Merge branch 'cxxxr-fix-csrf-token-check'

2025-03-04 17:01:41 -05:00 · 2019-03-18 16:16:03 +09:00 · 2019-03-18 16:16:03 +09:00 · 3d21b5b622
commit 3d21b5b622
parent abff8efeb0 805c0b99c0
1 changed files with 5 additions and 2 deletions
--- a/src/middleware/csrf.lisp
+++ b/src/middleware/csrf.lisp
@ -51,9 +51,12 @@
        (csrf-token (gethash *csrf-session-key*
                             (getf env :lack.session))))
    (and csrf-token
-         (let ((recieved-csrf-token
+         (let ((received-csrf-token
                 (cdr (assoc "_csrf_token" (request-body-parameters req) :test #'string=))))
-           (string= csrf-token recieved-csrf-token)))))
+           ;; for multipart/form-data
+           (when (listp received-csrf-token)
+             (setf received-csrf-token (first received-csrf-token)))
+           (equal csrf-token received-csrf-token)))))

 (defun csrf-token (session)
  (unless (gethash *csrf-session-key* session)