CSRF not working on POST actions that require no form parameters #29763
Comments
Hi Steph, well, we have now removed vertx handling it, CSRF feature is now a
/cc @sberyozkin
The ironic thing is that with
OK, it's merged. Hope it's enough to get this fixed quickly :)
Thanks @FroMage I'll have a look soon, should be simple enough :-) (we can always migrate back to the filter if there will be a real need for it, having it as a handler right now seems OK)
Well, there's no way to make a handler force the form being read. I could add it, but I'm not sure we have to, because we made this a handler precisely to bypass the limitation that I removed on filters.
@FroMage Are you saying we have to go back to https://github.com/quarkusio/quarkus/blob/2.14.3.Final/extensions/csrf-reactive/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java, and add quarkus/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java line 490 in c78fd2c
Steph, maybe I'm missing something, please clarify what kind of fix you expect
Yes, that's what I mean, except you don't have to read the form yourself; it will always be read before your filter.
@FroMage I see what you mean, I was wondering how to access form parameters, I see it there, https://github.com/quarkusio/quarkus/pull/29825/files#diff-17360eebd1bfeec18218337a7ce737d98943bd55df9d940243051645053bd5ceR108.
Describe the bug
I'm pretty sure this is related to the problem I had in #22444 where the body was not read if the endpoint didn't have a single @RestForm parameter. If your endpoint doesn't have any @RestForm or @FormParam parameter, RESTEasy Reactive doesn't add the body filter that reads the form parameters (urlencoded or multipart) and so the CSRF filter can't work:
This currently prevents using the CSRF filter in any application that doesn't need form parameters, except for the CSRF token one. So it should be fixed in 2.15 (because I don't think the CSRF handler fix was backported to 2.14 so it doesn't work there anyway, unless I'm mistaken).
CC @sberyozkin
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of
java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (i.e. output of mvnw --version or gradlew --version)
No response
Additional information
No response
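The bug report above boils down to an ordering dependency: a CSRF filter that looks for the token in the form body can only do its job if something parsed that body before the filter ran. The following is an added illustration written for this page, not Quarkus or RESTEasy Reactive code, that models that dependency with a simulated pipeline. The cookie and field names, the token values, the `handle` pipeline and the decision to fail closed (reject with 400 when the form was never read) are all assumptions made for the example; they say nothing about how the real Quarkus filter behaves in that situation.

```python
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Illustrative names; not Quarkus configuration keys.
COOKIE_NAME = "csrf-token"
FORM_FIELD = "csrf-token"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class CsrfRejected(Exception):
    """Raised when a state-changing request fails the CSRF check."""


def parse_form(body: bytes, content_type: str) -> dict:
    """Parse a urlencoded body into a flat dict (first value per field).

    Returns an empty dict for non-form content types; this stands in for the
    'body filter' that reads form parameters in the issue description.
    """
    if content_type.split(";")[0].strip() != "application/x-www-form-urlencoded":
        return {}
    parsed = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def csrf_check(method: str, cookies: dict, form: Optional[dict]) -> bool:
    """Double-submit check: the token in the form must equal the token in the cookie.

    `form is None` models the situation from the issue: the body filter never ran,
    so the CSRF filter has no form parameters to inspect. This example fails closed
    in that case (an assumption of this illustration, not documented Quarkus behaviour).
    """
    if method in SAFE_METHODS:
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        raise CsrfRejected("no CSRF cookie on request")
    if form is None:
        raise CsrfRejected("form body was not read before the CSRF check")
    form_token = form.get(FORM_FIELD, "")
    # Constant-time comparison so token mismatches don't leak timing information.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        raise CsrfRejected("CSRF token missing or does not match cookie")
    return True


def handle(request: dict, endpoint_declares_form_params: bool) -> int:
    """Simulated pipeline: the body is parsed only when the endpoint declares form
    parameters (the condition the issue describes). Returns an HTTP status code."""
    form = None
    if endpoint_declares_form_params:
        form = parse_form(request["body"], request["content_type"])
    try:
        csrf_check(request["method"], request["cookies"], form)
    except CsrfRejected:
        return 400
    return 200


# Constructed sample requests; the token value is made up for the example.
TOKEN = "d3adb33fcafe"
POST_OK = {
    "method": "POST",
    "content_type": "application/x-www-form-urlencoded",
    "cookies": {COOKIE_NAME: TOKEN},
    "body": f"{FORM_FIELD}={TOKEN}&comment=hello".encode(),
}
POST_FORGED = {**POST_OK, "body": f"{FORM_FIELD}=wrongtoken&comment=hello".encode()}
GET_REQ = {**POST_OK, "method": "GET", "body": b""}

if __name__ == "__main__":
    print("endpoint with form params, valid token:", handle(POST_OK, True))
    print("endpoint without form params, same request:", handle(POST_OK, False))
    print("forged token:", handle(POST_FORGED, True))
    print("GET is not checked:", handle(GET_REQ, False))
```

The second call is the case from the report: the request carries a perfectly valid token, but because the endpoint declares no form parameter the body is never parsed, the filter sees no form at all, and a legitimate POST is indistinguishable from one with no token. Failing closed keeps the example safe but makes every such endpoint unusable, which is exactly why the report asks for the body to be read regardless of the endpoint's parameters.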