Spring-security: Fix non-standard HTTP method for CsrfWebFilter

Created on 19 Mar 2020  路  5Comments  路  Source: spring-projects/spring-security

I expected the matcher to not trigger NPE's (resulting in HTTP 500's) but rather choosing to match or not for unknown methods.

This line triggers the NPE as getMethod returns null for any unmappable method string.
https://github.com/spring-projects/spring-security/blob/06fdb83fb89840c511b2bc46f72b7c49229c9dab/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java#L190

web duplicate bug
Source
picture Robbert1

All 5 comments

Thanks for the report @Robbert1.
Would you be interested in submitting a PR?

eleftherias picture eleftherias on 19 Mar 2020

@eleftherias @rwinch how is it for contribution? I can look into it.

parikshitdutta picture parikshitdutta on 15 Apr 2020
🎉1

Thanks for the offer @parikshitdutta. The issue is yours!

eleftherias picture eleftherias on 15 Apr 2020
👍1

Hi @eleftherias @rwinch, Please take a look at PR #8452, or Please assign it to respective reviewer.

Thank you.

parikshitdutta picture parikshitdutta on 1 May 2020

Closed in favor of gh-8452

rwinch picture rwinch on 12 May 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

xingfudeshi picture xingfudeshi  路  3Comments
spring-issuemaster picture spring-issuemaster  路  3Comments
joshlong picture joshlong  路  3Comments
silentsnooc picture silentsnooc  路  3Comments
unlimitedsola picture unlimitedsola  路  4Comments