isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437905241
##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
HttpSession session = req.getSession(false);
+ String requestedPath = getRequestedPath(req);
boolean skipNonceCheck = skipNonceCheck(req);
NonceCache<String> nonceCache = null;
if (!skipNonceCheck) {
String previousNonce =
req.getParameter(nonceRequestParameterName);
if (previousNonce == null) {
- if (log.isDebugEnabled()) {
- log.debug("Rejecting request for " +
getRequestedPath(req) + ", session " +
- (null == session ? "(none)" : session.getId())
+
- " with no CSRF nonce found in request");
- }
-
- res.sendError(getDenyStatus());
- return;
- }
+ if (enforce(req, requestedPath)) {
+ if (log.isDebugEnabled()) {
+ log.debug("Rejecting request for " +
getRequestedPath(req) + ", session " +
Review Comment:
I personally think that the code is cleaner and easier to maintain when
repetitive blocks are encapsulated in a function, but do I "really think it
needs it"? Nahh - your code, your decision :)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
