NullPointerException when using JSP Tags and the CSRFGuard is disabled. #21
Comments
Thank you @alexhatz05. Very well written description of the issue! The PR will be accepted after the minor changes that were requested. Is the issue also reproducible in the test application?
Fixed by #20
I've created a new patch version release (https://github.com/OWASP/www-project-csrfguard/releases/tag/4.0.1) with your changes. It will soon be available on Maven Central as well. Thank you for your contribution.
Neither 4.0.1 nor 4.1.0 is available on Maven Central, right?
@kguelzau
Hello,
[Bug Description]
I am using CSRFGuard JSP Tag libraries in a Java EE project (Java 8). I recently faced the following issue: when I have to set the org.owasp.csrfguard.Enabled property to false, then a Null Pointer Exception is thrown and my application fails to load.
I checked the code of the respective JSP Tags and noticed that there is no check to see if the CSRFGuard is enabled before proceeding with the token injection. After debugging I found that the following line throws the exception:
final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest());
[To Reproduce]
Steps to reproduce the behavior:
[Expected behavior]
Due to practical reasons, I deem it necessary to find a solution so that the application using CSRFGuard tags would not be impacted by CSRF functionality when the guard is disabled.
[Environment]
[Solution that worked for me]
If you would like to consider my solution, I have submitted a Pull Request with the branch check_if_enabled_before_injecting_with_tag which contains a simple solution by checking if the CSRFGuard is enabled before proceeding with the logic. I have done this for TokenTag, TokenNameTag, TokenValueTag.
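The enabled-check described in the report, as an added illustration that is not the project's own code nor the reporter's pull request. It assumes CSRFGuard 4.x's CsrfGuard.getInstance(), isEnabled(), getLogicalSessionExtractor(), getTokenService().getMasterToken(String) and LogicalSession.getKey(); the tag class name, package and helper method are hypothetical.

```java
// Added illustration (not the project's code): a JSP tag that short-circuits
// before touching the session extractor when org.owasp.csrfguard.Enabled=false.
// Assumed CSRFGuard 4.x API: CsrfGuard.getInstance(), isEnabled(),
// getLogicalSessionExtractor(), getTokenService().getMasterToken(String),
// LogicalSession.getKey(). Class, package and helper names are hypothetical.
package example.tags;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import org.owasp.csrfguard.CsrfGuard;
import org.owasp.csrfguard.session.LogicalSession;

public class GuardedTokenValueTag extends TagSupport {

    @Override
    public int doEndTag() throws JspException {
        final CsrfGuard csrfGuard = CsrfGuard.getInstance();

        // The fix: with the guard disabled there is no logical session
        // extractor to call, so inject nothing and let the page render.
        if (!csrfGuard.isEnabled()) {
            return EVAL_PAGE;
        }

        final HttpServletRequest request =
                (HttpServletRequest) this.pageContext.getRequest();
        // This is the call that raised the NullPointerException when the
        // guard was disabled; it is only reached once isEnabled() is true.
        final LogicalSession logicalSession =
                csrfGuard.getLogicalSessionExtractor().extract(request);

        try {
            this.pageContext.getOut().write(tokenValueFor(csrfGuard, logicalSession));
        } catch (IOException e) {
            throw new JspException(e);
        }
        return EVAL_PAGE;
    }

    // Hypothetical helper: no logical session yet (e.g. first request) means
    // there is no master token to emit, so write an empty value instead of
    // dereferencing null.
    private static String tokenValueFor(CsrfGuard csrfGuard, LogicalSession logicalSession) {
        if (logicalSession == null) {
            return "";
        }
        return csrfGuard.getTokenService().getMasterToken(logicalSession.getKey());
    }
}
```

The same early return belongs in TokenTag and TokenNameTag, since all three reach the extractor call named in the report.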