Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/11/25 19:13:15 UTC
[tomcat] branch 8.5.x updated: Add debug logging. Based on a PR by Polina Georgieva
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 130e832 Add debug logging. Based on a PR by Polina Georgieva
130e832 is described below
commit 130e832a816b1d6131ebbabaa4fc3d8c1bf6dbba
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Nov 25 19:02:35 2021 +0000
Add debug logging. Based on a PR by Polina Georgieva
---
.../catalina/filters/LocalStrings.properties | 3 +++
.../catalina/filters/RestCsrfPreventionFilter.java | 30 ++++++++++++++++------
webapps/docs/changelog.xml | 4 +++
3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/java/org/apache/catalina/filters/LocalStrings.properties b/java/org/apache/catalina/filters/LocalStrings.properties
index 5877b76..31f7bd0 100644
--- a/java/org/apache/catalina/filters/LocalStrings.properties
+++ b/java/org/apache/catalina/filters/LocalStrings.properties
@@ -62,7 +62,10 @@ remoteIpFilter.invalidRemoteAddress=Unable to determine the remote host because
requestFilter.deny=Denied request for [{0}] based on property [{1}]
+restCsrfPreventionFilter.fetch.debug=CSRF Fetch request is successfully handled - nonce is added to the response. Request method: [{0}] and URI [{1}].
restCsrfPreventionFilter.invalidNonce=CSRF nonce validation failed
+restCsrfPreventionFilter.invalidNonce.debug=CSRF validation for REST failed! Request with method [{0}] and URI [{1}] will be rejected. Details: request has session ID [{2}]; requested session exists [{3}]; csrf nonce in request exists [{4}]; csrf nonce in session exists [{5}].
+restCsrfPreventionFilter.multipleNonce.debug=Different CSRF nonces are sent as request parameters, none of them will be used. Request method: [{0}] and URI [{1}].
webDavFilter.xpProblem=WebdavFixFilter: the XP-x64-SP2 client is known not to work with WebDAV Servlet
webDavFilter.xpRootContext=WebdavFixFilter: the XP-x64-SP2 client will only work with the root context
diff --git a/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java b/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
index 4fd6efc..66d3ea9 100644
--- a/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
@@ -155,17 +155,24 @@ public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
@Override
public boolean apply(HttpServletRequest request, HttpServletResponse response)
throws IOException {
- if (isValidStateChangingRequest(
- extractNonceFromRequest(request),
- extractNonceFromSession(request.getSession(false),
- Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME))) {
+
+ String nonceRequest = extractNonceFromRequest(request);
+ HttpSession session = request.getSession(false);
+ String nonceSession = extractNonceFromSession(session, Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME);
+
+ if (isValidStateChangingRequest(nonceRequest, nonceSession)) {
return true;
}
storeNonceToResponse(response, Constants.CSRF_REST_NONCE_HEADER_NAME,
Constants.CSRF_REST_NONCE_HEADER_REQUIRED_VALUE);
- response.sendError(getDenyStatus(),
- sm.getString("restCsrfPreventionFilter.invalidNonce"));
+ response.sendError(getDenyStatus(), sm.getString("restCsrfPreventionFilter.invalidNonce"));
+
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("restCsrfPreventionFilter.invalidNonce.debug", request.getMethod(),
+ request.getRequestURI(), Boolean.valueOf(request.getRequestedSessionId() != null),
+ session, Boolean.valueOf(nonceRequest != null), Boolean.valueOf(nonceSession != null)));
+ }
return false;
}
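Review bot: On the rejection path the fourth argument to the `invalidNonce.debug` message is the `HttpSession` object itself, while the placeholder is phrased as `requested session exists [{3}]` and the neighbouring arguments are all Booleans; the log line will therefore show the session's toString() (or `null`) rather than a yes/no value, and its content depends on the session implementation's string form. Pass `Boolean.valueOf(session != null)` instead so the placeholder reads as intended. Keeping the nonce values themselves out of the message, as the hunk already does, is the right choice for a debug log that may be read outside the request's trust boundary.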
@@ -186,12 +193,15 @@ public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
}
private String extractNonceFromRequestParams(HttpServletRequest request) {
- String[] params = extractNonceFromRequestParams(request,
- Constants.CSRF_REST_NONCE_HEADER_NAME);
+ String[] params = extractNonceFromRequestParams(request, Constants.CSRF_REST_NONCE_HEADER_NAME);
if (params != null && params.length > 0) {
String nonce = params[0];
for (String param : params) {
if (!Objects.equals(param, nonce)) {
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("restCsrfPreventionFilter.multipleNonce.debug",
+ request.getMethod(), request.getRequestURI()));
+ }
return null;
}
}
@@ -217,6 +227,10 @@ public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
}
storeNonceToResponse(response, Constants.CSRF_REST_NONCE_HEADER_NAME,
nonceFromSessionStr);
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("restCsrfPreventionFilter.fetch.debug",
+ request.getMethod(), request.getRequestURI()));
+ }
}
return true;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9ee926b..2c0685f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -128,6 +128,10 @@
<code>org.apache.juli.AsyncLoggerPollInterval</code>. If set, this
property now has no effect. (markt)
</update>
+ <add>
+ Add debug logging to the <code>RestCsrfPreventionFilter</code>. Based on
+ pull request <pr>452</pr> by Polina Georgieva. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">