You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by sc...@apache.org on 2019/11/19 17:55:15 UTC

[tomcat] branch master updated: Allow customization of the CSRF prevention filter's request parameter name.

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new 707e194  Allow customization of the CSRF prevention filter's request parameter name.
707e194 is described below

commit 707e1949cb4a9b7dc1430a41e28b8c72675dcced
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Tue Nov 19 12:54:45 2019 -0500

    Allow customization of the CSRF prevention filter's request parameter name.
---
 .../catalina/filters/CsrfPreventionFilter.java     | 24 +++++++++++++++++-----
 webapps/docs/changelog.xml                         |  5 +++--
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 8aace6b..8a09cfb 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -53,6 +53,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
     private int nonceCacheSize = 5;
 
+    private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM;
+
     /**
      * Entry points are URLs that will not be tested for the presence of a valid
      * nonce. They are used to provide a way to navigate back to a protected
@@ -83,6 +85,16 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
         this.nonceCacheSize = nonceCacheSize;
     }
 
+    /**
+     * Sets the request parameter name to use for CSRF nonces.
+     *
+     * @param parameterName The request parameter name to use
+     *        for CSRF nonces.
+     */
+    public void setNonceRequestParameterName(String parameterName) {
+        this.nonceRequestParameterName = parameterName;
+    }
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
         // Set the parameters
@@ -91,7 +103,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
         // Put the expected request parameter name into the application scope
         filterConfig.getServletContext().setAttribute(
                 Constants.CSRF_NONCE_REQUEST_PARAM_NAME_KEY,
-                Constants.CSRF_NONCE_REQUEST_PARAM);
+                nonceRequestParameterName);
 
         // Put the expected request header name into the application scope
         filterConfig.getServletContext().setAttribute(
@@ -131,7 +143,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
 
             if (!skipNonceCheck) {
                 String previousNonce =
-                    req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+                    req.getParameter(nonceRequestParameterName);
 
                 if(previousNonce == null) {
                     if(log.isDebugEnabled()) {
@@ -196,7 +208,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             // requiring the use of response.encodeURL.
             request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
 
-            wResponse = new CsrfResponseWrapper(res, newNonce);
+            wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
         } else {
             wResponse = response;
         }
@@ -208,10 +220,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
     protected static class CsrfResponseWrapper
             extends HttpServletResponseWrapper {
 
+        private final String nonceRequestParameterName;
         private final String nonce;
 
-        public CsrfResponseWrapper(HttpServletResponse response, String nonce) {
+        public CsrfResponseWrapper(HttpServletResponse response, String nonceRequestParameterName, String nonce) {
             super(response);
+            this.nonceRequestParameterName = nonceRequestParameterName;
             this.nonce = nonce;
         }
 
@@ -266,7 +280,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
             } else {
                 sb.append('?');
             }
-            sb.append(Constants.CSRF_NONCE_REQUEST_PARAM);
+            sb.append(nonceRequestParameterName);
             sb.append('=');
             sb.append(nonce);
             sb.append(anchor);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 42dbde9..84377f6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -53,8 +53,9 @@
       </fix>
       <add>
         Improvements to CsrfPreventionFilter including additional
-        logging and making the latest nonce available in the request
-        attributes. (schultz)
+        logging, making the latest nonce available in the request attributes,
+        and allowing the CSRF nonce request parameter name to be customized.
+        (schultz)
       </add>
     </changelog>
   </subsection>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org