From 43f4d01cf3c94a2b542ad960799d0b6d80ad62c1 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Sat, 31 Aug 2013 10:40:49 -0500
Subject: [PATCH] SEC-2292: Add test to assert CSRF bypass of methods is case sensitive

HTTP methods should be case sensitive, so add test to ensure that this is the case
http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
---
 .../security/web/csrf/CsrfFilterTests.java | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
index c9d32a68a7..f15ae93df5 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
@@ -311,6 +311,33 @@ public class CsrfFilterTests {
 }
 }
 
+ /**
+ * SEC-2292 Should not allow other cases through since spec states HTTP
+ * method is case sensitive
+ * http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
+ *
+ * @throws ServletException
+ * @throws IOException
+ */
+ @Test
+ public void doFilterDefaultRequireCsrfProtectionMatcherAllowedMethodsCaseSensitive()
+ throws ServletException, IOException {
+ filter = new CsrfFilter(tokenRepository);
+ filter.setAccessDeniedHandler(deniedHandler);
+
+ for (String method : Arrays.asList("get", "TrAcE", "oPTIOnS", "hEaD")) {
+ resetRequestResponse();
+ when(tokenRepository.loadToken(request)).thenReturn(token);
+ request.setMethod(method);
+
+ filter.doFilter(request, response, filterChain);
+
+ verify(deniedHandler).handle(eq(request), eq(response),
+ any(InvalidCsrfTokenException.class));
+ verifyZeroInteractions(filterChain);
+ }
+ }
+
 @Test
 public void doFilterDefaultRequireCsrfProtectionMatcherDeniedMethods()
 throws ServletException, IOException {
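Review bot: The in-loop `verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class))` relies on Mockito's default `times(1)` across four iterations, so it only isolates each method if `resetRequestResponse()` (defined outside the hunk) installs fresh `request`/`response` instances every time; if it reuses the same instances, the second iteration would fail with a too-many-invocations error rather than a finding about the CSRF bypass, and `verifyZeroInteractions(filterChain)` would likewise be checking accumulated state. Making that independence explicit, e.g. `reset(deniedHandler, filterChain);` as the first statement of the loop body, keeps each spelling's assertion self-contained regardless of what the helper does. A short comment above the loop, `// lower/mixed-case spellings of the safe methods must still be treated as state-changing and require a token`, would state the security intent of the four sample values, which the Javadoc only implies. The `doFilterDefaultRequireCsrfProtectionMatcherDeniedMethods` signature in the trailing context belongs to a method whose body lies outside the hunk.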