This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new d9fb319 Add debug logging. Based on a PR by Polina Georgieva d9fb319 is described below commit d9fb31905132df032aa9b8f59441744040aa3ad3 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Nov 25 19:02:35 2021 +0000 Add debug logging. Based on a PR by Polina Georgieva
---
 .../catalina/filters/LocalStrings.properties | 3 +++
 .../catalina/filters/RestCsrfPreventionFilter.java | 29 ++++++++++++++++------
 webapps/docs/changelog.xml | 4 +++
 3 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/filters/LocalStrings.properties b/java/org/apache/catalina/filters/LocalStrings.properties
index 5877b76..31f7bd0 100644
--- a/java/org/apache/catalina/filters/LocalStrings.properties
+++ b/java/org/apache/catalina/filters/LocalStrings.properties
@@ -62,7 +62,10 @@ remoteIpFilter.invalidRemoteAddress=Unable to determine the remote host because
 requestFilter.deny=Denied request for [{0}] based on property [{1}]
+restCsrfPreventionFilter.fetch.debug=CSRF Fetch request is successfully handled - nonce is added to the response. Request method: [{0}] and URI [{1}].
 restCsrfPreventionFilter.invalidNonce=CSRF nonce validation failed
+restCsrfPreventionFilter.invalidNonce.debug=CSRF validation for REST failed! Request with method [{0}] and URI [{1}] will be rejected. Details: request has session ID [{2}]; requested session exists [{3}]; csrf nonce in request exists [{4}]; csrf nonce in session exists [{5}].
+restCsrfPreventionFilter.multipleNonce.debug=Different CSRF nonces are sent as request parameters, none of them will be used. Request method: [{0}] and URI [{1}].
 webDavFilter.xpProblem=WebdavFixFilter: the XP-x64-SP2 client is known not to work with WebDAV Servlet
 webDavFilter.xpRootContext=WebdavFixFilter: the XP-x64-SP2 client will only work with the root context 
diff --git a/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java b/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
index 78769ce..b7811bb 100644
--- a/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
@@ -144,16 +144,24 @@ public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
 @Override
 public boolean apply(HttpServletRequest request, HttpServletResponse response) throws IOException {
- if (isValidStateChangingRequest(
- extractNonceFromRequest(request),
- nonceFromSession.getNonce(request.getSession(false), Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME))) {
+
+ String nonceRequest = extractNonceFromRequest(request);
+ HttpSession session = request.getSession(false);
+ String nonceSession = nonceFromSession.getNonce(session, Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME);
+
+ if (isValidStateChangingRequest(nonceRequest, nonceSession)) {
 return true;
 }
 nonceToResponse.setNonce(response, Constants.CSRF_REST_NONCE_HEADER_NAME, Constants.CSRF_REST_NONCE_HEADER_REQUIRED_VALUE);
- response.sendError(getDenyStatus(),
- sm.getString("restCsrfPreventionFilter.invalidNonce"));
+ response.sendError(getDenyStatus(), sm.getString("restCsrfPreventionFilter.invalidNonce"));
+
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("restCsrfPreventionFilter.invalidNonce.debug", request.getMethod(),
+ request.getRequestURI(), Boolean.valueOf(request.getRequestedSessionId() != null),
+ session, Boolean.valueOf(nonceRequest != null), Boolean.valueOf(nonceSession != null)));
+ }
 return false;
 }
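Review bot: In the new debug call in apply(), the fourth argument is the HttpSession object itself (`session`) while the message it fills reads `requested session exists [{3}]` and the neighbouring arguments are all `Boolean.valueOf(...)`; the log line will therefore print the session's toString() rather than true/false, and depending on the session implementation that string may include the session identifier. Pass `Boolean.valueOf(session != null)` instead, which matches the other three existence flags and keeps the message consistent with its placeholder text. The rest of the change is sound: the debug line is guarded, emitted only on the rejection path, and logs whether nonces exist rather than their values. The enclosing class continues outside the hunk.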
@@ -174,12 +182,15 @@ public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
 }
 private String extractNonceFromRequestParams(HttpServletRequest request) {
- String[] params = nonceFromRequestParams.getNonce(request,
- Constants.CSRF_REST_NONCE_HEADER_NAME);
+ String[] params = nonceFromRequestParams.getNonce(request, Constants.CSRF_REST_NONCE_HEADER_NAME);
 if (Objects.nonNull(params) && params.length > 0) {
 String nonce = params[0];
 for (String param : params) {
 if (!Objects.equals(param, nonce)) {
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("restCsrfPreventionFilter.multipleNonce.debug",
+ request.getMethod(), request.getRequestURI()));
+ }
 return null;
 }
 }
@@ -205,6 +216,10 @@ public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
 }
 nonceToResponse.setNonce(response, Constants.CSRF_REST_NONCE_HEADER_NAME, nonceFromSessionStr);
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("restCsrfPreventionFilter.fetch.debug",
+ request.getMethod(), request.getRequestURI()));
+ }
 }
 return true;
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4d495d0..6524485 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -128,6 +128,10 @@
 <code>org.apache.juli.AsyncLoggerPollInterval</code>. If set, this property now has no effect. (markt)
 </update>
+ <add>
+ Add debug logging to the <code>RestCsrfPreventionFilter</code>. Based on
+ pull request <pr>452</pr> by Polina Georgieva. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
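Review bot: Both new debug messages here, in extractNonceFromRequestParams and in the fetch branch, log `request.getRequestURI()`; as far as I can tell that is the raw request URI including path parameters, so when URL-based session tracking is enabled the line can contain `;jsessionid=<id>` and a session identifier ends up in the debug log. Either strip path parameters before logging or document the exposure at the call sites, e.g. `// NOTE: the URI may carry ;jsessionid=... when URL session tracking is enabled; debug only`. Keeping this at debug level and never logging the nonce values themselves is the right call and should stay that way. extractNonceFromRequestParams ends outside the hunk, and the fetch branch's enclosing method starts outside it.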