[Owasp-csrfguard] Possible bug in InterceptRedirectResponse class

Eric Sheridan eric.sheridan at owasp.org
Mon Nov 5 16:24:22 UTC 2012


I just merged them - apologies for the delay.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 11/5/12 9:16 AM, Gaurav Katiyar wrote:
> Just noticed that there is already a pull request from jason-lindquist
> which addresses this bug (#30).
> 
> Any ideas when this will be merged to master?
> 
> Thanks,
> 
> On 5 November 2012 13:27, Eric Sheridan <eric.sheridan at owasp.org> wrote:
>> I think you understand it correctly. Care to submit a patch/pull request?
>>
>> Sincerely,
>> Eric Sheridan
>> (twitter) @eric_sheridan
>> (blog) http://ericsheridan.blogspot.com
>>
>> On 11/5/12 7:47 AM, Gaurav Katiyar wrote:
>>> Hi All,
>>>
>>> I am using the CSRF Guard project in a web application and I think
>>> there is a bug in the latest code.
>>>
>>> https://github.com/esheri3/OWASP-CSRFGuard/blame/master/Owasp.CsrfGuard/src/org/owasp/csrfguard/http/InterceptRedirectResponse.java
>>>
>>> The class InterceptRedirectResponse on line 21 has the following
>>>
>>> if (!location.contains("://") && (csrfGuard.isProtectedPage(location)
>>> || csrfGuard.isUnprotectedMethod("GET"))) {
>>>
>>> // code to add the token to the redirected URL
>>>
>>> }
>>>
>>> which says: if the redirect is to the same domain, and the page is protected or
>>> GET is not protected, then add the token to the URL;
>>>
>>> but I think it should be
>>>
>>> if the redirect is to the same domain, and the page is protected and GET is
>>> protected, then add the CSRF token:
>>>
>>> if (!location.contains("://") && csrfGuard.isProtectedPage(location)
>>> && !csrfGuard.isUnprotectedMethod("GET")) {
>>>
>>> // code to add the token to the redirected URL
>>>
>>> }
>>>
>>> Have I understood this incorrectly?
>>>
>>> Please help.
>>>
>>> Thanks,
>>> Gaurav
>>> _______________________________________________
>>> Owasp-csrfguard mailing list
>>> Owasp-csrfguard at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>>>

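The two predicates discussed in the thread differ only in how they combine the "protected page" and "unprotected GET" checks. The following is an added example, not code from CSRFGuard or from anyone in this thread; it models the Java condition in Python so the two variants can be enumerated side by side and the token rewrite of a same-origin redirect can be exercised offline. The token parameter name, the sample paths and the token value are assumptions for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Assumed parameter name for illustration; CSRFGuard's token name is configurable.
TOKEN_NAME = "OWASP_CSRFTOKEN"


def is_same_origin(location: str) -> bool:
    """Mirror the quoted '!location.contains("://")' test: a URL carrying a
    scheme separator is treated as an external redirect and left untouched."""
    return "://" not in location


def original_condition(location: str, protected_page: bool, get_unprotected: bool) -> bool:
    """Predicate as quoted from master: protected page OR GET is an unprotected method."""
    return is_same_origin(location) and (protected_page or get_unprotected)


def proposed_condition(location: str, protected_page: bool, get_unprotected: bool) -> bool:
    """Predicate as proposed in the thread: protected page AND GET is a protected method."""
    return is_same_origin(location) and protected_page and not get_unprotected


def append_token(location: str, token: str) -> str:
    """Add the token as a query parameter, keeping any existing query string
    and fragment and replacing a stale copy of the parameter if present."""
    parts = urlparse(location)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_NAME]
    query.append((TOKEN_NAME, token))
    return urlunparse(parts._replace(query=urlencode(query)))


def rewrite_redirect(location: str, token: str, protected_page: bool,
                     get_unprotected: bool, condition=proposed_condition) -> str:
    """Return the Location value a redirect wrapper would emit under the given predicate."""
    if condition(location, protected_page, get_unprotected):
        return append_token(location, token)
    return location


def disagreements():
    """Enumerate (protected_page, get_unprotected) combinations for a same-origin
    redirect where the two predicates give different answers."""
    return [(p, g)
            for p in (False, True)
            for g in (False, True)
            if original_condition("/app/page", p, g) != proposed_condition("/app/page", p, g)]


if __name__ == "__main__":
    # Constructed sample redirects, not captured traffic.
    for loc, p, g in [("/account", True, False), ("/public", False, True),
                      ("/account?x=1#top", True, True), ("https://other.example/", True, False)]:
        print(loc, "original ->", rewrite_redirect(loc, "abc", p, g, original_condition),
              "| proposed ->", rewrite_redirect(loc, "abc", p, g))
    print("predicates disagree for (protected_page, get_unprotected) =", disagreements())
```

Running the enumeration shows the two conditions disagree exactly when GET is configured as an unprotected method: the quoted condition appends the token to every same-origin redirect in that configuration, while the proposed one appends it only when the target page is protected and GET is itself protected. External redirects are untouched under both.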
