https://bz.apache.org/bugzilla/show_bug.cgi?id=65853
Bug ID: 65853
Summary: [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
Product: Tomcat 9
Version: 9.0.54
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: apa...@froehlich-mail.net
Target Milestone: -----

Currently, the evaluation of skipNonceCheck is inlined into the big doFilter() method. If I want to change the behavior of this evaluation (enabling the use of wildcards), I have to copy the whole class, or at least the whole doFilter() method, and reimplement it. If changes are made to the code, I have to reflect these changes in my copy. Bad idea!

I suggest extracting this code into a separate method with at least protected visibility.

####################
if (Constants.METHOD_GET.equals(req.getMethod()) &&
        entryPoints.contains(getRequestedPath(req))) {
    if (log.isTraceEnabled()) {
        log.trace("Skipping CSRF nonce-check for GET request to entry point " +
                getRequestedPath(req));
    }
    skipNonceCheck = true;
}
####################

Like this:

####################
protected boolean getSkipNonceCheck(HttpServletRequest request)
        throws IOException, ServletException {
    // Only a GET request may skip the nonce check; every other method keeps it
    if (!Constants.METHOD_GET.equals(request.getMethod())) {
        return false;
    }
    // ... and only when the GET targets a configured entry point
    return entryPoints.contains(getRequestedPath(request));
}
####################

doFilter()

####################
...
if (getSkipNonceCheck(req)) {
    if (log.isTraceEnabled()) {
        log.trace("Skipping CSRF nonce-check for GET request to entry point " +
                getRequestedPath(req));
    }
    skipNonceCheck = true;
}
...
####################

Maybe some other details would deserve to be in their own (overridable) methods as well.
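As an added example (not code from the report, and not part of Tomcat), here is what the requested hook would buy a deployer: a subclass that keeps the stock exact-match entry points and adds glob-style wildcard entry points on top. It assumes the hook is added with the reporter's proposed name and signature, getSkipNonceCheck(HttpServletRequest), which Tomcat 9.0.54 does not have, so the class does not compile against that release; the package name and the wildcardEntryPoints init-param are also assumptions. FilterBase.init() maps init-params onto bean setters, which is why a setWildcardEntryPoints(String) setter is enough to receive the value from web.xml.

```java
package com.example.csrf; // assumed package, not part of Tomcat

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.filters.CsrfPreventionFilter;

/**
 * Hypothetical subclass built on the overridable hook proposed in this report.
 *
 * Configure it like the stock filter, plus one extra init-param (assumed name):
 *   <init-param>
 *     <param-name>wildcardEntryPoints</param-name>
 *     <param-value>/public/*,/docs/*.html</param-value>
 *   </init-param>
 */
public class WildcardCsrfPreventionFilter extends CsrfPreventionFilter {

    private final List<Pattern> wildcardEntryPoints = new ArrayList<>();

    /** Called by FilterBase.init() for the "wildcardEntryPoints" init-param. */
    public void setWildcardEntryPoints(String csv) {
        wildcardEntryPoints.clear();
        for (String glob : csv.split(",")) {
            glob = glob.trim();
            if (!glob.isEmpty()) {
                wildcardEntryPoints.add(globToPattern(glob));
            }
        }
    }

    @Override
    protected boolean getSkipNonceCheck(HttpServletRequest request)
            throws IOException, ServletException {
        // Never relax the check for state-changing methods: only GET may skip it.
        // An override that drops this guard would let a POST bypass CSRF protection.
        if (!"GET".equals(request.getMethod())) {
            return false;
        }
        // Honour the exact-match entry points configured on the parent filter.
        if (super.getSkipNonceCheck(request)) {
            return true;
        }
        // getRequestedPath() is the protected helper the stock filter already uses
        // (servlet path plus path info); match it against each wildcard pattern.
        String path = getRequestedPath(request);
        for (Pattern p : wildcardEntryPoints) {
            if (p.matcher(path).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Translate a glob where '*' matches any run of characters and everything
     * else is literal. Literal segments are quoted so regex metacharacters in
     * a path (e.g. '.') cannot widen the match.
     */
    static Pattern globToPattern(String glob) {
        StringBuilder regex = new StringBuilder();
        int start = 0;
        for (int i = 0; i < glob.length(); i++) {
            if (glob.charAt(i) == '*') {
                regex.append(Pattern.quote(glob.substring(start, i))).append(".*");
                start = i + 1;
            }
        }
        regex.append(Pattern.quote(glob.substring(start)));
        return Pattern.compile(regex.toString());
    }
}
```

The point of the override order is that the subclass can widen the set of GET entry points without ever touching the method guard: the decision of which HTTP methods are eligible to skip the nonce check stays in one place, and a wildcard like /docs/*.html still only matches the full requested path because Pattern.matcher(...).matches() requires a complete match.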