Don't require csrf for search endpoint

Reasoning: - It doesn't change state and is not a sensitive endpoint - It really should be changed to GET but that is a bit more intrusive change that can be done at another time - The search csrf token is stored on the top.jsp page for a long time. If the user keeps this tab open for a while it is possible the csrf token will change on their session with other requests going on such that the search csrf token becomes wrong/stale. Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago · c7789533a0
parent ded28c4669
commit c7789533a0
2 changed files with 15 additions and 15 deletions
--- a/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
@ -6,6 +6,8 @@ import org.springframework.stereotype.Component;

 import javax.servlet.http.HttpServletRequest;

+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.regex.Pattern;

 /**
@ -19,24 +21,23 @@ import java.util.regex.Pattern;
@Component
 public class CsrfSecurityRequestMatcher implements RequestMatcher {
    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
-    private RegexRequestMatcher dwrRequestMatcher = new RegexRequestMatcher("/dwr/.*\\.dwr", "POST");
-    private RegexRequestMatcher restRequestMatcher = new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST");
+    private Collection<RegexRequestMatcher> whiteListedMatchers;
+
+    public CsrfSecurityRequestMatcher() {
+        Collection<RegexRequestMatcher> whiteListedMatchers = new ArrayList<>();
+        whiteListedMatchers.add(new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"));
+        whiteListedMatchers.add(new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"));
+        whiteListedMatchers.add(new RegexRequestMatcher("/search(?:\\.view)?", "POST"));
+        this.whiteListedMatchers = whiteListedMatchers;
+    }

    @Override
    public boolean matches(HttpServletRequest request) {

-        boolean requireCsrfToken = true;
-
-        if(allowedMethods.matcher(request.getMethod()).matches()){
-            requireCsrfToken = false;
-        } else {
-            if (dwrRequestMatcher.matches(request)) {
-                requireCsrfToken = false;
-            } else if (restRequestMatcher.matches(request)) {
-                requireCsrfToken = false;
-            }
-        }
+        boolean skipCSRF =
+                allowedMethods.matcher(request.getMethod()).matches() ||
+                whiteListedMatchers.stream().anyMatch(matcher -> matcher.matches(request));

-        return requireCsrfToken;
+        return !skipCSRF;
    }
 }
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/top.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/top.jsp
@ -125,7 +125,6 @@

        <td style="padding-left:1em">
            <form method="post" action="search.view" target="main" name="searchForm">
-                <sec:csrfInput />
                <td><input type="text" name="query" id="query" size="28" placeholder="${search}" onclick="select();"
                           onkeyup="triggerInstantSearch();"></td>
                <td><a href="javascript:document.searchForm.submit()"><img src="<spring:theme code="searchImage"/>" alt="${search}" title="${search}"></a></td>