
Avoid adding multiple CSRF tokens to a URL

Open ChristopherSchultz opened this issue 1 month ago • 5 comments

The unit tests describe the problem: if a URL already contains a CSRF token and that URL is passed through HttpServletResponse.encode(Redirect)URL, then the URL will end up with multiple instances of a CSRF token.

This patch removes those extra instances should they exist.

ChristopherSchultz avatar Nov 19 '25 15:11 ChristopherSchultz
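As an added illustration of the behaviour the PR description above addresses (example code written for this page, not Tomcat's own CsrfPreventionFilter and not the patch under review), the helper below strips every existing copy of the nonce parameter in a single pass over the query string and then appends exactly one fresh nonce, comparing parameter names whole so that a name merely ending in the nonce name is left alone. The class name, the parameter name "xcsrf" and the nonce value "NEWNONCE" are assumptions; the first sample URL is the one quoted in the thread.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper, not Tomcat's own CsrfPreventionFilter code. */
public final class CsrfUrlCleaner {
    /**
     * Removes every occurrence of query parameter paramName, whether written as
     * "xcsrf=abc", "xcsrf=" or bare "xcsrf". One pass over the query segments,
     * so it terminates on any input; names are compared whole, so "myxcsrf" stays.
     */
    public static String removeParameter(String url, String paramName) {
        int q = url.indexOf('?');
        if (q < 0) return url;                         // no query string at all
        int hash = url.indexOf('#', q);
        String base = url.substring(0, q);
        String query = hash < 0 ? url.substring(q + 1) : url.substring(q + 1, hash);
        String fragment = hash < 0 ? "" : url.substring(hash);
        List<String> kept = new ArrayList<>();
        for (String pair : query.split("&", -1)) {     // -1 keeps trailing empty segments
            if (pair.isEmpty()) continue;              // "&&" or trailing "&" carries no data
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (!name.equals(paramName)) kept.add(pair); // whole-name match, not endsWith
        }
        return kept.isEmpty() ? base + fragment : base + "?" + String.join("&", kept) + fragment;
    }

    /** Appends the current nonce exactly once, after dropping any stale copies. */
    public static String encodeWithNonce(String url, String paramName, String nonce) {
        String clean = removeParameter(url, paramName);
        int hash = clean.indexOf('#');
        String head = hash < 0 ? clean : clean.substring(0, hash);
        String fragment = hash < 0 ? "" : clean.substring(hash);
        String sep = head.indexOf('?') < 0 ? "?" : "&";
        return head + sep + paramName + "=" + nonce + fragment;
    }

    public static void main(String[] args) {
        String[] inputs = {
            "/foo/bar?xcsrf=&xcsrf&xcsrf&xcsrf&xcsrf=abc&xcsrf=",  // URL quoted in the thread
            "/foo/bar?myxcsrf=keep&xcsrf=old#top"                 // "myxcsrf" ends with "xcsrf"
        };
        for (String in : inputs) {
            System.out.println(in + " -> " + encodeWithNonce(in, "xcsrf", "NEWNONCE"));
        }
    }
}
```

Running it shows the first URL collapsing to a single "xcsrf=NEWNONCE" parameter and the second keeping "myxcsrf=keep" and its fragment while the stale nonce is replaced.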

There is a bug in this code. For the URL /foo/bar?xcsrf=&xcsrf&xcsrf&xcsrf&xcsrf=abc&xcsrf= it will enter an infinite loop.

ChristopherSchultz avatar Nov 19 '25 16:11 ChristopherSchultz

It also will incorrectly identify parameters which end with the parameter name (e.g. xcsrf).

ChristopherSchultz avatar Nov 19 '25 16:11 ChristopherSchultz

All fixed with recent commits. Ready for review.

ChristopherSchultz avatar Nov 19 '25 19:11 ChristopherSchultz

Remove the commented out System.outs ;)

rmaucher avatar Nov 20 '25 09:11 rmaucher

Remove the commented out System.outs ;)

Done!

ChristopherSchultz avatar Dec 12 '25 14:12 ChristopherSchultz