<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
 <HEAD>
   <TITLE> [99s-extend] Reading body_qs multiple times
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Reading%20body_qs%20multiple%20times&In-Reply-To=%3C516C6773.1000004%40ninenines.eu%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <style type="text/css">
       pre {
           white-space: pre-wrap;       /* css-2.1, current FF, Opera, Safari */
           }
   </style>
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000108.html">
   <LINK REL="Next"  HREF="000110.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[99s-extend] Reading body_qs multiple times</H1>
    <B>Lo&#239;c Hoguin</B> 
    <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Reading%20body_qs%20multiple%20times&In-Reply-To=%3C516C6773.1000004%40ninenines.eu%3E"
       TITLE="[99s-extend] Reading body_qs multiple times">essen at ninenines.eu
       </A><BR>
    <I>Mon Apr 15 22:47:47 CEST 2013</I>
    <P><UL>
        <LI>Previous message: <A HREF="000108.html">[99s-extend] Reading body_qs multiple times
</A></li>
        <LI>Next message: <A HREF="000110.html">[99s-extend] Reading body_qs multiple times
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#109">[ date ]</a>
              <a href="thread.html#109">[ thread ]</a>
              <a href="subject.html#109">[ subject ]</a>
              <a href="author.html#109">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Why not just put the token in the URL instead? If it's CSRF then it's 
probably used only once and only for POST and the like, so not cached or 
anything.

On 04/15/2013 10:45 PM, rambocoder wrote:
&gt;<i> Hello group,
</I>&gt;<i>
</I>&gt;<i> I am trying to put together a CSRF middleware
</I>&gt;<i> <A HREF="https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693">https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693</A> and
</I>&gt;<i> if the body of the request contains &quot;_csrf&quot; token, I check to make sure
</I>&gt;<i> it matches the csrf token in the session.
</I>&gt;<i>
</I>&gt;<i> Currently I am doing it in middleware using cowboy_req:body_qs/1 however
</I>&gt;<i> when in the handler I need to read another body parameter, such as in
</I>&gt;<i> the rest_pastebin example:
</I>&gt;<i>
</I>&gt;<i> {ok, BodyQs, Req3} = cowboy_req:body_qs(Req),
</I>&gt;<i> Paste = proplists:get_value(&lt;&lt;&quot;paste&quot;&gt;&gt;, BodyQs),
</I>&gt;<i>
</I>&gt;<i> cowboy_req:body_qs/1 returns [] due to the body of the request being
</I>&gt;<i> already read {body_state,done}
</I>&gt;<i>
</I>&gt;<i> Is it pointless to have the type of CSRF middleware that I am writing
</I>&gt;<i> and just do the CSRF in the handler's callback, where I can deal with
</I>&gt;<i> all the body_qs at once?
</I>&gt;<i>
</I>&gt;<i> Thank you,
</I>&gt;<i>
</I>&gt;<i> rambocoder
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> _______________________________________________
</I>&gt;<i> Extend mailing list
</I>&gt;<i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>&gt;<i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>&gt;<i>
</I>

-- 
Lo&#239;c Hoguin
Erlang Cowboy
Nine Nines
<A HREF="http://ninenines.eu">http://ninenines.eu</A>

</PRE>

<!--endarticle-->
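<P>Added example, not part of the original message or of the Cowboy project: a middleware that takes the token from the URL query string, as the reply suggests, so the request body stays unread for the handler. It assumes the Cowboy 0.8-era <code>cowboy_req</code> and <code>cowboy_middleware</code> APIs and a hypothetical earlier session middleware that stores <code>{csrf_token, Token}</code> in <code>Env</code>; the module name is also hypothetical.</P>

```erlang
%% Added example: CSRF check that never reads the request body.
%% Assumptions: Cowboy 0.8-era API; an earlier (hypothetical) session
%% middleware has put {csrf_token, Token} into Env.
-module(csrf_qs_middleware).
-behaviour(cowboy_middleware).
-export([execute/2]).

execute(Req, Env) ->
    {Method, Req2} = cowboy_req:method(Req),
    case is_safe(Method) of
        true  -> {ok, Req2, Env};
        false -> check_token(Req2, Env)
    end.

%% Read-only methods should not change state, so no token is required.
is_safe(<<"GET">>) -> true;
is_safe(<<"HEAD">>) -> true;
is_safe(<<"OPTIONS">>) -> true;
is_safe(_) -> false.

check_token(Req, Env) ->
    %% qs_val/2 parses only the URL query string; the body state is left
    %% untouched, so the handler's cowboy_req:body_qs/1 still sees every field.
    {Sent, Req2} = cowboy_req:qs_val(<<"_csrf">>, Req),
    Expected = case lists:keyfind(csrf_token, 1, Env) of
        {csrf_token, Token} -> Token;
        false -> undefined
    end,
    case secure_equal(Sent, Expected) of
        true  -> {ok, Req2, Env};
        false -> {error, 403, Req2}
    end.

%% Constant-time comparison. A missing, valueless or empty token on either
%% side fails the guard and is rejected.
secure_equal(A, B) when is_binary(A), is_binary(B),
                        byte_size(A) > 0, byte_size(A) =:= byte_size(B) ->
    secure_equal(A, B, 0);
secure_equal(_, _) ->
    false.

secure_equal(<<X, RestA/binary>>, <<Y, RestB/binary>>, Acc) ->
    secure_equal(RestA, RestB, Acc bor (X bxor Y));
secure_equal(<<>>, <<>>, Acc) ->
    Acc =:= 0.
```

<P>URLs are commonly written to access logs and sent in Referer headers, so a token placed there should be short-lived.</P>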
<hr>
<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend
mailing list</a><br>
</body></html>