diff options
Diffstat (limited to 'archives/extend/2013-April/000111.html')
-rw-r--r-- | archives/extend/2013-April/000111.html | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/archives/extend/2013-April/000111.html b/archives/extend/2013-April/000111.html new file mode 100644 index 00000000..95e1e1f5 --- /dev/null +++ b/archives/extend/2013-April/000111.html @@ -0,0 +1,165 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML> + <HEAD> + <TITLE> [99s-extend] Reading body_qs multiple times + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Reading%20body_qs%20multiple%20times&In-Reply-To=%3C516D3736.4000106%40ninenines.eu%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <style type="text/css"> + pre { + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ + } + </style> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000110.html"> + <LINK REL="Next" HREF="000112.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[99s-extend] Reading body_qs multiple times</H1> + <B>Loïc Hoguin</B> + <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Reading%20body_qs%20multiple%20times&In-Reply-To=%3C516D3736.4000106%40ninenines.eu%3E" + TITLE="[99s-extend] Reading body_qs multiple times">essen at ninenines.eu + </A><BR> + <I>Tue Apr 16 13:34:14 CEST 2013</I> + <P><UL> + <LI>Previous message: <A HREF="000110.html">[99s-extend] Reading body_qs multiple times +</A></li> + <LI>Next message: <A HREF="000112.html">[99s-extend] Cowboy CORS +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#111">[ date ]</a> + <a href="thread.html#111">[ thread ]</a> + <a href="subject.html#111">[ subject ]</a> + <a href="author.html#111">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On 04/16/2013 02:13 AM, rambocoder wrote: +><i> Loic, +</I>><i> +</I>><i> After giving the CSRF middleware some thought and reading +</I>><i> <A HREF="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF</A>)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL I +</I>><i> came to conclusion that it is best to just not create the middleware and +</I>><i> instead deal with CSRF on as needed basis. +</I> +Your link says what I said too, except I probably wasn't explicit enough. + +If you have a form that does POST (or PUT or PATCH or DELETE), put the +token in "<form action="/path/to/resource?csrf=$TOKEN">". The token must +be only valid once, it must not be reused, not even between different +forms (each form gets its own token). Since it is not a GET request, +then you don't have cache or referer issues. + +You can still have issues if you allow another site to run JS on yours +(but you probably shouldn't) or if there is a malevolent proxy (use SSL +where needed), but these are different issues entirely. + +><i> Btw, I noticed that when the result of the middleware execute function is: +</I>><i> {error, StatusCode, Req} +</I>><i> if I set the reply on the request via cowboy_req:reply before returning +</I>><i> the {error.. , the status code of that reply will be used. +</I>><i> +</I>><i> Such as: +</I>><i> {ok, Req3} = cowboy_req:reply(403, [], "Invalid CSRF Token.", Req2), +</I>><i> {error, 500, Req3}; % 500 is ignored, 403 is returned +</I> +Yes, the response was already sent, therefore the second one is ignored. + +><i> Is that by design? +</I>><i> +</I>><i> Sincerely, +</I>><i> +</I>><i> rambocoder +</I>><i> +</I>><i> +</I>><i> +</I>><i> On Mon, Apr 15, 2013 at 4:47 PM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A> +</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>> wrote: +</I>><i> +</I>><i> Why not just put the token in the URL instead? if it's CSRF then +</I>><i> it's probably used only once and only for POST and the like, so not +</I>><i> cached or anything. +</I>><i> +</I>><i> +</I>><i> On 04/15/2013 10:45 PM, rambocoder wrote: +</I>><i> +</I>><i> Hello group, +</I>><i> +</I>><i> I am trying to put together a CSRF middleware +</I>><i> <A HREF="https://github.com/rambocoder/__stable/commit/__b26980d292ac42aadfe9921a961436__e28cdbb693">https://github.com/rambocoder/__stable/commit/__b26980d292ac42aadfe9921a961436__e28cdbb693</A> +</I>><i> <<A HREF="https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693">https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693</A>> +</I>><i> and +</I>><i> if the body of the request contains "_csrf" token, I check to +</I>><i> make sure +</I>><i> it matches the csrf token in the session. +</I>><i> +</I>><i> Currently I am doing it in middleware using cowboy_req:body_qs/1 +</I>><i> however +</I>><i> when in the handler I need to read another body parameter, such +</I>><i> as in +</I>><i> the rest_pastebin example: +</I>><i> +</I>><i> {ok, BodyQs, Req3} = cowboy_req:body_qs(Req), +</I>><i> Paste = proplists:get_value(<<"paste">__>, BodyQs), +</I>><i> +</I>><i> cowboy_req:body_qs/1 returns [] due to the body of the request being +</I>><i> already read {body_state,done} +</I>><i> +</I>><i> Is it pointless to have the type of CSRF middleware that I am +</I>><i> writing +</I>><i> and just do the CSRF in the handler's callback, where I can deal +</I>><i> with +</I>><i> all the body_qs at once? +</I>><i> +</I>><i> Thank you, +</I>><i> +</I>><i> rambocoder +</I>><i> +</I>><i> +</I>><i> _________________________________________________ +</I>><i> Extend mailing list +</I>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>> +</I>><i> <A HREF="http://lists.ninenines.eu:81/__listinfo/extend">http://lists.ninenines.eu:81/__listinfo/extend</A> +</I>><i> <<A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>> +</I>><i> +</I>><i> +</I>><i> +</I>><i> -- +</I>><i> Loďc Hoguin +</I>><i> Erlang Cowboy +</I>><i> Nine Nines +</I>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A> +</I>><i> +</I>><i> +</I> + +-- +Loïc Hoguin +Erlang Cowboy +Nine Nines +<A HREF="http://ninenines.eu">http://ninenines.eu</A> + +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000110.html">[99s-extend] Reading body_qs multiple times +</A></li> + <LI>Next message: <A HREF="000112.html">[99s-extend] Cowboy CORS +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#111">[ date ]</a> + <a href="thread.html#111">[ thread ]</a> + <a href="subject.html#111">[ subject ]</a> + <a href="author.html#111">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend +mailing list</a><br> +</body></html> |