Skip to content

Avoid adding multiple CSRF tokens to a URL #923

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Avoid adding multiple CSRF tokens to a URL #923

wants to merge 5 commits into from
+190 −0

Conversation

@ChristopherSchultz
Copy link
Contributor

@ChristopherSchultz ChristopherSchultz commented Nov 19, 2025

The unit tests describe the problem: if a URL already contains a CSRF token and that URL is passed through HttpServletResponse.encode(Redirect)URL, then the URL will end up with multiple instances of a CSRF token.

This patch removes those extra instances should they exist.

@ChristopherSchultz
Copy link
Contributor Author

ChristopherSchultz commented Nov 19, 2025

There is a bug in this code. For the URL /foo/bar?xcsrf=&xcsrf&xcsrf&xcsrf&xcsrf=abc&xcsrf= it will enter an infinite loop.

@ChristopherSchultz
Copy link
Contributor Author

ChristopherSchultz commented Nov 19, 2025

It also will incorrectly identify parameters which end with the parameter name (e.g. xcsrf).

@ChristopherSchultz
Process parameters in a more straightforward way
e2b032b 
This fixes incorrect matching of parameters whose names *end with* the CSRF token name
The code is arguably easier to read
@ChristopherSchultz
Code style whitespace ; no functional change
41ed18a
@ChristopherSchultz
Copy link
Contributor Author

ChristopherSchultz commented Nov 19, 2025

All fixed with recent commits. Ready for review.

@rmaucher
Copy link
Contributor

rmaucher commented Nov 20, 2025

Remove the commented out System.outs ;)

markt-asf
markt-asf reviewed Nov 20, 2025
View reviewed changes
test/org/apache/catalina/filters/TestCsrfPreventionFilter.java

}

private static String dumbButAccurateCleanse(String url, String csrfParameterName) {
Copy link
Contributor

@markt-asf markt-asf Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't handle /foo/bar?bar=fo?&csrf=abc correctly but the actual CSRF code does so not a big deal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markt-asf markt-asf markt-asf left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ChristopherSchultz @rmaucher @markt-asf