https://bz.apache.org/bugzilla/show_bug.cgi?id=65853
--- Comment #15 from Marvin Fröhlich <apa...@froehlich-mail.net> ---

I have now integrated your new version of CsrfPreventionFilter as the base of our filter class. And it turned out that there are some minor things missing that will prevent us from using the class as it is now.

For one, there is no need to call getNonceCache(req) if both skipNonceCheck(req) and skipNonceGeneration(req) return true. For us it is actually malicious, because in these cases a new cache instance is created, which hurts later. I suggest skipping the block at lines 166 to 180 if both extension points return true.

And much less minor: if skipNonceGeneration(req) is true, wRequest remains null and is later passed into chain.doFilter(request, wRequest). It must fall back to response in this case. Maybe it wouldn't hurt to change line 204 like this:

chain.doFilter(request, wResponse != null ? wResponse : response);

Or, if you have some standard ifNull() of ours, use that. Then of course the current lines 200-201 could be dropped.
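The two points raised in the comment, as an added sketch that is not Tomcat's CsrfPreventionFilter code: the cache lookup is guarded so that a request skipping both check and generation never allocates a cache, and the response wrapper falls back to the original response when generation is skipped. The hook names follow the comment; the javax.servlet package, the abstract helpers and the 403 on a failed check are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical sketch of the doFilter control flow discussed in the comment.
// Not Tomcat's filter; only the two hook names come from the bug thread.
public abstract class NonceFilterSketch implements Filter {

    // Extension points a subclass overrides to opt a request out of either step.
    protected boolean skipNonceCheck(HttpServletRequest req) { return false; }
    protected boolean skipNonceGeneration(HttpServletRequest req) { return false; }

    // Assumed helpers: the cache lookup may allocate a new cache for the session,
    // which is exactly why it must not run when neither step needs it.
    protected abstract Object getNonceCache(HttpServletRequest req);
    protected abstract boolean nonceIsValid(HttpServletRequest req, Object cache);
    protected abstract HttpServletResponseWrapper wrapForNonce(
            HttpServletRequest req, HttpServletResponse res, Object cache);

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        boolean skipCheck = skipNonceCheck(req);
        boolean skipGen = skipNonceGeneration(req);
        HttpServletResponseWrapper wResponse = null;

        // Point 1: touch the cache only when at least one step needs it.
        if (!(skipCheck && skipGen)) {
            Object cache = getNonceCache(req);
            if (!skipCheck && !nonceIsValid(req, cache)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            if (!skipGen) {
                wResponse = wrapForNonce(req, res, cache);
            }
        }
        // Point 2: never hand a null wrapper down the chain.
        chain.doFilter(request, wResponse != null ? wResponse : response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```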