You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by sc...@apache.org on 2019/11/16 15:58:13 UTC
[tomcat] branch 8.5.x updated: Improve CSRF prevention filter by
exposing the request's current nonce to the request.
This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 8c143ab Improve CSRF prevention filter by exposing the request's current nonce to the request.
8c143ab is described below
commit 8c143abae26f9b0c49b233c3e7a9cb6cc5b1b0ed
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Sat Nov 16 10:54:36 2019 -0500
Improve CSRF prevention filter by exposing the request's current nonce to the request.
---
java/org/apache/catalina/filters/Constants.java | 33 ++++++++++++++++++++++
.../catalina/filters/CsrfPreventionFilter.java | 5 ++++
.../catalina/filters/CsrfPreventionFilterBase.java | 10 +++++++
3 files changed, 48 insertions(+)
diff --git a/java/org/apache/catalina/filters/Constants.java b/java/org/apache/catalina/filters/Constants.java
index 4fe41cd..87dd6c4 100644
--- a/java/org/apache/catalina/filters/Constants.java
+++ b/java/org/apache/catalina/filters/Constants.java
@@ -25,12 +25,34 @@ package org.apache.catalina.filters;
*/
public final class Constants {
+ /**
+ * The session attribute key under which the CSRF nonce
+ * cache will be stored.
+ */
public static final String CSRF_NONCE_SESSION_ATTR_NAME =
"org.apache.catalina.filters.CSRF_NONCE";
+ /**
+ * The request attribute key under which the current
+ * requests's CSRF nonce can be found.
+ */
+ public static final String CSRF_NONCE_REQUEST_ATTR_NAME =
+ "org.apache.catalina.filters.CSRF_REQUEST_NONCE";
+
+ /**
+ * The name of the request parameter which carries CSRF nonces
+ * from the client to the server for validation.
+ */
public static final String CSRF_NONCE_REQUEST_PARAM =
"org.apache.catalina.filters.CSRF_NONCE";
+ /**
+ * The servlet context attribute key under which the
+ * CSRF request parameter name can be found.
+ */
+ public static final String CSRF_NONCE_REQUEST_PARAM_NAME_KEY =
+ "org.apache.catalina.filters.CSRF_NONCE_PARAM_NAME";
+
public static final String METHOD_GET = "GET";
public static final String CSRF_REST_NONCE_HEADER_NAME = "X-CSRF-Token";
@@ -39,6 +61,17 @@ public final class Constants {
public static final String CSRF_REST_NONCE_HEADER_REQUIRED_VALUE = "Required";
+ /**
+ * The session attribute key under which the CSRF REST nonce
+ * cache will be stored.
+ */
public static final String CSRF_REST_NONCE_SESSION_ATTR_NAME =
"org.apache.catalina.filters.CSRF_REST_NONCE";
+
+ /**
+ * The servlet context attribute key under which the
+ * CSRF REST header name can be found.
+ */
+ public static final String CSRF_REST_NONCE_HEDAER_NAME_KEY =
+ "org.apache.catalina.filters.CSRF_REST_NONCE_HEADER_NAME";
}
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 6833ed4..e09bdea 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -128,6 +128,11 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
nonceCache.add(newNonce);
+ // Take this request's nonce and put it into the request
+ // attributes so pages can make direct use of it, rather than
+ // requiring the use of response.encodeURL.
+ request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
+
wResponse = new CsrfResponseWrapper(res, newNonce);
} else {
wResponse = response;
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java b/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
index c0083f0..8d401af 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
@@ -78,6 +78,16 @@ public abstract class CsrfPreventionFilterBase extends FilterBase {
// Set the parameters
super.init(filterConfig);
+ // Put the expected request parameter name into the application scope
+ filterConfig.getServletContext().setAttribute(
+ Constants.CSRF_NONCE_REQUEST_PARAM_NAME_KEY,
+ Constants.CSRF_NONCE_REQUEST_PARAM);
+
+ // Put the expected request header name into the application scope
+ filterConfig.getServletContext().setAttribute(
+ Constants.CSRF_REST_NONCE_HEDAER_NAME_KEY,
+ Constants.CSRF_REST_NONCE_HEADER_NAME);
+
try {
Class<?> clazz = Class.forName(randomClass);
randomSource = (Random) clazz.getConstructor().newInstance();
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org