From 023444ea8f379bdad402c5a4c9d05b8d08d37498 Mon Sep 17 00:00:00 2001
From: cxxxr
Date: Mon, 18 Mar 2019 16:09:11 +0900
Subject: [PATCH 1/2] fix csrf token check

---
 src/middleware/csrf.lisp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/middleware/csrf.lisp b/src/middleware/csrf.lisp
index 639369e..637e8cc 100644
--- a/src/middleware/csrf.lisp
+++ b/src/middleware/csrf.lisp
@@ -53,6 +53,9 @@
     (and csrf-token
          (let ((recieved-csrf-token
                  (cdr (assoc "_csrf_token" (request-body-parameters req) :test #'string=))))
+           ;; for multipart/form-data
+           (when (listp recieved-csrf-token)
+             (setf recieved-csrf-token (first recieved-csrf-token)))
            (string= csrf-token recieved-csrf-token)))))
 
 (defun csrf-token (session)

From 805c0b99c0f10b8c02cf0809eadee616bfbd6e9a Mon Sep 17 00:00:00 2001
From: Eitaro Fukamachi
Date: Mon, 18 Mar 2019 16:15:17 +0900
Subject: [PATCH 2/2] Replace 'string=' by 'equal' for preventing from TYPE-ERROR when it's other than a string.

---
 src/middleware/csrf.lisp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/middleware/csrf.lisp b/src/middleware/csrf.lisp
index 637e8cc..157f405 100644
--- a/src/middleware/csrf.lisp
+++ b/src/middleware/csrf.lisp
@@ -51,12 +51,12 @@
          (csrf-token (gethash *csrf-session-key* (getf env :lack.session))))
     (and csrf-token
-         (let ((recieved-csrf-token
+         (let ((received-csrf-token
                 (cdr (assoc "_csrf_token" (request-body-parameters req) :test #'string=))))
            ;; for multipart/form-data
-           (when (listp recieved-csrf-token)
-             (setf recieved-csrf-token (first recieved-csrf-token)))
-           (string= csrf-token recieved-csrf-token)))))
+           (when (listp received-csrf-token)
+             (setf received-csrf-token (first received-csrf-token)))
+           (equal csrf-token received-csrf-token)))))
 
 (defun csrf-token (session)
   (unless (gethash *csrf-session-key* session)
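Review bot: The added `(when (listp recieved-csrf-token) ...)` branch in the first hunk also fires when the `_csrf_token` parameter is absent, because `(cdr (assoc ...))` is then nil and nil is a list; `(first nil)` is nil, so the check still fails closed, but the one-word comment does not say what the list holds or that the nil case is intentional. I would replace `;; for multipart/form-data` with `;; multipart/form-data parameters arrive as a list; compare against its first element` followed by `;; (a missing parameter is nil, which is also a list, and stays nil so the check fails)`, with the first claim hedged if the list layout is not documented elsewhere in the file. Separately, `string=` (and the `equal` that the second patch substitutes for it) stops at the first differing character, so the duration of the token comparison depends on the submitted value; a small helper that first compares lengths and then folds the XOR of every pair of `char-code`s with `logior` before returning would make the comparison independent of the input. The enclosing `let`/`and` forms and the function they belong to begin before this hunk.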