ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437896682


##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request, 
ServletResponse response, FilterCha
 
             HttpSession session = req.getSession(false);
 
+            String requestedPath = getRequestedPath(req);
             boolean skipNonceCheck = skipNonceCheck(req);
             NonceCache<String> nonceCache = null;
 
             if (!skipNonceCheck) {
                 String previousNonce = 
req.getParameter(nonceRequestParameterName);
 
                 if (previousNonce == null) {
-                    if (log.isDebugEnabled()) {
-                        log.debug("Rejecting request for " + 
getRequestedPath(req) + ", session " +
-                                (null == session ? "(none)" : session.getId()) 
+
-                                " with no CSRF nonce found in request");
-                    }
-
-                    res.sendError(getDenyStatus());
-                    return;
-                }
+                    if (enforce(req, requestedPath)) {
+                        if (log.isDebugEnabled()) {
+                            log.debug("Rejecting request for " + 
getRequestedPath(req) + ", session " +
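Review bot: the new debug message at the end of this hunk still calls `getRequestedPath(req)` even though the hunk introduces a local `requestedPath` a few lines above and already passes it to `enforce(req, requestedPath)`; use the local in the log call as well, so the path that is logged is the same value the enforcement decision was made on and the request path is only computed once. The hunk is cut off after the `log.debug(` line, so the branch taken when `enforce(...)` returns false (a request with no nonce that is not rejected) is not visible here; that branch is the security-relevant one and deserves at least a debug log of its own, since otherwise a non-enforced request that lacks a nonce leaves no trace in the log at all.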

Review Comment:
   If you really think it needs it. I don't find the control-flow difficult to 
follow, here, with the log messages in there. I think further obfuscating the 
log messages will just generate more code.
