In the examples in the documentation at https://github.com/gorilla/csrf/blob/master/README.md and https://github.com/gorilla/csrf/blob/master/doc.go, the handlers do not check that the request method is POST (or other modification request types).

According to the documentation, this package "[o]perates on a 'whitelist only' approach where safe (non-mutating) HTTP methods (GET, HEAD, OPTIONS, TRACE) are the only methods where token validation is not enforced." However, the method used is decided by the client, so unless the server disallows these whitelisted requests, the CSRF protection can be bypassed by changing the method to a GET.

E.g. with the attached example:

```
go run csrf-example.go&
curl -X GET http://localhost:8000/delete/foo
You've passed the CSRF check!
Deleting foo
```

Perhaps people should know that they need to check the request method when there's no body, but it would be good to remind people of this by including the check in the examples for this package.

[csrf-example.txt](https://github.com/gorilla/csrf/files/2119897/csrf-example.txt)
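One way to add the method check the issue asks for, written here as an added illustration and not code from gorilla/csrf or from the attached csrf-example.txt. The names `allowMethods`, `deleteHandler`, `NewMux` and `Probe` are my own; the `csrf.Protect` wrapper is deliberately left out so the program runs with the standard library alone, and in a real application the mux returned by `NewMux` would sit inside that wrapper:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowMethods wraps a handler so that it only runs for the listed HTTP
// methods; anything else is answered with 405 and an Allow header.
// Placed inside the CSRF middleware, this guarantees that a request which
// reaches a mutating handler used a method the CSRF layer actually validates,
// so a client cannot sidestep token checks by switching the method to GET.
func allowMethods(next http.Handler, methods ...string) http.Handler {
	allowed := make(map[string]bool, len(methods))
	for _, m := range methods {
		allowed[m] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Method] {
			w.Header().Set("Allow", strings.Join(methods, ", "))
			http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// deleteHandler stands in for the "/delete/foo" handler from the issue: it
// mutates state based on the path alone, which is exactly why it must not be
// reachable over a safe method such as GET.
func deleteHandler(w http.ResponseWriter, r *http.Request) {
	name := strings.TrimPrefix(r.URL.Path, "/delete/")
	fmt.Fprintf(w, "Deleting %s\n", name)
}

// NewMux builds the routes. The mutating route is restricted to POST before
// it is registered, so the method check travels with the handler.
func NewMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/delete/", allowMethods(http.HandlerFunc(deleteHandler), http.MethodPost))
	return mux
}

// Probe sends one in-memory request to the mux (no network, no token layer)
// and returns the status code and response body.
func Probe(method, path string) (int, string) {
	rec := httptest.NewRecorder()
	NewMux().ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	for _, m := range []string{http.MethodGet, http.MethodPost} {
		code, body := Probe(m, "/delete/foo")
		fmt.Printf("%-4s /delete/foo -> %d %q\n", m, code, body)
	}
}
```

Run as-is, the GET probe reports 405 and only the POST reaches the handler. If the application already routes with gorilla/mux, the same restriction can be expressed at registration time with `r.HandleFunc("/delete/{id}", handler).Methods("POST")`, which rejects other methods before the handler runs; either way the point is that the method restriction must exist somewhere on the server side, because the CSRF middleware alone trusts the client's choice of method.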
Good point. If you are mutating resources based on path alone, you are likely in a world of pain anyway, but I’m all for helping people towards safety.
On Wed, Jun 20, 2018 at 8:08 AM dogben ***@***.***> wrote:
> In the examples in the documentation at https://github.com/gorilla/csrf/blob/master/README.md and https://github.com/gorilla/csrf/blob/master/doc.go, the handlers do not check that the request method is POST (or other modification request types).
>
> According to the documentation, this package "[o]perates on a 'whitelist only' approach where safe (non-mutating) HTTP methods (GET, HEAD, OPTIONS, TRACE) are the only methods where token validation is not enforced." However, the method used is decided by the client, so unless the server disallows these whitelisted requests, the CSRF protection can be bypassed by changing the method to a GET.
>
> E.g. with the attached example:
>
> ```
> go run csrf-example.go&
> curl -X GET http://localhost:8000/delete/foo
> You've passed the CSRF check!
> Deleting foo
> ```
>
> Perhaps people should know that they need to check the request method when there's no body, but it would be good to remind people of this by including the check in the examples for this package.
>
> csrf-example.txt <https://github.com/gorilla/csrf/files/2119897/csrf-example.txt>