Reverse content type check

When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
This commit is contained in:
Zhivko Delchev 2022-05-13 02:24:59 +03:00 committed by Rob Winch
parent 6c3f53ac0a
commit d882bfcf2b
2 changed files with 12 additions and 1 deletions

View File

@ -151,7 +151,7 @@ public class CsrfWebFilter implements WebFilter {
ServerHttpRequest request = exchange.getRequest();
HttpHeaders headers = request.getHeaders();
MediaType contentType = headers.getContentType();
if (!contentType.includes(MediaType.MULTIPART_FORM_DATA)) {
if (!MediaType.MULTIPART_FORM_DATA.isCompatibleWith(contentType)) {
return Mono.empty();
}
return exchange.getMultipartData().map((d) -> d.getFirst(expected.getParameterName())).cast(FormFieldPart.class)

View File

@ -189,6 +189,17 @@ public class CsrfWebFilterTests {
.expectStatus().is2xxSuccessful();
}
@Test
public void filterWhenPostAndMultipartFormDataEnabledAndNoBodyProvided() {
this.csrfFilter.setCsrfTokenRepository(this.repository);
this.csrfFilter.setTokenFromMultipartDataEnabled(true);
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build();
client.post().uri("/").header(this.token.getHeaderName(), this.token.getToken()).exchange().expectStatus()
.is2xxSuccessful();
}
@Test
public void filterWhenFormDataAndEnabledThenGranted() {
this.csrfFilter.setCsrfTokenRepository(this.repository);