
LocaleChangeInterceptor not protected against CSRF [SPR-13032] #17624

Closed
spring-issuemaster opened this issue May 15, 2015 · 2 comments

@spring-issuemaster

commented May 15, 2015

Mark Janssen opened SPR-13032 and commented

When Spring Security CSRF protection is enabled, all POST requests are protected against CSRF. Logout requests are made HTTP POST-only to protect against malicious logouts.

The LocaleChangeInterceptor also changes the user's (session) state, but is not protected against CSRF by default. In addition, there is no configuration option available to make it POST-only.


Affects: 4.1.6

Issue Links:

  • #21241 CookieLocaleResolver is not RFC6265 compliant when setting a locale and time zone
  • #14091 Better handling of illegal locale values in LocaleChangeInterceptor

Referenced from: commits 90d5428, 0dd320f

@spring-issuemaster


commented May 18, 2015

Rossen Stoyanchev commented

I've added an httpMethods property to LocaleChangeInterceptor.
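The following is an added configuration example, not code from the issue or from the Spring Framework itself. It shows how the httpMethods property described above is used to close the gap reported in the issue: the interceptor is told to honour the locale parameter only on POST, so a cross-site `GET /?locale=de` link no longer rewrites the session locale, while a POST from the application's own form carries the Spring Security CSRF token and is checked by CsrfFilter before the interceptor runs. Assumptions: Spring Framework 5+ (WebMvcConfigurer with default methods; on 4.2 you would extend WebMvcConfigurerAdapter instead), Spring Security's CSRF protection left at its default enabled state, and the class name LocaleConfig, which is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;

/**
 * Hypothetical MVC configuration (added example, not from the issue).
 * Restricts locale switching to POST so that it falls under Spring
 * Security's CSRF protection, which only guards state-changing methods.
 */
@Configuration
public class LocaleConfig implements WebMvcConfigurer {

    /** Locale is stored in the HTTP session, i.e. it is per-user state. */
    @Bean
    public LocaleResolver localeResolver() {
        return new SessionLocaleResolver();
    }

    @Bean
    public LocaleChangeInterceptor localeChangeInterceptor() {
        LocaleChangeInterceptor interceptor = new LocaleChangeInterceptor();

        // Request parameter that triggers a locale change ("locale" is the default).
        interceptor.setParamName("locale");

        // Only honour the parameter on POST. With the default (no restriction)
        // a GET such as /?locale=de from a third-party page changes the victim's
        // session locale without any CSRF check. A POST, by contrast, must carry
        // the CSRF token or CsrfFilter rejects it before this interceptor runs.
        interceptor.setHttpMethods("POST");

        // Do not turn a malformed locale value into a 500; just ignore it.
        interceptor.setIgnoreInvalidLocale(true);

        return interceptor;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(localeChangeInterceptor());
    }
}
```

With this in place the language switcher in the application must be a form that POSTs, for example `<form method="post"><input type="hidden" name="locale" value="de"><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"><button>Deutsch</button></form>`; a plain `?locale=de` link is silently ignored. The same check applies to any other interceptor or handler that mutates session state on GET: either restrict it to POST as here or exclude it from the CSRF matcher deliberately and document why.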

@spring-issuemaster


commented May 22, 2015

Mark Janssen commented

Cheers!
