tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Using CsrfPreventionFilter with GET-based <form> submissions
Date Fri, 08 Nov 2019 18:57:42 GMT

All,

I'm playing with the CsrfPreventionFilter and things are working well
in the following situations:

<a href="url">link text</a>

and

<form method="post" action="url">
...
</form>

As long as the URL has been passed through request.encodeURL().

However, this one is causing me a problem:

<form method="GET" action="url">
...
</form>

This builds a form like this:

<form method="GET"
action="https://host/path?org.apache.catalina.filters.CSRF_NONCE=[...]">
...
</form>

Neither Firefox nor Chrome will send the query string present in a
<form> action attribute if the method="GET". The method must be "POST"
in order for this to be sent. This is due to the HTML standard[1].

Short of changing all <form> methods to "POST", is there any way
around this?

I have read the code for CsrfPreventionFilter and it does not appear
that the nonce is stored anywhere except in the CsrfResponseWrapper
for the request (and the session's nonce cache, but that isn't
request-specific).

Would it be inappropriate to add the CSRF_NONCE to the request
attributes so that application code could use it directly if
necessary? Something like this:

<form method="get" action="url">
  ...
  <input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
value="<%= request.getAttribute("CSRF_NONCE") %>" />
</form>

- -chris

[1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.3.4
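The browser behaviour the post describes, as an added example that is not part of the original message or of Tomcat: a small Node.js model of the HTML form-submission rules, using a constructed nonce value, showing that a nonce placed in the action's query string reaches the server on a POST but is dropped on a GET, while a hidden input carries it on either method. The functions `submitForm` and `nonceSeenByServer` are the example's own names.

```javascript
// Added example (not from the mailing-list post): models what a browser
// sends for method=GET vs method=POST so the CSRF-nonce loss is visible.
const NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";

// Builds the request a browser makes when submitting a form.
// `action` is the form's action URL, `fields` the form data set
// (visible and hidden inputs), `method` is "GET" or "POST".
function submitForm(action, method, fields) {
  const url = new URL(action);
  const data = new URLSearchParams(fields);
  if (method.toUpperCase() === "GET") {
    // HTML "mutate action URL" rule: the form data set REPLACES the
    // action's query string, so anything already in ?query is lost.
    url.search = data.toString();
    return { method: "GET", url: url.toString(), body: null };
  }
  // POST keeps the action URL (query string included) and sends the
  // form data set in the request body instead.
  return { method: "POST", url: url.toString(), body: data.toString() };
}

// Returns the nonce a server-side filter would find: in the query
// string first, then (for POST) in the form-encoded body.
function nonceSeenByServer(req) {
  const fromQuery = new URL(req.url).searchParams.get(NONCE_PARAM);
  if (fromQuery !== null) return fromQuery;
  if (req.body !== null) return new URLSearchParams(req.body).get(NONCE_PARAM);
  return null;
}

// Constructed sample values: a fake nonce and the kind of encoded action
// URL the post shows (the nonce appended as a query parameter).
const NONCE = "constructed-nonce-123";
const encodedAction = `https://host/path?${NONCE_PARAM}=${NONCE}`;

// The three cases from the post: POST works, GET loses the nonce,
// and GET with the nonce in a hidden input works again.
const postCase = submitForm(encodedAction, "POST", { q: "x" });
const getCase = submitForm(encodedAction, "GET", { q: "x" });
const getWithHidden = submitForm("https://host/path", "GET", {
  q: "x",
  [NONCE_PARAM]: NONCE,
});
```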


