SEC-2292: Add test to assert CSRF bypass of methods is case sensitive

HTTP methods should be case sensitive, so add test to ensure that this is the case http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
2013-08-31 10:40:49 -05:00 · 2013-08-31 10:40:49 -05:00 · 43f4d01cf3
parent 6e9fb7930b
commit 43f4d01cf3
1 changed files with 27 additions and 0 deletions
--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
@ -311,6 +311,33 @@ public class CsrfFilterTests {
        }
    }

+    /**
+     * SEC-2292 Should not allow other cases through since spec states HTTP
+     * method is case sensitive
+     * http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
+     *
+     * @throws ServletException
+     * @throws IOException
+     */
+    @Test
+    public void doFilterDefaultRequireCsrfProtectionMatcherAllowedMethodsCaseSensitive()
+            throws ServletException, IOException {
+        filter = new CsrfFilter(tokenRepository);
+        filter.setAccessDeniedHandler(deniedHandler);
+
+        for (String method : Arrays.asList("get", "TrAcE", "oPTIOnS", "hEaD")) {
+            resetRequestResponse();
+            when(tokenRepository.loadToken(request)).thenReturn(token);
+            request.setMethod(method);
+
+            filter.doFilter(request, response, filterChain);
+
+            verify(deniedHandler).handle(eq(request), eq(response),
+                    any(InvalidCsrfTokenException.class));
+            verifyZeroInteractions(filterChain);
+        }
+    }
+
    @Test
    public void doFilterDefaultRequireCsrfProtectionMatcherDeniedMethods()
            throws ServletException, IOException {