[Owasp-csrfguard] Possible bug in InterceptRedirectResponse class

Eric Sheridan eric.sheridan at owasp.org
Mon Nov 5 13:27:28 UTC 2012


I think you understand it correctly. Care to submit a patch/pull request?

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 11/5/12 7:47 AM, Gaurav Katiyar wrote:
> Hi All,
> 
> I am using the CSRF Guard project in a web application and I think
> there is a bug in the latest code.
> 
> https://github.com/esheri3/OWASP-CSRFGuard/blame/master/Owasp.CsrfGuard/src/org/owasp/csrfguard/http/InterceptRedirectResponse.java
> 
> The class InterceptRedirectResponse on line 21 has the following
> 
> if (!location.contains("://") && (csrfGuard.isProtectedPage(location)
> || csrfGuard.isUnprotectedMethod("GET"))) {
> 
> // code to add the token to the redirected URL
> 
> }
> 
> which says: if the redirect is to the same domain and the page is protected or
> GET is not protected, then add the token to the URL,
> 
> but I think it should be
> 
> if the redirect is to the same domain and the page is protected and GET is
> protected, then add the CSRF token:
> 
> if (!location.contains("://") && csrfGuard.isProtectedPage(location)
> && !csrfGuard.isUnprotectedMethod("GET")) {
> 
> // code to add the token to the redirected URL
> 
> }
> 
> Have I understood this incorrectly?
> 
> Please help.
> 
> Thanks,
> Gaurav

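To make the difference between the two conditions concrete, here is an added example (not CSRFGuard's own code) that models both predicates from the thread in Python, with hypothetical helper and token names, and enumerates the cases where they disagree:

```python
# Added example, not CSRFGuard's code: models the redirect-interception
# predicate from InterceptRedirectResponse in its original and corrected form.
from urllib.parse import urlencode

TOKEN_NAME = "OWASP_CSRFTOKEN"  # hypothetical stand-in for the configured token name


def is_same_domain(location: str) -> bool:
    # Mirrors the `!location.contains("://")` check: a URL with a scheme is
    # treated as off-site and never gets the token appended.
    return "://" not in location


def original_should_add_token(location, page_protected, get_unprotected):
    # Condition as quoted in the post: protected page OR GET is unprotected.
    return is_same_domain(location) and (page_protected or get_unprotected)


def corrected_should_add_token(location, page_protected, get_unprotected):
    # Condition as proposed in the post: protected page AND GET is not unprotected.
    return is_same_domain(location) and page_protected and not get_unprotected


def decorate(location, token, should_add):
    # Append the token as a query parameter when the predicate says so.
    if not should_add:
        return location
    sep = "&" if "?" in location else "?"
    return f"{location}{sep}{urlencode({TOKEN_NAME: token})}"


def divergent_cases():
    """Return every (location, page_protected, get_unprotected, original, corrected)
    combination where the two predicates give different answers."""
    out = []
    for location in ("/account/transfer", "https://other.example/page"):  # constructed
        for page_protected in (False, True):
            for get_unprotected in (False, True):
                a = original_should_add_token(location, page_protected, get_unprotected)
                b = corrected_should_add_token(location, page_protected, get_unprotected)
                if a != b:
                    out.append((location, page_protected, get_unprotected, a, b))
    return out
```

Running `divergent_cases()` shows the original condition appends the token to every same-domain redirect whenever GET is an unprotected method, including redirects to unprotected pages, while the corrected condition only does so for protected pages when GET is protected.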
