[Owasp-csrfguard] "multipart/form-data" form not working on Java

Eric Sheridan eric.sheridan at owasp.org
Tue Feb 22 16:36:14 EST 2011


Marcos,

Unfortunately, JavaEE 5 and below do not have built in support for
multipart requests. JavaEE 6 exposes API for working with multipart
requests (ex: request.getPart) so it should work out of the box. Please
note that is an untested claim.

To properly fix this, CSRFGuard would have to support multi-part
requests similar to the strategy you are taking. No quick fix for this
one, unfortunately. Let me know how your effort goes. I'd like to use it
as a reference for CSRFGuard, if possible.

-Eric

On 2/18/11 11:45 AM, Marcos Felipe wrote:
> Hi there,
> 
> I'm mailing to you as last resort, I could not find anything on the web
> about this issue on CSRFGuard for java.
> 
> The thing is: if your form have enctype="multipart/form-data",
> HttpServletRequest.getParameter() method will always return null and
> CSRFGuard will never find the key.
> 
> I'm trying to fix it using Oreilly's MultipartRequest (
> http://www.servlets.com/cos/index.html), but I don't know if this is the
> best approach.
> 
> Did anyone ever saw this?
> 
> Thanks and best regards,
> Marcos
> 
> 
> 
> 
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard



More information about the Owasp-csrfguard mailing list