CSRF protection can be bypassed with empty header and empty cookie
willemvermeer opened this issue · comments
Hi,
When you send a POST to an endpoint protected by randomTokenCsrfProtection and pass in an empty X-XSRF-TOKEN header and an XSRF-TOKEN cookie with an empty value, the filter will let you pass.
I think this is due to the check in randomTokenCsrfProtection on line 26:

```scala
if (submitted == cookie) {
  pass
}
```

but the value itself is not inspected and could possibly be empty.
Hope this can be fixed, thanks,
Willem
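To illustrate the bug in the report above, here is an added example (not code from akka-http-session or from the reporter): a plain comparison of the header and cookie values next to a hardened double-submit check that refuses missing, empty or short tokens and compares in constant time. The request dictionaries are constructed sample inputs; the header and cookie names are the ones named in the report, and the minimum length is an assumed policy value. It also covers the case where both header and cookie are absent, which the plain comparison accepts for the same reason.

```python
import hmac
import secrets

HEADER = "X-XSRF-TOKEN"
COOKIE = "XSRF-TOKEN"
MIN_TOKEN_LEN = 32  # assumed policy: shorter values are not tokens this server issued


def vulnerable_check(headers: dict, cookies: dict) -> bool:
    """Mirrors the flawed check: only asks whether header and cookie are equal.

    Two empty strings are equal, so an empty header plus an empty cookie passes,
    and so does a request carrying neither, since both default to ''.
    """
    submitted = headers.get(HEADER, "")
    cookie = cookies.get(COOKIE, "")
    return submitted == cookie


def hardened_check(headers: dict, cookies: dict) -> bool:
    """Double-submit check that rejects absent, empty and short tokens and
    compares in constant time so the comparison does not leak by timing."""
    submitted = headers.get(HEADER)
    cookie = cookies.get(COOKIE)
    if not submitted or not cookie:          # None or '' -> reject
        return False
    if len(cookie) < MIN_TOKEN_LEN:          # not a token this server would issue
        return False
    return hmac.compare_digest(submitted.encode(), cookie.encode())


# Constructed sample requests; TOKEN stands in for a token the server issued.
TOKEN = secrets.token_urlsafe(32)
REQUESTS = {
    "legit":          ({HEADER: TOKEN}, {COOKIE: TOKEN}),
    "empty_both":     ({HEADER: ""}, {COOKIE: ""}),
    "missing_both":   ({}, {}),
    "missing_header": ({}, {COOKIE: TOKEN}),
    "mismatch":       ({HEADER: "x" * 43}, {COOKIE: TOKEN}),
}


def evaluate(check) -> dict:
    """Run one check over every sample request; True means the filter lets it through."""
    return {name: check(h, c) for name, (h, c) in REQUESTS.items()}


if __name__ == "__main__":
    print("vulnerable:", evaluate(vulnerable_check))
    print("hardened:  ", evaluate(hardened_check))
```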
Fixed in 0.5.11. Thanks for the report!