
[v16] Remove ineffective CSRF check for /webconfirm #50102

Merged: 1 commit merged into branch/v16 from bot/backport-50098-branch/v16 on Dec 13, 2024

Conversation

@zmb3 (Collaborator) commented Dec 11, 2024

Backport #50098 to branch/v16

The WithAuthCookieAndCSRF checks only apply CSRF checks for
state-changing (i.e. non-GET) requests. Since /webconfirm is
always a GET request, the previous code gave the impression
that CSRF tokens were validated, which is not the case.

No behavior change here - just being more explicit about what is
being checked. There is no exploit from not checking CSRF here,
due to the strict session verification performed on the confirmation
token.
@zmb3 added the no-changelog label (indicates that a PR does not require a changelog entry) Dec 11, 2024
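The behaviour the PR description relies on, as an added example that is not Teleport's code: a hypothetical `withCSRF` middleware that, like the WithAuthCookieAndCSRF wrapper as described above, compares the token only for non-GET methods, and a hypothetical GET-only `handleConfirm` handler in the spirit of /webconfirm that does its own verification instead, checking that the confirmation token exists, is unused, and is bound to the session named by the caller's cookie. The header name `X-CSRF-Token`, the `session` cookie, the in-memory `confirmStore`, the token and session values, and the scenario names are all assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const csrfHeader = "X-CSRF-Token" // assumed header name for the example

// withCSRF mimics the behaviour the PR description attributes to
// WithAuthCookieAndCSRF: the token is compared only for state-changing
// (non-GET) methods. Hypothetical middleware, not Teleport's own.
func withCSRF(expectedToken string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			// Safe methods pass straight through: wrapping a GET-only endpoint here validates nothing.
		default:
			got := r.Header.Get(csrfHeader)
			if subtle.ConstantTimeCompare([]byte(got), []byte(expectedToken)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next(w, r)
	}
}

// confirmation is a pending token bound to the web session that issued it (constructed model).
type confirmation struct {
	sessionID string
	used      bool
}

type confirmStore map[string]*confirmation // stands in for the backend, keyed by token

// handleConfirm is a GET-only handler in the spirit of /webconfirm that verifies the
// token itself: it must exist, be unused, and be bound to the caller's session cookie.
func handleConfirm(store confirmStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		cookie, err := r.Cookie("session") // assumed cookie name
		if err != nil {
			http.Error(w, "no session", http.StatusForbidden)
			return
		}
		c, ok := store[r.URL.Query().Get("token")]
		if !ok || c.used ||
			subtle.ConstantTimeCompare([]byte(c.sessionID), []byte(cookie.Value)) != 1 {
			http.Error(w, "confirmation rejected", http.StatusForbidden)
			return
		}
		c.used = true // single use: replaying the same link is refused
		fmt.Fprintln(w, "confirmed")
	}
}

// request drives a handler through httptest and returns the status code.
func request(h http.HandlerFunc, method, target, session, csrf string) int {
	req := httptest.NewRequest(method, target, nil)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	if csrf != "" {
		req.Header.Set(csrfHeader, csrf)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// scenarios runs constructed requests through the wrapped handler and returns each status.
func scenarios() map[string]int {
	store := confirmStore{"tok-a": {sessionID: "sess-A"}, "tok-b": {sessionID: "sess-B"}}
	confirm := withCSRF("csrf-secret", handleConfirm(store))
	out := map[string]int{}
	// No CSRF header at all, yet the GET reaches the handler: the wrapper is inert for GET.
	out["get_same_session_no_csrf"] = request(confirm, "GET", "/webconfirm?token=tok-a", "sess-A", "")
	// Same link again: the handler's own single-use check rejects it.
	out["get_replay"] = request(confirm, "GET", "/webconfirm?token=tok-a", "sess-A", "")
	// Token issued to session B, presented with session A's cookie: session binding rejects it.
	out["get_cross_session"] = request(confirm, "GET", "/webconfirm?token=tok-b", "sess-A", "")
	// Only a non-GET method ever reaches the CSRF comparison.
	out["post_no_csrf"] = request(confirm, "POST", "/webconfirm?token=tok-b", "sess-B", "")
	out["post_with_csrf"] = request(confirm, "POST", "/webconfirm?token=tok-b", "sess-B", "csrf-secret")
	return out
}

func main() { fmt.Println(scenarios()) }
```

The GET scenarios never touch the CSRF comparison, which is the point of the PR: removing the wrapper from a GET-only route changes nothing, and the protection that actually matters is the session binding and single-use check the handler performs on the confirmation token itself.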
@zmb3 zmb3 added this pull request to the merge queue Dec 13, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 13, 2024
@zmb3 zmb3 added this pull request to the merge queue Dec 13, 2024
Merged via the queue into branch/v16 with commit 540f839 Dec 13, 2024
42 checks passed
@zmb3 zmb3 deleted the bot/backport-50098-branch/v16 branch December 13, 2024 21:16
Labels: backport, no-changelog (indicates that a PR does not require a changelog entry), size/sm
3 participants