isapir commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437905241
########## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ########## @@ -110,45 +285,70 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha HttpSession session = req.getSession(false); + String requestedPath = getRequestedPath(req); boolean skipNonceCheck = skipNonceCheck(req); NonceCache<String> nonceCache = null; if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { - if (log.isDebugEnabled()) { - log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + - (null == session ? "(none)" : session.getId()) + - " with no CSRF nonce found in request"); - } - - res.sendError(getDenyStatus()); - return; - } + if (enforce(req, requestedPath)) { + if (log.isDebugEnabled()) { + log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + Review Comment: I personally think that the code is cleaner and easier to maintain when repetitive blocks are encapsulated in a function, but do I "really think it needs it"? Nahh - your code, your decision :)
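Review bot: The new debug line still calls `getRequestedPath(req)` even though the hunk introduces `String requestedPath = getRequestedPath(req);` a few lines above; reuse the local (`log.debug("Rejecting request for " + requestedPath + ", session " + ...`) so the path is computed once and the logged value is guaranteed to match what was passed to `enforce(req, requestedPath)`. Also, because the `res.sendError(getDenyStatus())` rejection is now guarded by `if (enforce(req, requestedPath))`, a request with no nonce can now pass through when enforcement is off; the branch taken when `enforce` returns false is not shown here, so please confirm it still records the missing nonce (at least at debug level) so that operators can tell a non-enforcing deployment apart from one where every request carried a valid nonce.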