Posted to dev@tomcat.apache.org by sc...@apache.org on 2019/11/19 17:55:15 UTC
[tomcat] branch master updated: Allow customization of the CSRF
prevention filter's request parameter name.
This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 707e194 Allow customization of the CSRF prevention filter's request parameter name.
707e194 is described below
commit 707e1949cb4a9b7dc1430a41e28b8c72675dcced
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Tue Nov 19 12:54:45 2019 -0500
Allow customization of the CSRF prevention filter's request parameter name.
---
.../catalina/filters/CsrfPreventionFilter.java | 24 +++++++++++++++++-----
webapps/docs/changelog.xml | 5 +++--
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 8aace6b..8a09cfb 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -53,6 +53,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
private int nonceCacheSize = 5;
+ private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM;
+
/**
* Entry points are URLs that will not be tested for the presence of a valid
* nonce. They are used to provide a way to navigate back to a protected
@@ -83,6 +85,16 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
this.nonceCacheSize = nonceCacheSize;
}
+ /**
+ * Sets the request parameter name to use for CSRF nonces.
+ *
+ * @param parameterName The request parameter name to use
+ * for CSRF nonces.
+ */
+ public void setNonceRequestParameterName(String parameterName) {
+ this.nonceRequestParameterName = parameterName;
+ }
+
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// Set the parameters
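Review bot: setNonceRequestParameterName stores its argument unchecked, so a null or empty value (presumably reachable from a filter init-param, given the "Set the parameters" comment in init) is accepted silently: init() then hands it to ServletContext.setAttribute, where a null value behaves like removeAttribute, doFilter passes it to req.getParameter in the fourth hunk, and CsrfResponseWrapper appends it verbatim into every encoded URL in the last hunk. Failing at configuration time is cheaper than a filter that can never validate a nonce: `if (parameterName == null || parameterName.isEmpty()) { throw new IllegalArgumentException("nonceRequestParameterName must not be null or empty"); }` at the top of the setter. The Javadoc could also name the default, e.g. `Defaults to {@link Constants#CSRF_NONCE_REQUEST_PARAM}.`, since the field initializer is in a different hunk. init()'s body continues outside the hunk.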
@@ -91,7 +103,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
// Put the expected request parameter name into the application scope
filterConfig.getServletContext().setAttribute(
Constants.CSRF_NONCE_REQUEST_PARAM_NAME_KEY,
- Constants.CSRF_NONCE_REQUEST_PARAM);
+ nonceRequestParameterName);
// Put the expected request header name into the application scope
filterConfig.getServletContext().setAttribute(
@@ -131,7 +143,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
if (!skipNonceCheck) {
String previousNonce =
- req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+ req.getParameter(nonceRequestParameterName);
if(previousNonce == null) {
if(log.isDebugEnabled()) {
@@ -196,7 +208,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
// requiring the use of response.encodeURL.
request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
- wResponse = new CsrfResponseWrapper(res, newNonce);
+ wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
} else {
wResponse = response;
}
@@ -208,10 +220,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
protected static class CsrfResponseWrapper
extends HttpServletResponseWrapper {
+ private final String nonceRequestParameterName;
private final String nonce;
- public CsrfResponseWrapper(HttpServletResponse response, String nonce) {
+ public CsrfResponseWrapper(HttpServletResponse response, String nonceRequestParameterName, String nonce) {
super(response);
+ this.nonceRequestParameterName = nonceRequestParameterName;
this.nonce = nonce;
}
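Review bot: The rewritten constructor removes the two-argument CsrfResponseWrapper(HttpServletResponse, String) form, and because the wrapper is a protected static class, any filter subclass that instantiates it directly stops compiling. A delegating constructor keeps the old call sites working at no cost: `public CsrfResponseWrapper(HttpServletResponse response, String nonce) { this(response, Constants.CSRF_NONCE_REQUEST_PARAM, nonce); }`. The new three-parameter signature is also much longer than the wrapped declarations around it (the class header two lines above breaks before `extends`), so wrapping it after the first parameter would match the file's style. The CsrfResponseWrapper class continues outside the hunk.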
@@ -266,7 +280,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
} else {
sb.append('?');
}
- sb.append(Constants.CSRF_NONCE_REQUEST_PARAM);
+ sb.append(nonceRequestParameterName);
sb.append('=');
sb.append(nonce);
sb.append(anchor);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 42dbde9..84377f6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -53,8 +53,9 @@
</fix>
<add>
Improvements to CsrfPreventionFilter including additional
- logging and making the latest nonce available in the request
- attributes. (schultz)
+ logging, making the latest nonce available in the request attributes,
+ and allowing the CSRF nonce request parameter name to be customized.
+ (schultz)
</add>
</changelog>
</subsection>