From: Florian Müller
To: dev@chemistry.apache.org
Cc: Florent Guillaume
Subject: Re: CSRF check on content GET
Date: Fri, 28 Sep 2018 17:47:11 +0200
Message-ID: <8aaa329f1bb2ec81df63e62c27176e6c@apache.org>

Hi Florent,

I have to admit that I can't recall right now why there is a CSRF check.
But the fact that I spent the effort implementing it makes me believe
that there was a good enough reason.

I'll keep thinking about it...

- Florian

> Hi Florian,
>
> Could you explain the reasoning behind the fact that CsrfManager#check
> verifies the token in the request parameter if this is a GET content
> request?
>
> I don't see the point in doing any CSRF check for a GET... In other
> words, I don't see an attack model that would make this necessary.
>
> Thanks,
> Florent
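The question in this thread is which requests a CSRF token should guard: only state-changing methods, or also a GET that returns document content. The following is an added illustration written for this archive page, not OpenCMIS's CsrfManager or any code from the thread. It implements a per-session token check with the GET policy as an explicit switch and runs the same constructed requests under both settings, so the difference Florent is asking about is visible as a concrete accept/reject outcome. The `/content/` path prefix, the `X-CSRF-Token` header, the `token` query parameter and the session handling are assumptions of the example, not project conventions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that, per HTTP semantics, should not change server state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class TokenCheck:
    """Per-session CSRF token store with a switchable policy for content GETs.

    Illustration only, not OpenCMIS's CsrfManager. The '/content/' prefix,
    the 'X-CSRF-Token' header and the 'token' parameter are assumed names.
    """

    def __init__(self, check_get_content: bool):
        self.check_get_content = check_get_content
        self._tokens: dict = {}  # session id -> token issued to that session

    def issue(self, session_id: str) -> str:
        """Issue a fresh random token for a session and remember it."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _is_content_get(self, req: Request) -> bool:
        return req.method == "GET" and req.path.startswith("/content/")

    def check(self, session_id: str, req: Request) -> bool:
        """Return True if the request may proceed, False if it must be rejected.

        A cross-site request carries the victim's cookies (so the session
        resolves) but cannot carry a token the attacker never saw; the token
        comparison is what separates same-site from cross-site requests.
        """
        needs_token = req.method not in SAFE_METHODS or (
            self.check_get_content and self._is_content_get(req)
        )
        if not needs_token:
            return True
        expected = self._tokens.get(session_id)
        presented = req.headers.get("X-CSRF-Token") or req.params.get("token")
        if expected is None or presented is None:
            return False
        # Constant-time comparison so response timing does not leak the token.
        return hmac.compare_digest(expected.encode(), presented.encode())


def run_scenarios() -> dict:
    """Run the same constructed requests under both GET policies."""
    results = {}
    for name, policy in (("strict", True), ("lax", False)):
        mgr = TokenCheck(check_get_content=policy)
        sid = "session-1"
        token = mgr.issue(sid)
        requests = {
            # What a browser sends when a third-party page embeds the URL:
            # the cookies go along, the token does not.
            "cross_site_content_get": Request("GET", "/content/doc-1"),
            "same_site_content_get": Request("GET", "/content/doc-1", params={"token": token}),
            "content_get_wrong_token": Request("GET", "/content/doc-1", params={"token": "x" * 43}),
            "plain_get": Request("GET", "/repository"),
            "post_without_token": Request("POST", "/content/doc-1"),
            "post_with_token": Request("POST", "/content/doc-1", headers={"X-CSRF-Token": token}),
        }
        results[name] = {k: mgr.check(sid, r) for k, r in requests.items()}
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(policy, outcome)
```

Under the strict policy a content GET arriving without the token is rejected even though the session cookie is present; under the lax policy it is served, and only the POST without a token is refused. One practical cost of the strict choice is worth keeping in mind: a token carried in a GET query string ends up in server logs, browser history and outbound Referer headers, so it should be short-lived or the check should prefer a header over a parameter.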