isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435945537
##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
HttpSession session = req.getSession(false);
+ String requestedPath = getRequestedPath(req);
boolean skipNonceCheck = skipNonceCheck(req);
NonceCache<String> nonceCache = null;
if (!skipNonceCheck) {
String previousNonce =
req.getParameter(nonceRequestParameterName);
if (previousNonce == null) {
- if (log.isDebugEnabled()) {
- log.debug("Rejecting request for " +
getRequestedPath(req) + ", session " +
- (null == session ? "(none)" : session.getId())
+
- " with no CSRF nonce found in request");
- }
-
- res.sendError(getDenyStatus());
- return;
- }
+ if (enforce(req, requestedPath)) {
+ if (log.isDebugEnabled()) {
+ log.debug("Rejecting request for " +
getRequestedPath(req) + ", session " +
Review Comment:
Looks like quite a few repetitions of log.debug blocks with very similar
content. Might be a good opportunity for a private function?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
