
New CSRF parser in 4.7.x broken for CSRF tokens via multipart/form-data encoded forms #2135

Closed
3 tasks done
wneessen opened this issue Mar 15, 2022 · 0 comments

Comments

@wneessen

Issue Description

When I updated a project where echo is used from 4.6.3 to 4.7.1 today, I wasn't able to log into the system anymore when CSRF validation was enabled. After digging around a bit, it seems that 4.7.1 brings new CSRF validation code (see: #2060) and apparently the validation for CSRF tokens via multipart/form-data encoded forms broke.

Digging a little deeper, my suspicion is that the error is within https://github.com/labstack/echo/blob/master/middleware/extractor.go#L171. There it calls c.Request().ParseForm(), which I believe does not consider forms that use multipart/form-data encoding.

I suggest removing the c.Request().ParseForm() part and instead making use of net/http.FormValue(), which will call ParseMultipartForm and ParseForm by itself and return the corresponding value.

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Expected behaviour

middleware.CSRF to parse multipart/form-data encoded forms as well as application/x-www-form-urlencoded encoded forms

Actual behaviour

middleware.CSRF does not work with multipart/form-data encoded forms.

Steps to reproduce

  • Create a form with multipart/form-data encoding.
  • Include the CSRF token in the form
  • Enable CSRF middleware in your echo application
  • Try to validate the token using the middleware

Working code to debug

Version/commit

4.7.1
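The two parsing paths the issue contrasts, shown side by side as an added example (this is not code from the issue or from echo): it builds one application/x-www-form-urlencoded POST and one multipart/form-data POST with net/http/httptest and looks the token up via ParseForm, via FormValue, and via an explicit ParseMultipartForm. The field name `_csrf`, the 1 MiB multipart memory limit and the sample token value are assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenField is the form field the token travels in. The name is an assumption
// for this example; any field name behaves the same way.
const tokenField = "_csrf"

// maxMultipartMemory bounds how much of a multipart body is held in RAM before
// spilling to temp files. 1 MiB is an arbitrary choice for a token-only form.
const maxMultipartMemory = 1 << 20

// newURLEncodedRequest builds a POST carrying the token in an
// application/x-www-form-urlencoded body (constructed sample request).
func newURLEncodedRequest(token string) *http.Request {
	body := url.Values{tokenField: {token}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req
}

// newMultipartRequest builds the same POST as a multipart/form-data body,
// which is what a browser sends for a form with enctype="multipart/form-data".
func newMultipartRequest(token string) *http.Request {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	if err := w.WriteField(tokenField, token); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	req := httptest.NewRequest(http.MethodPost, "/login", &buf)
	req.Header.Set("Content-Type", w.FormDataContentType())
	return req
}

// extractWithParseForm is the pattern the issue points at: ParseForm only
// decodes url-encoded bodies, so for a multipart body the token is simply
// absent. No error is returned; the lookup just comes back empty.
func extractWithParseForm(req *http.Request) (string, error) {
	if err := req.ParseForm(); err != nil {
		return "", err
	}
	return req.PostForm.Get(tokenField), nil
}

// extractWithFormValue is the fix the issue suggests: on a request whose form
// has not been parsed yet, FormValue calls ParseMultipartForm, which in turn
// calls ParseForm, so both encodings are handled.
func extractWithFormValue(req *http.Request) string {
	return req.FormValue(tokenField)
}

// extractParseFormThenFormValue shows the ordering caveat: FormValue only
// parses when req.Form is still nil. If something earlier in the chain already
// called ParseForm, the multipart body is never decoded and the token is lost.
func extractParseFormThenFormValue(req *http.Request) string {
	_ = req.ParseForm()
	return req.FormValue(tokenField)
}

// extractToken parses explicitly instead of relying on FormValue's lazy
// parsing, so it is correct regardless of what ran before it. ErrNotMultipart
// only means the body was url-encoded, which ParseMultipartForm has already
// handled by calling ParseForm.
func extractToken(req *http.Request) (string, error) {
	err := req.ParseMultipartForm(maxMultipartMemory)
	if err != nil && !errors.Is(err, http.ErrNotMultipart) {
		return "", err
	}
	return req.PostForm.Get(tokenField), nil
}

func main() {
	const token = "sample-csrf-token-123" // constructed value, not a real token
	for name, mk := range map[string]func(string) *http.Request{
		"urlencoded": newURLEncodedRequest,
		"multipart":  newMultipartRequest,
	} {
		viaParseForm, _ := extractWithParseForm(mk(token))
		viaExplicit, _ := extractToken(mk(token))
		fmt.Printf("%-10s ParseForm=%q FormValue=%q ParseForm+FormValue=%q ParseMultipartForm=%q\n",
			name, viaParseForm, extractWithFormValue(mk(token)),
			extractParseFormThenFormValue(mk(token)), viaExplicit)
	}
}
```

Each extractor gets its own freshly built request because net/http caches the parsed form on the *http.Request: once req.Form is non-nil, FormValue will not parse a multipart body, so a middleware that switches ParseForm for FormValue is only fixed as long as nothing before it in the chain has already called ParseForm. Calling ParseMultipartForm explicitly and tolerating ErrNotMultipart avoids depending on that ordering.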
