[Owasp-csrfguard] Redirect with token not working when query parameters present and TokenPerPage=true
pradtke at stanford.edu
Wed Jul 6 13:58:09 EDT 2011
I'm not sure how to submit a patch via github so I've attached one here.
I didn't see any place for unit tests in the current code base, so my
manual in one of our apps.
On 7/5/11 5:07 PM, Patrick Radtke wrote:
> I needed support for appending the CSRF token as part of a redirect.
> I saw this feature was available in git, but there is a bug that prevents it
> from working when query parameters are present.
> Basically 'isValidRequest' ignores query params, while 'getTokenValue'
> I access
> which redirects to
> After adding CSRF Guard
> I access
> the per page token is stored under the key '/AccountApp/editmf'
> The redirect is to '/AccountApp/editmf?execution=e1s1' which
> doesn't match the key, so the session token is used to construct the
> redirect url
> This happens in 'getTokenValue()'
> However, when isValidRequest runs after the redirect, only
> '/AccountApp/editmf' is used to check the pageTokens map,
> so the token no longer matches.
> The 'location' needs the query params stripped off. I'm not familiar enough
> with servlets to know if there is standard call to do that.
> (approx line 75 of CsrfGuardFilter)
> String location = redirectResponse.getLocation()
> This all works fine if TokenPerPage=false.
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
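A constructed model of the key mismatch described in the report, added here as an illustration and not code from CSRFGuard: the per-page token is stored under the servlet request URI (which never carries a query string), the redirect side looks it up by the raw Location, misses, and falls back to the session token, so the follow-up request fails validation. The class and function names, and the `csrf_token` parameter name, are assumptions; `page_key` is the fix (strip query string and fragment before the lookup).

```python
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "csrf_token"  # assumed parameter name, not CSRFGuard's configured TokenName


class PageTokens:
    """Constructed model of the TokenPerPage=true store: one token per request URI."""

    def __init__(self, session_token):
        self.session_token = session_token
        self.page_tokens = {}  # request URI (never carries a query string) -> token

    def visit(self, request_uri):
        # First request to a page stores its token under the servlet request URI
        return self.page_tokens.setdefault(request_uri, secrets.token_hex(16))

    def is_valid_request(self, request_uri, presented):
        # Validation side: the per-page token wins when the URI is known
        expected = self.page_tokens.get(request_uri, self.session_token)
        return secrets.compare_digest(expected, presented)


def page_key(location):
    """Reduce a redirect Location (relative or absolute) to the request-URI key by
    dropping query string and fragment: '/AccountApp/editmf?execution=e1s1' -> '/AccountApp/editmf'."""
    return urlsplit(location).path or "/"


def token_for_location(store, location, strip_query):
    # Redirect side (the report's getTokenValue): page token if the key is known,
    # otherwise the session token. Keying by the raw location is the bug.
    key = page_key(location) if strip_query else location
    return store.page_tokens.get(key, store.session_token)


def redirect_with_token(store, location, strip_query):
    token = token_for_location(store, location, strip_query)
    sep = "&" if "?" in location else "?"
    return f"{location}{sep}{TOKEN_PARAM}={token}"


def round_trip(strip_query):
    """Replay the report: visit the page, get redirected to it with a query string,
    then validate the follow-up request. True means the presented token matched."""
    store = PageTokens(session_token="session-" + secrets.token_hex(8))
    store.visit("/AccountApp/editmf")
    url = redirect_with_token(store, "/AccountApp/editmf?execution=e1s1", strip_query)
    parts = urlsplit(url)
    presented = parse_qs(parts.query)[TOKEN_PARAM][0]
    return store.is_valid_request(parts.path, presented)
```

`round_trip(False)` reproduces the failure from the report and `round_trip(True)` shows the same flow passing once the lookup key is normalised.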