Make regex to find cookie value more restrictive (#138)
The JavaScript library searches `document.cookie` to find the CSRF token value associated with the cookie named after the constant `CSRFP_TOKEN` (in practice, this is `csrfp_token`). However, the regex does not define what values may precede the token's name, meaning that a cookie such as `BNES_csrfp_token` (as was set by the Barracuda WAF) set on the same domain can be erroneously picked up instead of the correct `csrfp_token` value. This commit restricts the regex to only match if it is preceded by either the start of the string (i.e. nothing) or a semicolon followed by (a) any amount of whitespace, or (b) nothing, followed by the cookie's name. This allows it to match if it is the only/first cookie in `document.cookie` as well as if it follows another cookie in `document.cookie`.
Commit df629c8
There's a missing backslash before 's' which makes the regexp fail if the token is not at the start of the string.
IMHO this line should look as follows:

```javascript
var regex = new RegExp(
  `(?:^|;\\s*)${CSRFP.CSRFP_TOKEN}=([^;]+)(;|$)`
);
```
I also had an issue with this line as well. I added a backslash to fix the issue just as pdziuba stated.
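An added example, not the project's own code, that runs the three patterns discussed on this page (the original loose one, the version with the missing backslash, and the corrected anchored one) over constructed `document.cookie` strings; the cookie name `csrfp_token` and the sample strings are assumptions.

```javascript
// Added example (not CSRFProtector code). The cookie name is assumed to be
// "csrfp_token", as the commit message says it is in practice.
const CSRFP_TOKEN = "csrfp_token";

// Original, loose pattern: nothing restricts what precedes the cookie name,
// so "BNES_csrfp_token=..." satisfies it as well.
const looseRegex = new RegExp(`${CSRFP_TOKEN}=([^;]+)(;|$)`);

// Pattern with the backslash missing from "\\s": ";s*" means a semicolon
// followed by literal "s" characters, so a cookie after "; " never matches.
const missingBackslashRegex = new RegExp(`(?:^|;s*)${CSRFP_TOKEN}=([^;]+)(;|$)`);

// Corrected pattern: the name must start the string or follow ";" plus
// optional whitespace, which excludes names that merely end in the token name.
const strictRegex = new RegExp(`(?:^|;\\s*)${CSRFP_TOKEN}=([^;]+)(;|$)`);

// Return the captured cookie value, or null when the pattern does not match.
function readToken(cookieString, regex) {
  const match = regex.exec(cookieString);
  return match ? match[1] : null;
}

// Constructed document.cookie strings covering the cases in the commit message.
const SAMPLES = {
  tokenOnly: "csrfp_token=abc123",
  tokenAfterOther: "sessionid=xyz; csrfp_token=abc123",
  wafCookieFirst: "BNES_csrfp_token=waf-value; csrfp_token=abc123",
  wafCookieOnly: "BNES_csrfp_token=waf-value",
};

// Evaluate every sample against every pattern.
// Returns { sampleName: { loose, missingBackslash, strict } }.
function compareAll() {
  const patterns = {
    loose: looseRegex,
    missingBackslash: missingBackslashRegex,
    strict: strictRegex,
  };
  const results = {};
  for (const [sampleName, cookie] of Object.entries(SAMPLES)) {
    results[sampleName] = {};
    for (const [patternName, regex] of Object.entries(patterns)) {
      results[sampleName][patternName] = readToken(cookie, regex);
    }
  }
  return results;
}

console.log(JSON.stringify(compareAll(), null, 2));
```

The `wafCookieFirst` row shows the bug: the loose pattern returns the WAF cookie's value, while the corrected pattern returns `abc123`.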