This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

View the commit online:
https://github.com/apache/tomcat/commit/856a2e2482fde9e8c8d0535942a70c2ddfc8d676

commit 856a2e2482fde9e8c8d0535942a70c2ddfc8d676
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Tue Nov 19 12:54:45 2019 -0500

    Allow customization of the CSRF prevention filter's request parameter name.
---
 .../catalina/filters/CsrfPreventionFilter.java     | 24 +++++++++++++++++-----
 webapps/docs/changelog.xml                         |  5 +++--
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index cd1b576..fe4399f 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -53,6 +53,8 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
     private int nonceCacheSize = 5;
 
+    private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
+
     /**
      * Entry points are URLs that will not be tested for the presence of a 
valid
      * nonce. They are used to provide a way to navigate back to a protected
@@ -83,6 +85,16 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
         this.nonceCacheSize = nonceCacheSize;
     }
 
+    /**
+     * Sets the request parameter name to use for CSRF nonces.
+     *
+     * @param parameterName The request parameter name to use
+     *        for CSRF nonces.
+     */
+    public void setNonceRequestParameterName(String parameterName) {
+        this.nonceRequestParameterName = parameterName;
+    }
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
         // Set the parameters
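Review bot: setNonceRequestParameterName stores any value, including null or an empty string, yet the same name is passed straight to req.getParameter (hunk at L70) and appended into every encoded URL without escaping (hunk at L109), so a blank or non-URL-safe name silently breaks nonce checking instead of failing at configuration time. The value is presumably deployer-controlled via the filter's init-params, but a guard in the setter would surface misconfiguration early: `if (parameterName == null || parameterName.isEmpty()) { throw new IllegalArgumentException("parameterName must not be empty"); }`. The Javadoc could also state the default and the constraint, e.g. `Defaults to Constants.CSRF_NONCE_REQUEST_PARAM. The name is not URL-encoded when appended to encoded URLs, so it must be safe to use literally in a query string.` The enclosing class continues outside this hunk.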
@@ -91,7 +103,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
         // Put the expected request parameter name into the application scope
         filterConfig.getServletContext().setAttribute(
                 Constants.CSRF_NONCE_REQUEST_PARAM_NAME_KEY,
-                Constants.CSRF_NONCE_REQUEST_PARAM);
+                nonceRequestParameterName);
 
         // Put the expected request header name into the application scope
         filterConfig.getServletContext().setAttribute(
@@ -131,7 +143,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
             if (!skipNonceCheck) {
                 String previousNonce =
-                    req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+                    req.getParameter(nonceRequestParameterName);
 
                 if(previousNonce == null) {
                     if(log.isDebugEnabled()) {
@@ -196,7 +208,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
             // requiring the use of response.encodeURL.
             request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, 
newNonce);
 
-            wResponse = new CsrfResponseWrapper(res, newNonce);
+            wResponse = new CsrfResponseWrapper(res, 
nonceRequestParameterName, newNonce);
         } else {
             wResponse = response;
         }
@@ -208,10 +220,12 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
     protected static class CsrfResponseWrapper
             extends HttpServletResponseWrapper {
 
+        private final String nonceRequestParameterName;
         private final String nonce;
 
-        public CsrfResponseWrapper(HttpServletResponse response, String nonce) 
{
+        public CsrfResponseWrapper(HttpServletResponse response, String 
nonceRequestParameterName, String nonce) {
             super(response);
+            this.nonceRequestParameterName = nonceRequestParameterName;
             this.nonce = nonce;
         }
 
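Review bot: The two-argument constructor `CsrfResponseWrapper(HttpServletResponse, String)` is removed rather than kept, and because the class is protected static with a public constructor, any subclass of CsrfPreventionFilter on the 8.5.x maintenance branch that instantiates the wrapper directly will no longer compile or link. Keeping the old signature as a delegating constructor preserves compatibility: `public CsrfResponseWrapper(HttpServletResponse response, String nonce) { this(response, Constants.CSRF_NONCE_REQUEST_PARAM, nonce); }`. The new constructor also stores nonceRequestParameterName with no null check; a `java.util.Objects.requireNonNull(nonceRequestParameterName, "nonceRequestParameterName")` here (adding the import if the file lacks it) would make a bad argument fail at construction rather than when encodeURL appends it. The wrapper class body continues outside this hunk.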
@@ -268,7 +282,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
             } else {
                 sb.append('?');
             }
-            sb.append(Constants.CSRF_NONCE_REQUEST_PARAM);
+            sb.append(nonceRequestParameterName);
             sb.append('=');
             sb.append(nonce);
             sb.append(anchor);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index eac584a..bc0da19 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -49,8 +49,9 @@
     <changelog>
       <add>
         Improvements to CsrfPreventionFilter including additional
-        logging and making the latest nonce available in the request
-        attributes. (schultz)
+        logging, making the latest nonce available in the request attributes,
+        and allowing the CSRF nonce request parameter name to be customized.
+        (schultz)
       </add>
     </changgelog>
   </subsection>

