Android-SingleSignOn

Handle `QueryParam` with key "`c`"

Open · stefan-niedermann opened this issue 4 years ago • 3 comments

Issue

Given one adds a QueryParam with the key c, the backend will respond with HTTP 400 as this parameter is reserved for CSRF protection.

Options

Don't handle at all

This leads to an HTTP 400 response with a stacktrace that is quite hard to understand (status quo)

Log warning

If the user actually knows what he does and wants to add this parameter, we don't block him but still are visible in case he wonders why something fails.

Throw meaningful Exception

One could assume that it is simply wrong to add this parameter and throw a meaningful Exception. This is a breaking change and can be a potential issue in case the user really wants to do this for some reason.


Looking forward to opinions :slightly_smiling_face: PS: This issue has been split out of #266

stefan-niedermann avatar Nov 17 '21 11:11 stefan-niedermann
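As an added illustration, not code from the Android-SingleSignOn project or from the issue author, the following Java helper implements the three options listed in the issue for the reserved key `c`. It inspects both an explicitly supplied parameter map and the raw query string of the request URL (the later comments confirm the server rejects the parameter on direct HTTP calls as well, so a key arriving via the URL counts too) and then ignores, logs a warning, or throws a descriptive exception. The class, method and enum names are assumptions, and the reserved-key list is limited to the one key the issue mentions.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

/**
 * Hypothetical guard for query parameter keys the Nextcloud server reserves.
 * The issue reports that "c" is used by the server's CSRF protection and that a
 * request carrying it is answered with HTTP 400. Nothing here is part of
 * Android-SingleSignOn; names and structure are assumed for illustration.
 */
public final class ReservedQueryParamCheck {

    /** The three options discussed in the issue. */
    public enum Policy { IGNORE, WARN, THROW }

    /** Raised under Policy.THROW so the caller sees a clear reason instead of an HTTP 400 stacktrace. */
    public static final class ReservedQueryParamException extends IllegalArgumentException {
        public ReservedQueryParamException(String message) { super(message); }
    }

    private static final Logger LOG = Logger.getLogger(ReservedQueryParamCheck.class.getName());

    /** Reserved key named in the issue; assumed to be the full list for this example. */
    private static final List<String> RESERVED_KEYS = List.of("c");

    private ReservedQueryParamCheck() {}

    /**
     * Returns the reserved keys found in the parameter map and in the URL's raw query
     * string, each prefixed with where it was found ("param:" or "url:").
     */
    public static List<String> findReserved(Map<String, String> queryParams, String url) {
        List<String> hits = new ArrayList<>();
        if (queryParams != null) {
            for (String key : queryParams.keySet()) {
                if (RESERVED_KEYS.contains(key)) hits.add("param:" + key);
            }
        }
        String rawQuery = url == null ? null : URI.create(url).getRawQuery();
        if (rawQuery != null && !rawQuery.isEmpty()) {
            for (String pair : rawQuery.split("&")) {
                int eq = pair.indexOf('=');
                String key = eq < 0 ? pair : pair.substring(0, eq);
                // Decode so a percent-encoded key (e.g. "%63" for "c") is recognised as well.
                key = URLDecoder.decode(key, StandardCharsets.UTF_8);
                if (RESERVED_KEYS.contains(key)) hits.add("url:" + key);
            }
        }
        return hits;
    }

    /** Applies the chosen option to the findings and returns them for the caller to inspect. */
    public static List<String> check(Map<String, String> queryParams, String url, Policy policy) {
        List<String> hits = findReserved(queryParams, url);
        if (hits.isEmpty() || policy == Policy.IGNORE) return hits;
        String message = "Query parameter key(s) reserved by the server's CSRF protection: " + hits
                + " (the server would answer with HTTP 400)";
        if (policy == Policy.WARN) {
            LOG.warning(message);
            return hits;
        }
        throw new ReservedQueryParamException(message);
    }

    public static void main(String[] args) {
        // Constructed sample request: the reserved key once in the map and once percent-encoded in the URL.
        Map<String, String> params = Map.of("c", "x", "path", "/Documents");
        String url = "https://cloud.example.invalid/ocs/v2.php/example?%63=1&limit=10";

        System.out.println("IGNORE -> " + check(params, url, Policy.IGNORE));
        System.out.println("WARN   -> " + check(params, url, Policy.WARN));
        try {
            check(params, url, Policy.THROW);
        } catch (ReservedQueryParamException e) {
            System.out.println("THROW  -> " + e.getMessage());
        }
    }
}
```

The WARN policy corresponds to the issue's "log warning" option: the request still goes out, but the log line explains a subsequent HTTP 400. THROW is the "meaningful Exception" option and is the breaking change the issue mentions, since callers who deliberately send `c` would now fail client-side.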

Is this not also a problem for a regular http call directly to server, without SSO?

tobiasKaminsky avatar Nov 19 '21 06:11 tobiasKaminsky

Yes, it is.

stefan-niedermann avatar Nov 19 '21 06:11 stefan-niedermann

Then we, as in SSO, do not need to deal with it, right?

tobiasKaminsky avatar Nov 19 '21 09:11 tobiasKaminsky

Right.

stefan-niedermann avatar May 20 '23 13:05 stefan-niedermann