Re: [PR] Csrf filter improvements [tomcat]

via GitHub Thu, 21 Dec 2023 13:04:39 -0800


michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434512783



##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest 
request) {
 
         String requestedPath = getRequestedPath(request);
 
-        if (!entryPoints.contains(requestedPath)) {
-            return false;
+        if (entryPoints.contains(requestedPath)) {
+            if (log.isTraceEnabled()) {
+                log.trace("Skipping CSRF nonce-check for GET request to entry 
point " + requestedPath);
+            }
+
+            return true;
         }
 
-        if (log.isTraceEnabled()) {
-            log.trace("Skipping CSRF nonce-check for GET request to entry 
point " + requestedPath);
+        if (null != noNoncePredicates && !noNoncePredicates.isEmpty()) {
+            for (Predicate<String> p : noNoncePredicates) {
+                if (p.test(requestedPath)) {
+                    if (log.isTraceEnabled()) {
+                        log.trace("Skipping CSRF nonce-check for GET request 
to no-nonce path " + requestedPath);

Review Comment:
   Agreed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [PR] Csrf filter improvements [tomcat]

Reply via email to