[Owasp-csrfguard] Possible bug in InterceptRedirectResponse class

Gaurav Katiyar kgarryster at gmail.com
Mon Nov 5 14:16:18 UTC 2012


Just noticed that there is already a pull request from jason-lindquist
which addresses this bug (#30).

Any ideas when this will be merged to master?

Thanks,

On 5 November 2012 13:27, Eric Sheridan <eric.sheridan at owasp.org> wrote:
> I think you understand it correctly. Care to submit a patch/pull request?
>
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
>
> On 11/5/12 7:47 AM, Gaurav Katiyar wrote:
>> Hi All,
>>
>> I am using the CSRF Guard project in a web application and I think
>> there is a bug in the latest code.
>>
>> https://github.com/esheri3/OWASP-CSRFGuard/blame/master/Owasp.CsrfGuard/src/org/owasp/csrfguard/http/InterceptRedirectResponse.java
>>
>> The class InterceptRedirectResponse on line 21 has the following
>>
>> if (!location.contains("://") && (csrfGuard.isProtectedPage(location)
>> || csrfGuard.isUnprotectedMethod("GET"))) {
>>
>> // code to add the token to the redirected URL
>>
>> }
>>
>> which says: if the redirect is to the same domain and the page is protected or
>> GET is not protected, then add the token to the URL,
>>
>> but I think it should be
>>
>> if the redirect is to the same domain and the page is protected and GET is
>> protected, then add the CSRF token:
>>
>> if (!location.contains("://") && csrfGuard.isProtectedPage(location)
>> && !csrfGuard.isUnprotectedMethod("GET")) {
>>
>> // code to add the token to the redirected URL
>>
>> }
>>
>> Have I understood this incorrectly?
>>
>> Please help.
>>
>> Thanks,
>> Gaurav
>> _______________________________________________
>> Owasp-csrfguard mailing list
>> Owasp-csrfguard at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>>
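Worked example, added here and not part of the thread or of the CSRFGuard code base: the condition quoted from InterceptRedirectResponse and the condition proposed in the report, evaluated side by side over every combination of "page protected" and "GET unprotected", plus an external redirect. GuardConfig is a stand-in for the two CsrfGuard queries the condition calls, not the real org.owasp.csrfguard.CsrfGuard class, and the page paths are constructed.

```java
import java.util.Set;

// Stand-in for the two CsrfGuard lookups used by the condition; constructed
// for this example, not the real CsrfGuard class.
final class GuardConfig {
    private final Set<String> protectedPages;
    private final Set<String> unprotectedMethods;

    GuardConfig(Set<String> protectedPages, Set<String> unprotectedMethods) {
        this.protectedPages = protectedPages;
        this.unprotectedMethods = unprotectedMethods;
    }

    boolean isProtectedPage(String location) { return protectedPages.contains(location); }
    boolean isUnprotectedMethod(String method) { return unprotectedMethods.contains(method); }
}

public final class RedirectTokenCheck {
    // Condition as quoted from InterceptRedirectResponse in the report.
    static boolean original(GuardConfig g, String location) {
        return !location.contains("://")
            && (g.isProtectedPage(location) || g.isUnprotectedMethod("GET"));
    }

    // Condition proposed in the report: same domain AND protected page AND GET protected.
    static boolean proposed(GuardConfig g, String location) {
        return !location.contains("://")
            && g.isProtectedPage(location)
            && !g.isUnprotectedMethod("GET");
    }

    public static void main(String[] args) {
        // Constructed locations: one protected page, one unprotected page, one external URL.
        String[] locations = {"/account/transfer", "/public/help", "http://other.example/"};
        System.out.printf("%-24s %-12s %-9s %-9s%n", "location", "GET unprot.", "original", "proposed");
        for (boolean getUnprotected : new boolean[] {false, true}) {
            Set<String> methods = getUnprotected ? Set.of("GET") : Set.<String>of();
            GuardConfig g = new GuardConfig(Set.of("/account/transfer"), methods);
            for (String loc : locations) {
                boolean o = original(g, loc);
                boolean p = proposed(g, loc);
                // Rows marked "differs" are the redirects where the original code
                // appends the token although the proposed condition would not.
                System.out.printf("%-24s %-12b %-9b %-9b%s%n",
                                  loc, getUnprotected, o, p, o != p ? "  <-- differs" : "");
            }
        }
    }
}
```

The table shows that the two conditions never disagree in the other direction: whenever the proposed condition appends the token, the original does too, so the difference is only the redirects where the original appends a token that is not needed.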

