Merge pull request #35301 from gastaldi/csrf_fix

quarkusio · Aug 15, 2023 · 71ecb45 · 71ecb45
2 parents e6391b6 + 3c69443
commit 71ecb45
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/...ime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java b/...ime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java
@@ -97,15 +97,16 @@ public void filter(ResteasyReactiveContainerRequestContext requestContext, Routi
         } else if (config.verifyToken) {
             // unsafe HTTP method, token is required
 
-            if (!isMatchingMediaType(requestContext.getMediaType(), MediaType.APPLICATION_FORM_URLENCODED_TYPE)
-                    && !isMatchingMediaType(requestContext.getMediaType(), MediaType.MULTIPART_FORM_DATA_TYPE)) {
+            MediaType mediaType = requestContext.getMediaType();
+            if (!isMatchingMediaType(mediaType, MediaType.APPLICATION_FORM_URLENCODED_TYPE)
+                    && !isMatchingMediaType(mediaType, MediaType.MULTIPART_FORM_DATA_TYPE)) {
                 if (config.requireFormUrlEncoded) {
-                    LOG.debugf("Request has the wrong media type: %s", requestContext.getMediaType().toString());
+                    LOG.debugf("Request has the wrong media type: %s", mediaType);
                     requestContext.abortWith(badClientRequest());
                     return;
                 } else {
-                    LOG.debugf("Request has the  media type: %s, skipping the token verification",
-                            requestContext.getMediaType().toString());
+                    LOG.debugf("Request has the media type: %s, skipping the token verification",
+                            mediaType);
                     return;
                 }
             }
@@ -148,7 +149,16 @@ public void filter(ResteasyReactiveContainerRequestContext requestContext, Routi
         }
     }
 
+    /**
+     * Compares if {@link MediaType} matches the expected type.
+     * <p>
+     * Note: isCompatible is taking wildcards, which is why we individually compare types and subtypes,
+     * so if someone sends a <code>Content-Type: *</code> it will be marked as compatible which is a problem
+     */
     private static boolean isMatchingMediaType(MediaType contentType, MediaType expectedType) {
+        if (contentType == null) {
+            return (expectedType == null);
+        }
         return contentType.getType().equals(expectedType.getType())
                 && contentType.getSubtype().equals(expectedType.getSubtype());
     }