From 8941d96a993592f47580d0f5df6a6b0aff8847ae Mon Sep 17 00:00:00 2001
From: Scott Battaglia
Date: Tue, 21 Jun 2011 01:39:49 +0000
Subject: [PATCH] CASC-147 ignore logout requests for multipart forms
---
 .../client/session/SingleSignOutHandler.java | 6 ++-
 .../session/SingleSignoutHandlerTests.java | 49 +++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignoutHandlerTests.java
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
index c389ce8..f03c197 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
@@ -100,7 +100,7 @@ public final class SingleSignOutHandler {
 * @return True if request is logout request, false otherwise.
 */
 public boolean isLogoutRequest(final HttpServletRequest request) {
- return "POST".equals(request.getMethod()) &&
+ return "POST".equals(request.getMethod()) && !isMultipartRequest(request) &&
 CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName));
 }
 
@@ -155,4 +155,8 @@ public final class SingleSignOutHandler {
 }
 }
 }
+
+ private boolean isMultipartRequest(final HttpServletRequest request) {
+ return request.getContentType() != null && request.getContentType().toLowerCase().startsWith("multipart");
+ }
 }
diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignoutHandlerTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignoutHandlerTests.java
new file mode 100644
index 0000000..51b9d75
--- /dev/null
+++ b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignoutHandlerTests.java
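Review bot: The Javadoc above `isLogoutRequest` still promises only "True if request is logout request", but with `!isMultipartRequest(request)` placed before the parameter lookup a multipart POST is now rejected without `safeGetParameter` ever being called. That exclusion is part of the method's contract and should be stated, for example by adding `Multipart POSTs are never treated as logout requests; their parameters are not read here.` to the description. The decision rests on the Content-Type header supplied by the sender, so it is a compatibility filter and not a check on who sent the request; a short comment saying so would keep later readers from treating it as a guard. The Javadoc block opens above the hunk, so its first lines are not visible here.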
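Review bot: `toLowerCase()` in `isMultipartRequest` uses the JVM's default locale, so under a Turkish or Azeri default an upper-case `MULTIPART/FORM-DATA` header lowercases with a dotless ı and fails `startsWith("multipart")`; such a request would then reach the parameter read that this commit is meant to skip. Read the header once and lowercase with a fixed locale: `final String contentType = request.getContentType();` followed by `return contentType != null && contentType.toLowerCase(Locale.ENGLISH).startsWith("multipart");`. This needs `import java.util.Locale;`, and the import block is outside the hunk. The helper also has no Javadoc; one sentence saying that it matches any content type beginning with `multipart`, ignoring case, would be enough.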
@@ -0,0 +1,49 @@
+package org.jasig.cas.client.session;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+
+import static org.junit.Assert.*;
+
+/**
+ * @author Matt Brown
+ * @version $Revision$ $Date$
+ * @since 3.2.1
+ */
+public final class SingleSignoutHandlerTests {
+
+ private SingleSignOutHandler handler;
+ private MockHttpServletRequest request;
+ private final static String logoutParameterName = "logoutRequest";
+
+ @Before
+ public void setUp() throws Exception {
+ handler = new SingleSignOutHandler();
+ handler.setLogoutParameterName(logoutParameterName);
+ request = new MockHttpServletRequest();
+ }
+
+ @Test
+ public void isLogoutRequest() throws Exception {
+ request.setParameter(logoutParameterName, "true");
+ request.setMethod("POST");
+
+ assertTrue(handler.isLogoutRequest(request));
+ }
+
+ /**
+ * Tests that a multipart request is not considered logoutRequest. Verifies issue CASC-147.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void isLogoutRequestMultipart() throws Exception {
+ request.setParameter(logoutParameterName, "true");
+ request.setMethod("POST");
+ request.setContentType("multipart/form-data");
+
+ assertFalse(handler.isLogoutRequest(request));
+ }
+
+}
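Review bot: `isLogoutRequestMultipart` only exercises the exact lower-case value `multipart/form-data`, while the production check lowercases the header and matches on a prefix, so neither the case-insensitive path nor a header carrying a boundary parameter is covered. Add a second case such as `request.setContentType("Multipart/Form-Data; boundary=example");` followed by `assertFalse(handler.isLogoutRequest(request));` (the boundary value is a made-up sample). A control with `request.setContentType("application/x-www-form-urlencoded");` expecting `assertTrue` would pin that ordinary form POSTs are still recognised as logout requests. The class name `SingleSignoutHandlerTests` also differs in case from `SingleSignOutHandler`, which makes the test harder to find by name.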