Chris, > > Am 09.11.2019 um 03:58 schrieb Christopher Schultz > <ch...@christopherschultz.net>: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > All, > > I'm playing with the CsrfPreventionFilter and things are working well > in the following situations: > > <a href="url">link text</a> > > and > > <form method="post" action="url"> > ... > </form> > > As long as the URL has been passed through request.encodeURL(). > > However, this one is causing me a problem: > > <form method="GET" action="url"> > ... > </form> > > This builds a form like this: > > <form method="GET" > action="https://host/path?org.apache.catalina.filters.CSRF_NONCE=[...]";> > ... > </form> > > Neither Firefox nor Chrome will send the query string present in a > <form> action attribute if the method="GET". The method must be "POST" > in order for this to be sent. This is due to the HTML standard[1]. > > Short of changing all <form> methods to "POST", is there any way > around this? > > I have read the code for CsrfPreventionFilter and it does not appear > that the nonce if stored anywhere except in the CsrfResponseWrapper > for the request (and the session's nonce cache, but that isn't > request-specific). > > Would it be inappropriate to add the CSRF_NONCE to the request > attributes so that application code could use it directly if > necessary? Something like this: > > <form method="get" action="url"> > ... > <input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE" > value="<%= request.getAttribute("CSRF_NONCE") %>" /> > </form>
If i remember correctly, this is the way struts handles CSRF Tokens. However there the nonce comes directly from the session . Not request. Peter > - -chris > > [1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.3.4 > -----BEGIN PGP SIGNATURE----- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl3FuqUACgkQHPApP6U8 > pFiRNg/+IIcX8T9/gdui3oGLn3oTWcL2wufs5XN8FUsyYkm9R0Pgj2tzfyHVykF9 > Lqr+jYw6wBmNAo/j319+Wcv7YfN/JHSTKOITvPuquQST4pXYOfYVl4SRBXuqJ7bs > gI2hTcyH2eUGSk6mSfjD+F4RQ2uigKQgnTXp1XTmFgEW5An/LPxY6o6ruEJ3RbSW > ceaO9hR4NSBbtB2urT6JsKPAiuZvOy9qELRBoVc54vNLoTqPe2oNUx4AHnq2cRuE > eKhegWlyj+XYVcVDEK0SK1irmgiN6YVc6Cxyy0QD+pEf0SvPwXeRtvS+3Ucjfpnv > nQSZDUbia/lXNktMnCiSl3c/ZEfo2AS9br/dlHbWCu5y8ugngaIHrbFPTU5QLNEP > 0mFjvMYCm4QIqu79/qOyPzDReNpWBuqsLNXfJLbhBG6MuCWLhSzHOLQnmoXb2hmg > 60vX9/B1/AgZkOv5Uv2EL/AqvyMLH9SnxuR7RVSf4FFoGD8PLpxCGruskb5HoYAr > IVyLxhzvvbE/ViXXGlwXcfuwaS1EgOXhWZqM+rl8wT1MhHnYd/SX5uGRHqjd43gO > fuOphdHNC+G5ErCyYqy4urvxyP9vuhipU43O1eUDQV+rRAdI6m+q26gTgA8U+D7i > LgJ0ZYGj+pzWi7SHyBoKIcA8u1vJrZqBFC6Fa9jlpHgQ/A/1Rtg= > =Ehsd > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
