From: Christopher Schultz
To: Tomcat Users List
Date: Fri, 8 Nov 2019 13:57:42 -0500
Subject: Using CsrfPreventionFilter with GET-based submissions

All,

I'm playing with the CsrfPreventionFilter and things are working well in the following situations:

link text and ...

As long as the URL has been passed through request.encodeURL(). However, this one is causing me a problem:
...
This builds a form like this:
...
Neither Firefox nor Chrome will send the query string present in an action attribute if the method="GET". The method must be "POST" in order for this to be sent. This is due to the HTML standard[1].

Short of changing all methods to "POST", is there any way around this?

I have read the code for CsrfPreventionFilter and it does not appear that the nonce is stored anywhere except in the CsrfResponseWrapper for the request (and the session's nonce cache, but that isn't request-specific).

Would it be inappropriate to add the CSRF_NONCE to the request attributes so that application code could use it directly if necessary? Something like this:

... " />
-chris

[1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.3.4
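The behaviour described above, as an added example that is not part of the original post or of Tomcat's code: a small model of how a browser builds the request for a form submission. For method="GET" the HTML standard replaces the action URL's query string with the encoded form fields, so a nonce that request.encodeURL() appended to the action is dropped; for method="POST" the action URL is sent unchanged. The same model shows the mitigation of carrying the nonce as a hidden field instead. The nonce parameter name is Tomcat's default request-parameter name for the filter (assumed here), the nonce value and the form contents are constructed, and the base origin is a placeholder.

```javascript
// Added example (not from the original post or from Tomcat). Models the
// HTML rule for building a form submission URL and checks whether the
// CSRF nonce survives it. Runs under Node.js with no dependencies.

// Tomcat's default nonce request-parameter name (assumption).
const NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";
// Constructed sample nonce; a real one comes from the filter.
const SAMPLE_NONCE = "CONSTRUCTED-NONCE-0123";
// Placeholder origin used only to resolve relative action URLs.
const ORIGIN = "http://localhost/";

// What request.encodeURL() produces for the action: nonce in the query string.
const ENCODED_ACTION = `/app/search?${NONCE_PARAM}=${SAMPLE_NONCE}`;

// A form is modelled as { action, method, fields }, where fields is the
// ordered form data set as [name, value] pairs.
const GET_FORM = { action: ENCODED_ACTION, method: "get", fields: [["q", "tomcat"]] };
const POST_FORM = { action: ENCODED_ACTION, method: "post", fields: [["q", "tomcat"]] };

// Builds the request a browser would send for the form.
function submissionUrl(form) {
  const url = new URL(form.action, ORIGIN);
  const encoded = new URLSearchParams(form.fields).toString();
  if (form.method.toUpperCase() === "GET") {
    // HTML "mutate action URL": the action's existing query is replaced by
    // the form data set, so anything request.encodeURL() put there is lost.
    url.search = encoded;
    return { url: url.toString(), body: null };
  }
  // POST: the action URL (query included) is used as-is; fields go in the body.
  return { url: url.toString(), body: encoded };
}

// True if the nonce reaches the server in either the URL or the body.
function hasNonce(submission) {
  if (new URL(submission.url).searchParams.has(NONCE_PARAM)) return true;
  return submission.body !== null && new URLSearchParams(submission.body).has(NONCE_PARAM);
}

// Mitigation: move the nonce out of the action's query string and into a
// hidden field, so it becomes part of the form data set and is submitted
// with either method.
function moveNonceToHiddenField(form) {
  const url = new URL(form.action, ORIGIN);
  const nonce = url.searchParams.get(NONCE_PARAM);
  if (nonce === null) return form; // nothing to move
  url.searchParams.delete(NONCE_PARAM);
  return {
    action: url.pathname + url.search,
    method: form.method,
    fields: [[NONCE_PARAM, nonce], ...form.fields],
  };
}

// Renders the hidden field; attribute-escaping is required because the value
// lands inside an HTML attribute.
function hiddenNonceInput(nonce) {
  const escaped = String(nonce)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `<input type="hidden" name="${NONCE_PARAM}" value="${escaped}" />`;
}

for (const [label, form] of [["GET", GET_FORM], ["POST", POST_FORM],
                             ["GET+hidden", moveNonceToHiddenField(GET_FORM)]]) {
  const s = submissionUrl(form);
  console.log(`${label.padEnd(10)} nonce sent: ${hasNonce(s)}  -> ${s.url}`);
}
```

Running the loop prints one line per case: the plain GET form loses the nonce, the POST form keeps it in the URL, and the GET form with the nonce as a hidden field sends it in the query string, which is what the filter checks.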