This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new d9fb319 Add debug logging. Based on a PR by Polina Georgieva
d9fb319 is described below
commit d9fb31905132df032aa9b8f59441744040aa3ad3
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Nov 25 19:02:35 2021 +0000
Add debug logging. Based on a PR by Polina Georgieva
---
.../catalina/filters/LocalStrings.properties | 3 +++
.../catalina/filters/RestCsrfPreventionFilter.java | 29 ++++++++++++++++------
webapps/docs/changelog.xml | 4 +++
3 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/filters/LocalStrings.properties
b/java/org/apache/catalina/filters/LocalStrings.properties
index 5877b76..31f7bd0 100644
--- a/java/org/apache/catalina/filters/LocalStrings.properties
+++ b/java/org/apache/catalina/filters/LocalStrings.properties
@@ -62,7 +62,10 @@ remoteIpFilter.invalidRemoteAddress=Unable to determine the
remote host because
requestFilter.deny=Denied request for [{0}] based on property [{1}]
+restCsrfPreventionFilter.fetch.debug=CSRF Fetch request is successfully
handled - nonce is added to the response. Request method: [{0}] and URI [{1}].
restCsrfPreventionFilter.invalidNonce=CSRF nonce validation failed
+restCsrfPreventionFilter.invalidNonce.debug=CSRF validation for REST failed!
Request with method [{0}] and URI [{1}] will be rejected. Details: request has
session ID [{2}]; requested session exists [{3}]; csrf nonce in request exists
[{4}]; csrf nonce in session exists [{5}].
+restCsrfPreventionFilter.multipleNonce.debug=Different CSRF nonces are sent as
request parameters, none of them will be used. Request method: [{0}] and URI
[{1}].
webDavFilter.xpProblem=WebdavFixFilter: the XP-x64-SP2 client is known not to
work with WebDAV Servlet
webDavFilter.xpRootContext=WebdavFixFilter: the XP-x64-SP2 client will only
work with the root context
diff --git a/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
b/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
index 78769ce..b7811bb 100644
--- a/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
@@ -144,16 +144,24 @@ public class RestCsrfPreventionFilter extends
CsrfPreventionFilterBase {
@Override
public boolean apply(HttpServletRequest request, HttpServletResponse
response)
throws IOException {
- if (isValidStateChangingRequest(
- extractNonceFromRequest(request),
- nonceFromSession.getNonce(request.getSession(false),
Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME))) {
+
+ String nonceRequest = extractNonceFromRequest(request);
+ HttpSession session = request.getSession(false);
+ String nonceSession = nonceFromSession.getNonce(session,
Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME);
+
+ if (isValidStateChangingRequest(nonceRequest, nonceSession)) {
return true;
}
nonceToResponse.setNonce(response,
Constants.CSRF_REST_NONCE_HEADER_NAME,
Constants.CSRF_REST_NONCE_HEADER_REQUIRED_VALUE);
- response.sendError(getDenyStatus(),
- sm.getString("restCsrfPreventionFilter.invalidNonce"));
+ response.sendError(getDenyStatus(),
sm.getString("restCsrfPreventionFilter.invalidNonce"));
+
+ if (getLogger().isDebugEnabled()) {
+
getLogger().debug(sm.getString("restCsrfPreventionFilter.invalidNonce.debug",
request.getMethod(),
+ request.getRequestURI(),
Boolean.valueOf(request.getRequestedSessionId() != null),
+ session, Boolean.valueOf(nonceRequest != null),
Boolean.valueOf(nonceSession != null)));
+ }
return false;
}
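Review bot: The fourth argument to the `restCsrfPreventionFilter.invalidNonce.debug` message at the end of this hunk passes the `HttpSession` object itself, while the message text ("requested session exists [{3}]") expects a true/false value like the neighbouring placeholders; the debug line will therefore print the session's toString() rather than whether a session exists. Change `session, Boolean.valueOf(nonceRequest != null),` to `Boolean.valueOf(session != null), Boolean.valueOf(nonceRequest != null),`. The `{2}` slot reads "request has session ID" but receives `Boolean.valueOf(request.getRequestedSessionId() != null)`, which is consistent only if the wording is read as a yes/no; renaming that placeholder text to "requested session ID present [{2}]" in LocalStrings.properties would make the two booleans unambiguous. The whole body of apply() is visible in this hunk.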
@@ -174,12 +182,15 @@ public class RestCsrfPreventionFilter extends
CsrfPreventionFilterBase {
}
private String extractNonceFromRequestParams(HttpServletRequest
request) {
- String[] params = nonceFromRequestParams.getNonce(request,
- Constants.CSRF_REST_NONCE_HEADER_NAME);
+ String[] params = nonceFromRequestParams.getNonce(request,
Constants.CSRF_REST_NONCE_HEADER_NAME);
if (Objects.nonNull(params) && params.length > 0) {
String nonce = params[0];
for (String param : params) {
if (!Objects.equals(param, nonce)) {
+ if (getLogger().isDebugEnabled()) {
+
getLogger().debug(sm.getString("restCsrfPreventionFilter.multipleNonce.debug",
+ request.getMethod(),
request.getRequestURI()));
+ }
return null;
}
}
@@ -205,6 +216,10 @@ public class RestCsrfPreventionFilter extends
CsrfPreventionFilterBase {
}
nonceToResponse.setNonce(response,
Constants.CSRF_REST_NONCE_HEADER_NAME,
nonceFromSessionStr);
+ if (getLogger().isDebugEnabled()) {
+
getLogger().debug(sm.getString("restCsrfPreventionFilter.fetch.debug",
+ request.getMethod(), request.getRequestURI()));
+ }
}
return true;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4d495d0..6524485 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -128,6 +128,10 @@
<code>org.apache.juli.AsyncLoggerPollInterval</code>. If set, this
property now has no effect. (markt)
</update>
+ <add>
+ Add debug logging to the <code>RestCsrfPreventionFilter</code>. Based
on
+ pull request <pr>452</pr> by Polina Georgieva. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">