Bug 51509 - Csrf Prevention Filter's LruCache is not thread safe
Summary: Csrf Prevention Filter's LruCache is not thread safe
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.32
Hardware: PC All
Importance: P2 minor
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2011-07-14 14:54 UTC by Ralph
Modified: 2011-08-11 09:15 UTC
Description Ralph 2011-07-14 14:54:22 UTC
The LruCache (org.apache.catalina.filters.CsrfPreventionFilter$LruCache) used by Csrf Prevention Filter is based on LinkedHashMap.

From the LinkedHashMap Javadoc:
Note that this implementation is not synchronized.
If multiple threads access a linked hash map concurrently, and at least one of the threads modifies the map structurally, it must be synchronized externally. ...

But the LruCache implementation does not synchronize the access to the map.
Comment 1 Mark Thomas 2011-07-19 18:21:59 UTC
Fixed in 7.0.x and will be included in 7.0.20 onwards.

Proposed for 6.0.x.
Comment 2 Mark Thomas 2011-08-11 09:15:16 UTC
The fix has been applied to 6.0.x and will be included in 6.0.33 onwards.
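
The race described in the report, as an added example that is not Tomcat's code and not the committed fix: an LRU cache built on `LinkedHashMap` without locking, next to a variant that guards every access with the map's monitor. The class names, the capacity and the sample nonces are assumptions made for illustration; `main` exercises only the synchronized variant.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;

public class LruCacheDemo {

    /** Unsynchronized: concurrent add() calls race inside LinkedHashMap. */
    static class UnsafeLruCache<T> {
        protected final Map<T, Boolean> cache;

        UnsafeLruCache(final int capacity) {
            // Insertion-ordered map; put() and eviction are structural modifications.
            cache = new LinkedHashMap<T, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<T, Boolean> eldest) {
                    return size() > capacity; // evict the oldest entry past capacity
                }
            };
        }
        void add(T key) { cache.put(key, Boolean.TRUE); }
        boolean contains(T key) { return cache.containsKey(key); }
        int size() { return cache.size(); }
    }

    /** Same cache, with every read and write holding the map's monitor. */
    static class SafeLruCache<T> extends UnsafeLruCache<T> {
        SafeLruCache(int capacity) { super(capacity); }
        @Override void add(T key) { synchronized (cache) { super.add(key); } }
        @Override boolean contains(T key) { synchronized (cache) { return super.contains(key); } }
        @Override int size() { synchronized (cache) { return super.size(); } }
    }

    public static void main(String[] args) throws InterruptedException {
        final int capacity = 5, threads = 8, perThread = 20000;
        final UnsafeLruCache<String> cache = new SafeLruCache<String>(capacity);
        final CountDownLatch done = new CountDownLatch(threads);
        for (int t = 0; t < threads; t++) {
            final int id = t;
            new Thread(() -> {
                for (int i = 0; i < perThread; i++) {
                    String nonce = id + "-" + i;   // constructed sample nonce
                    cache.add(nonce);
                    cache.contains(nonce);         // may already be evicted by other threads
                }
                done.countDown();
            }).start();
        }
        done.await();
        // With locking, the eviction invariant holds under concurrent load.
        System.out.println("size=" + cache.size() + " (capacity " + capacity + ")");
    }
}
```

Reads are locked as well as writes because a `containsKey` that runs while another thread is inside `put` can observe the map in an inconsistent state.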