+		// not sure why we can't just use the token as the value in UIInput, but if we do that,
+		// nothing is submitted
+		if (sessionToken != null) {
+		    UIInput.make(mainForm, "csrf", emailBean + ".csrf");
+		    UIOutput.make(mainForm, "csrfvalue", sessionToken.toString());
+		}
+
 		// create buttons for form
 		UICommand.make(mainForm, "send-button", UIMessage.make("send_mail_button"),
 				"emailBean.sendEmail");

mailsender/tool/src/webapp/content/templates/compose.html

@@ -110,6 +110,8 @@ <h3 rsf:id="msg=compose_toolbar" class="insColor insBak insBorder">Compose</h3>
 				<label rsf:id="msg=appendrecipientlist" for="appendRecipientList">Append list of recipients to message</label>
 			</div>
 		</div>
+		<input rsf:id="csrf" type="hidden" name="csrf" id="csrf" />
+		<span rsf:id="csrfvalue" id="csrfvalue" style="display:none"/>
 		<div class="section headervalue">
 			<input rsf:id="send-button" value="Send Mail" class="active" type="submit" />
 			<input rsf:id="cancel-button" value="Cancel" type="submit" />
@@ -119,6 +121,9 @@ <h3 rsf:id="msg=compose_toolbar" class="insColor insBak insBorder">Compose</h3>
 	// a real function call with real values which come from the 
 	// "emitJavascriptCall" method will be placed here by RSF
 	</script>
+	<script type="text/javascript">
+	  $("#csrf").val($("#csrfvalue").text());
+	</script>
 	<div class="cleaner" />
 </div>
 </body>