On 16/11/2012 20:29, André Warnier wrote:
> Ok, so let's back up a little.
> 
> The OP wrote :
> 
> .."This filter expects that we call
> HttpServletResponse#encodeRedirectURL(String) or
> HttpServletResponse#encodeURL(String).
> I see that in my application we don't use the above mentioned methods."
> ..
> 
> To which I answered :
> 
> .. "if your [sic, apologies] are not using
> HttpServletResponse#encodeRedirectURL(String) or
> HttpServletResponse#encodeURL(String) in your application, then this
> filter would be unnecessary"..
> 
> Notice the "if (condition) then { statement }" expression.

I did.

> Did this contain any implication of the OP's application not being
> susceptible to CSRF attacks if he is not using these calls ?

Yes. You used the word "unnecessary" (i.e. the filter is not required;
there is no need to use the filter in this case) when what you meant was
"useless" (the filter won't work).

The use of "unnecessary" implied that the use of the filter was only
necessary when using encodeRedirectURL() or encodeURL(). That in turn
implies that CSRF only happens if encodeRedirectURL() or encodeURL() is
used. That is what I responded to as wrong.

What you were trying to say was something along the lines of:
"If your application doesn't use encodeRedirectURL() or encodeURL() then
the CSRF prevention filter isn't going to be able to help you as the
correct operation of that filter requires that those methods are used."

> Was my response incorrect ?

Yes.

> Or was the "Wrong." sentence maybe a bit hasty ?

No.

> English is not my native language either, but on this list I strive to
> express myself in it, in a logically and syntactically correct fashion.

+1. As a native English speaker who struggles with foreign languages I
am constantly in awe of those who are fluent in multiple languages such
as yourself, as I know how hard I would have to work to get remotely
close to that skill level. But we all make mistakes - me included (most
of the evidence for that is in the archive of the dev list). In this
case the choice of the word "unnecessary" was not the best choice as the
primary meaning of the word is not what you intended.

> I also suggested to the attention of the OP the tips provided on the
> same Wikipedia page, to make CSRF attacks more difficult.  This would
> also seem to deny the implication that I ever intended to tell the OP
> that his application was not susceptible to CSRF attacks. (*)

You did, but after suggesting that their application may not be
vulnerable to CSRF (see above) and querying why they thought that it
was. That reinforces the idea that CSRF protection is not required.

The tips on Wikipedia are definitely worth the OP reading. I'd also
recommend the OWASP materials on this topic (and web application
security in general). They have a number of tools that can help
including, if I recall correctly, a CSRF protection filter that is more
powerful than the Tomcat one.

>> Also, the site is likely to be broken for user agents that do not
>> support cookies.
> 
> Point taken, but that was not the question.

Indeed. That was meant as a useful aside for folks reading this in the
archives.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
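As an added illustration (not the Tomcat filter's source and not part of this thread), a stripped-down nonce-based filter showing why such a filter can only protect links the application passes through encodeURL() or encodeRedirectURL(); the class, parameter and session attribute names are hypothetical.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Simplified nonce-based CSRF filter (illustration only, not Tomcat's own code).
// NONCE_PARAM and NONCE_ATTR are hypothetical names.
public class NonceCsrfFilter implements Filter {
    static final String NONCE_PARAM = "csrfNonce";
    static final String NONCE_ATTR = "csrfNonce.current";
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // 1. Once a nonce has been issued, every later request must present it.
        //    (A single nonce is enough to show the principle; Tomcat's filter
        //    keeps a small cache of recent nonces and a list of entry points.)
        String expected = (String) session.getAttribute(NONCE_ATTR);
        if (expected != null && !expected.equals(request.getParameter(NONCE_PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Issue a fresh, unguessable nonce for the next request.
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        final String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        session.setAttribute(NONCE_ATTR, nonce);

        // 3. Only URLs routed through encodeURL()/encodeRedirectURL() get the nonce.
        //    A link built by string concatenation never receives it and is refused
        //    in step 1 on the next hit: the filter is useless without those calls.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            private String withNonce(String url) {
                return url + (url.contains("?") ? "&" : "?") + NONCE_PARAM + "=" + nonce;
            }
            @Override public String encodeURL(String url) {
                return withNonce(super.encodeURL(url));
            }
            @Override public String encodeRedirectURL(String url) {
                return withNonce(super.encodeRedirectURL(url));
            }
        });
    }
}
```

A page that renders `<a href="/transfer">` directly will produce a 403 on the next click, while `<a href="<%= response.encodeURL("/transfer") %>">` carries the nonce and is accepted.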