[jira] [Work logged] (WW-5083) Fetch Metadata support

Mon, 03 Aug 2020 00:45:03 -0700 


     [ 
https://issues.apache.org/jira/browse/WW-5083?focusedWorklogId=465576&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-465576
 ]

ASF GitHub Bot logged work on WW-5083:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Aug/20 07:43
            Start Date: 03/Aug/20 07:43
    Worklog Time Spent: 10m 
      Work Description: salcho commented on a change in pull request #428:
URL: https://github.com/apache/struts/pull/428#discussion_r464245596



##########
File path: 
core/src/main/java/org/apache/struts2/interceptor/FetchMetadataInterceptor.java
##########
@@ -73,15 +76,31 @@ public String intercept(ActionInvocation invocation) throws 
Exception {
             return invocation.invoke();
         }
 
-        logger.atDebug().log(
-            "Fetch metadata rejected cross-origin request to %s",
-            contextPath
-        );
+        LOG.debug("Fetch metadata rejected cross-origin request to [{}]", 
contextPath);

Review comment:
       Hi,
   
   I think you guys know better what log level is more appropriate for Struts 
devs. What I can tell you is that this code is not expected to reject many 
requests under normal circumstances, as every time this happens an endpoint is 
being fetched cross-origin, which indicates a potential CSRF attack more often 
than not and developers are expected to add endpoints that are exposed 
cross-origin to the exemption list. 
   
   That is to say: we wouldn't really expect this log statement to be hit to 
the point of flooding the logs.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 465576)
    Time Spent: 4h 20m  (was: 4h 10m)

> Fetch Metadata support
> ----------------------
>
>                 Key: WW-5083
>                 URL: https://issues.apache.org/jira/browse/WW-5083
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>
>          Time Spent: 4h 20m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Fetch Metadata support to Struts2 to provide a 
> simple security mechanism that developers can use to protect against 
> Cross-Site Request Forgery vulnerabilities



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to