[Owasp-csrfguard] uploading files

Eric Sheridan eric.sheridan at owasp.org
Mon Apr 4 11:13:45 EDT 2011


Eike,

Welcome to the list and thanks for helping test out the newly added
multipart support. Looks like I really need to revisit the multi-part
support code and associated test cases. I'm not sure the "/** skip files
**/" part matters as I (possibly incorrectly) thought that higher level
classes would call getInputStream and parse it into their own Multipart
request object as Spring does.

I'm going to take a much closer look at how the Spring guys did it. I'm
adding this to the GitHub issues as we speak. If you have time/interest,
please feel free to take a crack at this and I'd gladly integrate your
changes into the baseline along with appropriate attribution.

-Eric

On 3/29/11 3:09 AM, Eike Hirsch wrote:
> Hi Eric, hi list,
> 
> this is my first post - thanks for this project!
> 
> For the background: I am trying to integrate the csrf-guard in a yui3 - spring mvc application.
> 
> With the multipart stuff in place I had a hard time fixing my upload-forms. I was able to secure the upload now, but it seemed that the csrf-filter always removed the uploaded files from the request.
> So I dove a little bit into the sources. I think there might be a problem in org.owasp.csrfguard.http.MultipartHttpServletRequest:
> 
> --- 
> public MultipartHttpServletRequest(HttpServletRequest request) throws IOException {
> ...
> 	if(fileItem.isFormField()) {
> 		List<String> values = parameters.get(fileItem.getFieldName());
> 					
> 		if(values == null) {
> 			values = new ArrayList<String>();
> 			parameters.put(fileItem.getFieldName(), values);
> 		}
> 					
> 		values.add(fileItem.getString());
> 	} else {
> 		/** skip files **/                                                      <----------------------------- ???
> 	}
> }
> ---
> skip files???? 
> 
> I don't know if this is really a problem but after wrapping the request in this wrapper - spring was not able to extract any files out of the request anymore. For a quick fix I changed the csrf-filter in line 60. 
> 
> old:
> 	httpRequest = new MultipartHttpServletRequest(httpRequest);
> new:
> 	httpRequest = new CommonsMultipartResolver().resolveMultipart(httpRequest);
> 
> 
> The CommonsMultipartResolver is a Spring class, so I guess this will not fix the general problem. But if there were a way to plug in a MultipartResolver as needed, this problem could get fixed - I guess.
> The filter could get a setter for its resolver, which in turn would need to implement a new csrf-guard interface (something like Spring's org.springframework.web.multipart.MultipartResolver).
> With such a resolver in place the filter would be able to clean up any temporary files created during "resolveMultipart" once the filter chain finishes.
> 
> Any thoughts?
> 
> Eike  
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
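The pluggable-resolver idea from the thread, as an added example that is not part of the original post or of the CSRFGuard code base: a request wrapper that keeps the file items instead of skipping them, a commons-fileupload backed resolver behind a hypothetical CsrfMultipartResolver interface, and the filter step that wraps the request, lets the chain run, and removes temporary files in a finally block. It assumes the Servlet API and commons-fileupload on the classpath; every class and method name here (CsrfMultipartResolver, CsrfMultipartRequest, CommonsFileUploadResolver, MultipartAwareFilterStep) is invented for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Hypothetical plug-in point, loosely modelled on Spring's MultipartResolver (not CSRFGuard code). */
interface CsrfMultipartResolver {
    boolean isMultipart(HttpServletRequest request);
    CsrfMultipartRequest resolve(HttpServletRequest request) throws IOException;
    void cleanup(CsrfMultipartRequest request);
}

/** Wrapper that exposes form fields as parameters AND keeps the uploaded parts (hypothetical). */
class CsrfMultipartRequest extends HttpServletRequestWrapper {
    private final Map<String, List<String>> fields = new HashMap<>();
    private final Map<String, List<FileItem>> files = new HashMap<>();
    CsrfMultipartRequest(HttpServletRequest request, List<FileItem> items) {
        super(request);
        for (FileItem item : items) {
            if (item.isFormField()) {
                // text fields (including the CSRF token field) become ordinary parameters
                fields.computeIfAbsent(item.getFieldName(), k -> new ArrayList<>()).add(item.getString());
            } else {
                // keep the file part instead of silently dropping it
                files.computeIfAbsent(item.getFieldName(), k -> new ArrayList<>()).add(item);
            }
        }
    }
    /** Every uploaded part, for the application (or an adapter) to consume and for cleanup. */
    public List<FileItem> getAllFiles() {
        List<FileItem> all = new ArrayList<>();
        for (List<FileItem> list : files.values()) all.addAll(list);
        return all;
    }
    @Override public String getParameter(String name) {
        String[] values = getParameterValues(name);
        return values == null ? null : values[0];
    }
    @Override public String[] getParameterValues(String name) {
        List<String> list = fields.get(name);
        return list == null ? null : list.toArray(new String[list.size()]);
    }
    @Override public Map<String, String[]> getParameterMap() {
        Map<String, String[]> map = new HashMap<>();
        for (String name : fields.keySet()) map.put(name, getParameterValues(name));
        return map;
    }
}

/** commons-fileupload backed resolver; size limits reject an oversized body while parsing. */
class CommonsFileUploadResolver implements CsrfMultipartResolver {
    private final ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
    CommonsFileUploadResolver(long maxRequestBytes, long maxFileBytes) {
        upload.setSizeMax(maxRequestBytes);   // whole request body
        upload.setFileSizeMax(maxFileBytes);  // each single file part
    }
    public boolean isMultipart(HttpServletRequest request) {
        return ServletFileUpload.isMultipartContent(request);
    }
    @SuppressWarnings("unchecked") // older commons-fileupload versions return a raw List
    public CsrfMultipartRequest resolve(HttpServletRequest request) throws IOException {
        try {
            return new CsrfMultipartRequest(request, (List<FileItem>) upload.parseRequest(request));
        } catch (FileUploadException e) {
            throw new IOException("multipart parse failed", e);
        }
    }
    public void cleanup(CsrfMultipartRequest request) {
        for (FileItem item : request.getAllFiles()) item.delete(); // remove temp files on disk
    }
}

/** What the filter's doFilter would do with a configured resolver (hypothetical). */
class MultipartAwareFilterStep {
    static void process(CsrfMultipartResolver resolver, HttpServletRequest httpRequest,
                        HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!resolver.isMultipart(httpRequest)) { chain.doFilter(httpRequest, response); return; }
        CsrfMultipartRequest wrapped = resolver.resolve(httpRequest);
        try {
            // token validation reads wrapped.getParameter(tokenName); file parts stay reachable
            chain.doFilter(wrapped, response);
        } finally {
            resolver.cleanup(wrapped); // runs even when the chain throws
        }
    }
}
```

Two points worth keeping in mind with this shape: the wrapper consumes the request body once, so anything downstream that tries to re-parse the stream itself (as Spring's own resolver does) still sees no files and must instead read the already-parsed items from the wrapper; and the size limits belong on the resolver, because the token check only runs after the whole body has been parsed onto disk.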