[Owasp-csrfguard] Possible bug in InterceptRedirectResponse class

Jason.Lindquist at securian.com Jason.Lindquist at securian.com
Mon Nov 5 13:51:38 UTC 2012


See the following pull request which fixes this issue: 
https://github.com/esheri3/OWASP-CSRFGuard/pull/30 



Jason C Lindquist
Sr. Analyst, Development Support, Information Technology | Securian Financial Group
400 Robert Street North | St. Paul, MN 55101-2098
651-665-5771
jason.lindquist at securian.com | www.securian.com

Securian Financial Group | Financial security for the long run ®


This email transmission and any file attachments may contain confidential 
information intended solely for the use of the individual or entity to 
whom it is addressed. If you have received this email message in error, 
please notify the sender and delete this email from your system. If you 
are not the intended recipient, you may not disclose, copy, or distribute 
the contents of this email. 



From:   Eric Sheridan <eric.sheridan at owasp.org>
To:     owasp-csrfguard at lists.owasp.org
Date:   11/05/2012 07:27 AM
Subject:        Re: [Owasp-csrfguard] Possible bug in InterceptRedirectResponse class
Sent by:        owasp-csrfguard-bounces at lists.owasp.org



I think you understand it correctly. Care to submit a patch/pull request?

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 11/5/12 7:47 AM, Gaurav Katiyar wrote:
> Hi All,
> 
> I am using the CSRF Guard project in a web application and I think
> there is a bug in the latest code.
> 
> 
> https://github.com/esheri3/OWASP-CSRFGuard/blame/master/Owasp.CsrfGuard/src/org/owasp/csrfguard/http/InterceptRedirectResponse.java
> 
> The class InterceptRedirectResponse on line 21 has the following
> 
> if (!location.contains("://") && (csrfGuard.isProtectedPage(location)
> || csrfGuard.isUnprotectedMethod("GET"))) {
> 
> // code to add the token to the redirected URL
> 
> }
> 
> which says: if the redirect is to the same domain, and the page is protected or
> GET is not protected, then add the token to the URL,
> 
> but I think it should be
> 
> if the redirect is to the same domain, and the page is protected and GET is
> protected, then add the CSRF token:
> 
> if (!location.contains("://") && csrfGuard.isProtectedPage(location)
> && !csrfGuard.isUnprotectedMethod("GET")) {
> 
> // code to add the token to the redirected URL
> 
> }
> 
> Have I understood this incorrectly?
> 
> Please help.
> 
> Thanks,
> Gaurav
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
> 
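Worked example, added here and not taken from the CSRFGuard project or from anyone in this thread: the condition quoted from InterceptRedirectResponse and the condition proposed in the thread are evaluated side by side over a few constructed redirect targets, with and without GET listed as an unprotected method. CsrfGuardStub is an assumed stand-in for the two CsrfGuard calls the condition uses (isProtectedPage, isUnprotectedMethod); the protected-page set, the token name and the token value are constructed sample data, not the project's defaults.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Stand-in for the two CsrfGuard calls used in the quoted condition.
// Assumption: constructed for this example; CSRFGuard's own CsrfGuard class
// reads these answers from its configuration instead of from fixed sets.
final class CsrfGuardStub {
    private final Set<String> protectedPages;
    private final Set<String> unprotectedMethods;

    CsrfGuardStub(Set<String> protectedPages, Set<String> unprotectedMethods) {
        this.protectedPages = protectedPages;
        this.unprotectedMethods = unprotectedMethods;
    }

    // Simplification: a page is protected if its path (query string dropped) is listed.
    boolean isProtectedPage(String page) {
        int q = page.indexOf('?');
        String path = q >= 0 ? page.substring(0, q) : page;
        return protectedPages.contains(path);
    }

    boolean isUnprotectedMethod(String method) {
        return unprotectedMethods.contains(method);
    }
}

public final class RedirectTokenDecision {

    // The condition as quoted from InterceptRedirectResponse in the thread.
    static boolean originalCondition(CsrfGuardStub guard, String location) {
        return !location.contains("://")
                && (guard.isProtectedPage(location) || guard.isUnprotectedMethod("GET"));
    }

    // The condition proposed in the thread: same domain, protected page,
    // and GET is itself a protected method.
    static boolean proposedCondition(CsrfGuardStub guard, String location) {
        return !location.contains("://")
                && guard.isProtectedPage(location)
                && !guard.isUnprotectedMethod("GET");
    }

    // Appends the token to the Location value only when the proposed condition holds.
    // tokenName and tokenValue are placeholders; the real filter takes them from
    // its configuration and the user's session.
    static String encodeRedirectUrl(CsrfGuardStub guard, String location,
                                    String tokenName, String tokenValue) {
        if (!proposedCondition(guard, location)) {
            return location;
        }
        String separator = location.contains("?") ? "&" : "?";
        return location + separator
                + URLEncoder.encode(tokenName, StandardCharsets.UTF_8)
                + "=" + URLEncoder.encode(tokenValue, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> protectedPages = Set.of("/account/transfer", "/account/settings");
        String[] locations = {
            "/account/transfer",                 // protected page, same domain
            "/account/settings?tab=security",    // protected page with a query string
            "/public/help",                      // unprotected page, same domain
            "https://other.example/login"        // different domain
        };
        for (boolean getUnprotected : new boolean[] {false, true}) {
            CsrfGuardStub guard = new CsrfGuardStub(protectedPages,
                    getUnprotected ? Set.of("GET") : Set.of());
            System.out.println("GET listed as unprotected method: " + getUnprotected);
            for (String location : locations) {
                System.out.printf("  %-34s original=%-5b proposed=%-5b -> %s%n",
                        location,
                        originalCondition(guard, location),
                        proposedCondition(guard, location),
                        encodeRedirectUrl(guard, location,
                                "CSRF_TOKEN_NAME_PLACEHOLDER", "example-token-value"));
            }
        }
    }
}
```

The rows where the two columns differ are the point of the thread: with GET marked unprotected, the quoted condition appends the token to every same-domain redirect, including unprotected pages, while the proposed condition appends it only when the target page is protected and a GET to it would actually be checked. Keeping the token out of URLs that do not need it also limits where the token value ends up (server logs, browser history, Referer headers), which is why the narrower condition is the safer default.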
