From 3df5c9027cfec8f301290f04dc9a18e1fe3d859e Mon Sep 17 00:00:00 2001
From: Emilio Dolce
Date: Tue, 4 Feb 2020 12:05:58 +0100
Subject: [PATCH] trim value for CSRF security checks

---
 .../voila/runtime/springmvc/csrf/CSRFHandlerInterceptor.java | 4 +++-
 .../runtime/springmvc/csrf/CSRFRequestDataValueProcessor.java | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFHandlerInterceptor.java b/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFHandlerInterceptor.java
index 9d7d634e..899edf0b 100644
--- a/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFHandlerInterceptor.java
+++ b/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFHandlerInterceptor.java
@@ -135,7 +135,7 @@ public class CSRFHandlerInterceptor extends HandlerInterceptorAdapter{
 }
 }
 if (!valueCheck) {
- LOGGER.warn("POST request field " + paramName + " not allowed value=" + paramValue);
+ LOGGER.warn("POST request field " + paramName + " not allowed actual value=\n" + paramValue + "\nPrevious value=\n" + ff.getParameterValue().iterator().next());
 throw new BusinessException(new UserMessage("error.security.unauthorizedRequest"));
 //response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad form field parameter value");
 //return false;
@@ -177,6 +177,8 @@ public class CSRFHandlerInterceptor extends HandlerInterceptorAdapter{
 }
 
 protected boolean checkSameValue(String paramValue, String savedValue, String type, Object actualValue) {
+ paramValue = StringUtils.trimToEmpty(paramValue);
+ savedValue = StringUtils.trimToEmpty(savedValue);
 if (paramValue.equals(savedValue)) {
 return true;
 }
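Review bot: The rewritten WARN on the `+` line writes the raw submitted `paramValue` and the stored value into the log, each on its own line, so a client whose request fails the check can plant arbitrary multi-line text in the log (log forging) and any sensitive field content is persisted there at WARN level. Log only what triage needs, e.g. `LOGGER.warn("POST request field " + paramName + " rejected: submitted length=" + (paramValue == null ? -1 : paramValue.length()));`, and keep full values, if at all, behind `isDebugEnabled()` with newlines stripped. `ff.getParameterValue().iterator().next()` also assumes the collection is non-empty; if the loop before this hunk guarantees that, fine, otherwise a NoSuchElementException would replace the intended BusinessException. The enclosing method starts and ends outside this hunk.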
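Review bot: `StringUtils.trimToEmpty` on the two added lines maps a null `paramValue` to `""`, so a request that omits the field now matches a saved value that is empty or whitespace-only, where the old `paramValue.equals(savedValue)` would have failed on null; if absence must still be rejected, trim without collapsing null, `paramValue = StringUtils.trim(paramValue);` / `savedValue = StringUtils.trim(savedValue);` and compare with `StringUtils.equals(paramValue, savedValue)` (null-safe). Trimming also means leading or trailing whitespace is no longer treated as tampering, which is presumably the intent but deserves a one-line comment saying where the whitespace comes from, since the commit message does not. If some of these saved values are secret tokens rather than plain form fields, `equals` is not constant-time and `MessageDigest.isEqual` on the UTF-8 bytes would be safer — hedged, as the hunk does not show what `savedValue` holds. `checkSameValue` continues past the end of this hunk.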
diff --git a/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFRequestDataValueProcessor.java b/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFRequestDataValueProcessor.java
index 18dd0105..ac80ebcd 100644
--- a/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFRequestDataValueProcessor.java
+++ b/voila-runtime-springmvc/src/main/java/it/mice/voila/runtime/springmvc/csrf/CSRFRequestDataValueProcessor.java
@@ -7,6 +7,7 @@ import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.web.servlet.support.RequestDataValueProcessor;
@@ -35,6 +36,9 @@ public class CSRFRequestDataValueProcessor implements RequestDataValueProcessor
 }
 
 public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
+ if (value != null) {
+ value = StringUtils.trimToEmpty(value);
+ }
 LOGGER.debug("processFormFieldValue: name=" + name + ", value=" + value + ", type=" + type);
 TagUtils.getSecuritySessionBean().addFormField(name, value, type);
 return value;
-- 
GitLab
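Review bot: The added `if (value != null)` guard is redundant with `trimToEmpty`, which already returns `""` for null, but it quietly makes this side keep null while the interceptor check changed in the same commit folds null to `""`; if preserving null here is deliberate, `value = StringUtils.trim(value);` says so in one line (commons-lang `trim` returns null for null) and deserves a comment such as `// keep null as-is; only normalise surrounding whitespace so the stored value matches what is submitted back`. The commit message does not say where the whitespace comes from, so a why-comment naming the source (template rendering, browser behaviour) would help the next reader. Also, the unchanged next line logs every field's `value` at DEBUG; if password-type fields ever pass through this processor, now that the method handles `value` would be a good moment to drop the value from that log line — hedged, since the callers are not visible here.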