tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using CsrfPreventionFilter with GET-based <form> submissions
Date Tue, 12 Nov 2019 17:35:05 GMT

Peter,

On 11/10/19 19:05, Peter Kreuser wrote:
> Chris,
> 
>> 
>> On 09.11.2019 at 03:58, Christopher Schultz
>> <chris@christopherschultz.net> wrote:
>> 
>> 
>> All,
>> 
>> I'm playing with the CsrfPreventionFilter and things are working
>> well in the following situations:
>> 
>> <a href="url">link text</a>
>> 
>> and
>> 
>> <form method="post" action="url"> ... </form>
>> 
>> As long as the URL has been passed through request.encodeURL().
>> 
>> However, this one is causing me a problem:
>> 
>> <form method="GET" action="url"> ... </form>
>> 
>> This builds a form like this:
>> 
>> <form method="GET"
>> action="https://host/path?org.apache.catalina.filters.CSRF_NONCE=[...]">
>> ...
>> </form>
>> 
>> Neither Firefox nor Chrome will send the query string present in
>> a <form> action attribute if the method="GET". The method must be
>> "POST" in order for this to be sent. This is due to the HTML
>> standard[1].
>> 
>> Short of changing all <form> methods to "POST", is there any way 
>> around this?
>> 
>> I have read the code for CsrfPreventionFilter and it does not
>> appear that the nonce is stored anywhere except in the
>> CsrfResponseWrapper for the request (and the session's nonce
>> cache, but that isn't request-specific).
>> 
>> Would it be inappropriate to add the CSRF_NONCE to the request 
>> attributes so that application code could use it directly if 
>> necessary? Something like this:
>> 
>> <form method="get" action="url"> ... <input type="hidden"
>> name="org.apache.catalina.filters.CSRF_NONCE" value="<%=
>> request.getAttribute("CSRF_NONCE") %>" /> </form>
> 
> If I remember correctly, this is the way Struts handles CSRF
> tokens.

I'm not sure what Struts has to do with this. I'm using Tomcat's CSRF
filter which apparently cannot work with GET-based forms. I'm not
saying that a GET-based form is a good idea, but we have a bunch of
them so I'm looking into how they can be effectively used with this
implementation of a CSRF filter.

I'm really surprised this hasn't come up, yet. Maybe nobody actually
implements CSRF protection, or maybe nobody uses Tomcat's filter to do
it, or maybe nobody uses GET-based HTML <form>s. But I can't believe
that I'm the only person in the world who is trying to use all three
at once.

> However, there the nonce comes directly from the session, not the
> request.

The nonces are stored in the session, otherwise this wouldn't work.
But each request generates a new nonce, and that one would be the
"request's nonce".

- -chris
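As an added example (not code from this thread or from Tomcat), the following JavaScript models the part of the HTML form-submission algorithm the thread is about: for method="GET" the action URL's query string is replaced by the form's fields (the step the HTML standard calls "mutate action URL"), while for POST the action URL is used unchanged. It shows why a nonce that request.encodeURL() appended to the action is lost for GET forms and why carrying it in a hidden <input> works; the nonce value and URLs are constructed for the example.

```javascript
// Added example: models browser handling of a form's action URL for GET
// vs POST, to illustrate why the CsrfPreventionFilter nonce in the action's
// query string is dropped for method="GET".

const NONCE_PARAM = 'org.apache.catalina.filters.CSRF_NONCE';

// Simplified form submission: for GET, the action's existing query is
// discarded and replaced with the form data set ("mutate action URL");
// for POST, the action URL is kept and the form data set becomes the body.
function submitForm(method, action, fields) {
  const url = new URL(action);
  const data = new URLSearchParams(fields);
  if (method.toUpperCase() === 'GET') {
    url.search = data.toString(); // existing query string is lost here
    return { url: url.toString(), body: null };
  }
  return { url: url.toString(), body: data.toString() };
}

// Returns the nonce the server would see (query string or body), or null.
function nonceReaches(submission) {
  const fromQuery = new URL(submission.url).searchParams.get(NONCE_PARAM);
  if (fromQuery) return fromQuery;
  if (submission.body) {
    return new URLSearchParams(submission.body).get(NONCE_PARAM);
  }
  return null;
}

// Constructed sample values (not real nonces or hosts).
const NONCE = 'constructed-nonce-value';
const encodedAction = `https://host/path?${NONCE_PARAM}=${NONCE}`;

// GET form whose action came from encodeURL(): nonce is dropped.
function getWithQueryNonce() {
  return nonceReaches(submitForm('GET', encodedAction, { q: 'search' }));
}

// POST form with the same action: nonce survives in the URL.
function postWithQueryNonce() {
  return nonceReaches(submitForm('POST', encodedAction, { q: 'search' }));
}

// GET form carrying the nonce as a hidden input (the workaround discussed
// in the thread): nonce arrives in the query string built from the fields.
function getWithHiddenNonce() {
  return nonceReaches(submitForm('GET', 'https://host/path',
    { q: 'search', [NONCE_PARAM]: NONCE }));
}
```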


