

Validate that X-XSRF-Token and X-XSRF-Token cookie are the same - fixes
#970

(cherry picked from commit 482bc72)

(cherry picked from commit f42b193)
bernard-wagner authored and pmlopes committed Jul 12, 2018
1 parent e7c4460 commit 98891b1
Showing 1 changed file with 4 additions and 3 deletions.
Expand Up @@ -106,9 +106,9 @@ private String generateToken() {
return saltPlusToken + "." + signature;
}

private boolean validateToken(String header) {
private boolean validateToken(String header, String cookie) {

if (header == null) {
if (header == null || cookie == null || !header.equals(cookie)) {
return false;
}

Expand Down Expand Up @@ -168,7 +168,8 @@ public void handle(RoutingContext ctx) {
case DELETE:
case PATCH:
final String header = ctx.request().getHeader(headerName);
if (validateToken(header == null ? ctx.request().getFormAttribute(headerName) : header)) {
final String cookie = ctx.getCookie(cookieName).getValue();
if (validateToken(header == null ? ctx.request().getFormAttribute(headerName) : header, cookie)) {
ctx.next();
} else {
forbidden(ctx);
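Review bot: `ctx.getCookie(cookieName).getValue()` on the added line dereferences the lookup result without a null check, so a request that carries no cookie of that name would fail with a NullPointerException (typically surfacing as a 500) instead of reaching the intended `forbidden(ctx)` branch; validateToken in the first hunk already accepts a null cookie, so the lookup should pass one through: `final Cookie cookie = ctx.getCookie(cookieName);` followed by `if (validateToken(header == null ? ctx.request().getFormAttribute(headerName) : header, cookie == null ? null : cookie.getValue())) {` (an import of io.vertx.ext.web.Cookie may be needed; the file's imports are not visible here). Routing the missing-cookie case through the explicit forbidden path also keeps rejected CSRF attempts on one detectable code path rather than splitting them between a 403 and an unhandled-exception log entry. Both enclosing methods, handle() here and validateToken in the first hunk, continue outside their hunks.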

