Peter,

On 11/10/19 19:05, Peter Kreuser wrote:
> Chris,
>
>> On 09.11.2019 at 03:58, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>
>> All,
>>
>> I'm playing with the CsrfPreventionFilter and things are working well in the following situations:
>>
>> <a href="url">link text</a>
>>
>> and
>>
>> <form method="post" action="url"> ... </form>
>>
>> As long as the URL has been passed through request.encodeURL().
>>
>> However, this one is causing me a problem:
>>
>> <form method="GET" action="url"> ... </form>
>>
>> This builds a form like this:
>>
>> <form method="GET" action="https://host/path?org.apache.catalina.filters.CSRF_NONCE=[...]">
>> ...
>> </form>
>>
>> Neither Firefox nor Chrome will send the query string present in a <form> action attribute if the method="GET". The method must be "POST" in order for this to be sent. This is due to the HTML standard[1].
>>
>> Short of changing all <form> methods to "POST", is there any way around this?
>>
>> I have read the code for CsrfPreventionFilter and it does not appear that the nonce is stored anywhere except in the CsrfResponseWrapper for the request (and the session's nonce cache, but that isn't request-specific).
>>
>> Would it be inappropriate to add the CSRF_NONCE to the request attributes so that application code could use it directly if necessary? Something like this:
>>
>> <form method="get" action="url">
>> ...
>> <input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE" value="<%= request.getAttribute("CSRF_NONCE") %>" />
>> </form>
>
> If I remember correctly, this is the way Struts handles CSRF tokens.

I'm not sure what Struts has to do with this. I'm using Tomcat's CSRF filter which apparently cannot work with GET-based forms.

I'm not saying that a GET-based form is a good idea, but we have a bunch of them so I'm looking into how they can be effectively used with this implementation of a CSRF filter.

I'm really surprised this hasn't come up, yet. Maybe nobody actually implements CSRF protection, or maybe nobody uses Tomcat's filter to do it, or maybe nobody uses GET-based HTML <form>s. But I can't believe that I'm the only person in the world who is trying to use all three at once.

> However there the nonce comes directly from the session. Not request.

The nonces are stored in the session, otherwise this wouldn't work. But each request generates a new nonce, and that one would be the "request's nonce".

-chris
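The behaviour discussed in this thread, modelled as an added example that is not part of the original posts or of Tomcat's own code: a browser building a GET form submission replaces the action URL's query string with the form fields, so a nonce that only lives in the encoded action is dropped, while a POST form keeps it; moving the nonce into a hidden input (the workaround proposed above) makes it survive either way. The functions, the nonce value `ABC123` and the sample action URL are constructed for illustration.

```javascript
// Models the HTML form-submission algorithm for method=GET: the action's own
// query string is discarded and replaced by the serialized form fields.
// For POST the action URL is used unchanged and the fields go in the body.
const NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";

function submitForm(method, action, fields) {
  const url = new URL(action);
  const params = new URLSearchParams(fields);
  if (method.toUpperCase() === "GET") {
    url.search = params.toString(); // drops whatever query the action carried
    return { url: url.toString(), body: null };
  }
  return { url: url.toString(), body: params.toString() };
}

// Workaround from the thread: take the nonce out of the encodeURL()-style
// action and hand it back as a hidden field so a GET form still submits it.
function nonceToHiddenField(encodedAction) {
  const url = new URL(encodedAction);
  const nonce = url.searchParams.get(NONCE_PARAM);
  url.searchParams.delete(NONCE_PARAM);
  const fields = nonce ? { [NONCE_PARAM]: nonce } : {};
  return { action: url.toString(), fields };
}

// True if the nonce would actually reach the server (query string or body).
function nonceReaches(method, action, fields) {
  const req = submitForm(method, action, fields);
  const inQuery = new URL(req.url).searchParams.has(NONCE_PARAM);
  const inBody = (req.body ?? "").includes(NONCE_PARAM + "=");
  return inQuery || inBody;
}

// Constructed sample: an action URL as CsrfResponseWrapper would encode it.
const SAMPLE_ACTION = "https://host/path?" + NONCE_PARAM + "=ABC123";
const fixed = nonceToHiddenField(SAMPLE_ACTION);
console.log("GET, nonce only in action :", nonceReaches("GET", SAMPLE_ACTION, { q: "x" }));
console.log("POST, nonce only in action:", nonceReaches("POST", SAMPLE_ACTION, { q: "x" }));
console.log("GET, nonce as hidden field:", nonceReaches("GET", fixed.action, { ...fixed.fields, q: "x" }));
```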