[Owasp-csrfguard] Possible bug in InterceptRedirectResponse class

Gaurav Katiyar kgarryster at gmail.com
Mon Nov 5 12:47:26 UTC 2012


Hi All,

I am using the CSRF Guard project in a web application and I think
there is a bug in the latest code.

https://github.com/esheri3/OWASP-CSRFGuard/blame/master/Owasp.CsrfGuard/src/org/owasp/csrfguard/http/InterceptRedirectResponse.java

The class InterceptRedirectResponse on line 21 has the following:

if (!location.contains("://") && (csrfGuard.isProtectedPage(location)
|| csrfGuard.isUnprotectedMethod("GET"))) {

// code to add the token to the redirected URL

}

which says: if the redirect is to the same domain, and the page is protected or
GET is not protected, then add the token to the URL.

But I think it should be:

if the redirect is to the same domain, and the page is protected and GET is
protected, then add the CSRF token.

if (!location.contains("://") && csrfGuard.isProtectedPage(location)
&& !csrfGuard.isUnprotectedMethod("GET")) {

// code to add the token to the redirected URL

}

Have I understood this incorrectly?

Please help.

Thanks,
Gaurav
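A small model of the two conditions quoted above, added here as an illustration and not code from CSRFGuard: RedirectPolicy, its prefix-based is_protected_page and the token name are assumptions standing in for the CsrfGuard calls, and both conditions are evaluated over constructed redirect targets so the cases where they disagree are visible.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical stand-in for the CsrfGuard calls used in the post
# (isProtectedPage / isUnprotectedMethod); not the project's own class.
class RedirectPolicy:
    def __init__(self, protected_prefixes, unprotected_methods):
        self.protected_prefixes = tuple(protected_prefixes)
        self.unprotected_methods = {m.upper() for m in unprotected_methods}

    def is_protected_page(self, location):
        # Assumed rule: a page is protected when its path has a protected prefix.
        return urlsplit(location).path.startswith(self.protected_prefixes)

    def is_unprotected_method(self, method):
        return method.upper() in self.unprotected_methods

def is_relative(location):
    # Mirrors the "same domain" test on the page: a location containing
    # "://" is treated as an absolute URL and receives no token.
    return "://" not in location

def original_condition(policy, location):
    # Condition as quoted from InterceptRedirectResponse in the post.
    return is_relative(location) and (
        policy.is_protected_page(location) or policy.is_unprotected_method("GET"))

def proposed_condition(policy, location):
    # Condition the poster suggests instead.
    return (is_relative(location) and policy.is_protected_page(location)
            and not policy.is_unprotected_method("GET"))

def add_token(location, token_name, token_value):
    # Append the token as a query parameter, keeping an existing query
    # string and fragment intact.
    parts = urlsplit(location)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((token_name, token_value))
    return urlunsplit(parts._replace(query=urlencode(query)))

def compare(policy, locations):
    # Map each redirect target to (original decision, proposed decision).
    return {loc: (original_condition(policy, loc), proposed_condition(policy, loc))
            for loc in locations}

if __name__ == "__main__":
    # Constructed configuration: /account is protected, GET is unprotected.
    policy = RedirectPolicy(["/account"], ["GET"])
    targets = ["/account/settings", "/public/help", "https://example.org/login"]
    for loc, (orig, prop) in compare(policy, targets).items():
        print(f"{loc}: original={orig} proposed={prop}")
    print(add_token("/account/settings?x=1#top", "CSRF_TOKEN", "constructed"))
```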

