Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-01 09:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Set-Cookie header value for XSRF-TOKEN

Browse Source 
This commit fixes an issue where using HttpServletResponse#setHeader
causes previous header values to be overwritten.

Closes gh-13075
This commit is contained in:
Steve Riesenberg 2023-04-25 15:15:02 -05:00
parent a44e91d044
commit 07b884a2cb
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2022 the original author or authors. * Copyright 2012-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -97,7 +97,7 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
this.cookieCustomizer.accept(cookieBuilder); this.cookieCustomizer.accept(cookieBuilder);
response.setHeader(HttpHeaders.SET_COOKIE, cookieBuilder.build().toString()); response.addHeader(HttpHeaders.SET_COOKIE, cookieBuilder.build().toString());
// Set request attribute to signal that response has blank cookie value, // Set request attribute to signal that response has blank cookie value,
// which allows loadToken to return null when token has been removed // which allows loadToken to return null when token has been removed

14
web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -20,6 +20,7 @@ import jakarta.servlet.http.Cookie;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockCookie; import org.springframework.mock.web.MockCookie;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
@ -290,6 +291,17 @@ class CookieCsrfTokenRepositoryTests {
assertThat(((MockCookie) tokenCookie).getSameSite()).isEqualTo(sameSitePolicy); assertThat(((MockCookie) tokenCookie).getSameSite()).isEqualTo(sameSitePolicy);
} }
// gh-13075
@Test
void saveTokenWithExistingSetCookieThenDoesNotOverwrite() {
this.response.setHeader(HttpHeaders.SET_COOKIE, "MyCookie=test");
this.repository = new CookieCsrfTokenRepository();
CsrfToken token = this.repository.generateToken(this.request);
this.repository.saveToken(token, this.request, this.response);
assertThat(this.response.getCookie("MyCookie")).isNotNull();
assertThat(this.response.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME)).isNotNull();
}
@Test @Test
void loadTokenNoCookiesNull() { void loadTokenNoCookiesNull() {
assertThat(this.repository.loadToken(this.request)).isNull(); assertThat(this.repository.loadToken(this.request)).isNull();