tomcat-users mailing list archives

From Peter Kreuser <l...@kreuser.name>
Subject Re: Using CsrfPreventionFilter with GET-based <form> submissions
Date Mon, 11 Nov 2019 00:05:44 GMT
Chris,

> 
> Am 09.11.2019 um 03:58 schrieb Christopher Schultz <chris@christopherschultz.net>:
> 
> All,
> 
> I'm playing with the CsrfPreventionFilter and things are working well
> in the following situations:
> 
> <a href="url">link text</a>
> 
> and
> 
> <form method="post" action="url">
> ...
> </form>
> 
> As long as the URL has been passed through request.encodeURL().
> 
> However, this one is causing me a problem:
> 
> <form method="GET" action="url">
> ...
> </form>
> 
> This builds a form like this:
> 
> <form method="GET"
> action="https://host/path?org.apache.catalina.filters.CSRF_NONCE=[...]">
> ...
> </form>
> 
> Neither Firefox nor Chrome will send the query string present in a
> <form> action attribute if the method="GET". The method must be "POST"
> in order for this to be sent. This is due to the HTML standard[1].
> 
> Short of changing all <form> methods to "POST", is there any way
> around this?
> 
> I have read the code for CsrfPreventionFilter and it does not appear
> that the nonce is stored anywhere except in the CsrfResponseWrapper
> for the request (and the session's nonce cache, but that isn't
> request-specific).
> 
> Would it be inappropriate to add the CSRF_NONCE to the request
> attributes so that application code could use it directly if
> necessary? Something like this:
> 
> <form method="get" action="url">
> ...
> <input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
> value="<%= request.getAttribute("CSRF_NONCE") %>" />
> </form>

If I remember correctly, this is the way Struts handles CSRF tokens. However, there the nonce
comes directly from the session, not the request.

Peter

> - -chris
> 
> [1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.3.4
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


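As an added illustration (not code from this thread or from Tomcat), the following Node.js snippet models the form-submission rule Chris describes: for method="GET" the browser discards whatever query string the action attribute carried and replaces it with the form's own fields, so a nonce appended by encodeURL() never reaches the server, whereas a POST form keeps the action URL and a hidden input survives either way. The parameter name is the one the thread shows; the nonce value and the helper names are assumptions for the example.

```javascript
// Added example (not from the thread or from Tomcat). Models how a browser
// builds the request when a <form> is submitted, following the HTML rule the
// thread cites: GET replaces the action's query string with the form data set;
// POST leaves the action URL intact and sends the fields in the body.
const NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"; // parameter name as shown in the thread

function buildSubmission(method, action, fields) {
  const url = new URL(action);
  const formData = new URLSearchParams(fields);
  if (method.toUpperCase() === "GET") {
    // The action's existing query is dropped, not merged with the fields.
    url.search = formData.toString();
    return { url: url.toString(), body: null };
  }
  return { url: url.toString(), body: formData.toString() };
}

// What a server-side check like CsrfPreventionFilter would see: the nonce
// parameter, whether it arrived in the query string or in the POST body.
function nonceSeenByServer(submission) {
  const fromQuery = new URL(submission.url).searchParams.get(NONCE_PARAM);
  if (fromQuery !== null) return fromQuery;
  if (submission.body === null) return null;
  return new URLSearchParams(submission.body).get(NONCE_PARAM);
}

// Constructed sample nonce (placeholder, not a real filter value) and an
// action URL as request.encodeURL() would have rewritten it.
const SAMPLE_NONCE = "ABCDEF0123456789";
const encodedAction = `https://host/path?${NONCE_PARAM}=${SAMPLE_NONCE}`;

// Case 1 (the problem in the thread): GET form, nonce only in the action URL.
function getFormWithNonceInAction() {
  return nonceSeenByServer(buildSubmission("GET", encodedAction, { q: "search" }));
}

// Case 2 (works today): POST form, nonce in the action URL.
function postFormWithNonceInAction() {
  return nonceSeenByServer(buildSubmission("POST", encodedAction, { q: "search" }));
}

// Case 3 (the workaround discussed): GET form carrying the nonce as a hidden input.
function getFormWithHiddenNonce() {
  return nonceSeenByServer(
    buildSubmission("GET", "https://host/path", { q: "search", [NONCE_PARAM]: SAMPLE_NONCE })
  );
}

console.log("GET, nonce in action:   ", getFormWithNonceInAction());   // null: nonce lost
console.log("POST, nonce in action:  ", postFormWithNonceInAction());  // nonce present
console.log("GET, nonce hidden input:", getFormWithHiddenNonce());     // nonce present
```

Case 1 returns null because `url.search` is overwritten with the form fields, which is exactly why the filter rejects the request; cases 2 and 3 both deliver the nonce, the latter being the hidden-input approach the thread proposes.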

