Issue Description
When I updated a project where echo is used from 4.6.3 to 4.7.1 today, I wasn't able to log into the system anymore when CSRF validation was enabled. After digging around a bit, it seems that 4.7.1 brings new CSRF validation code (see: #2060) and apparently the validation for CSRF tokens via multipart/form-data encoded forms broke.
Digging a little deeper, my suspicion is that the error is within https://github.com/labstack/echo/blob/master/middleware/extractor.go#L171. There it calls c.Request().ParseForm(), which I believe does not consider forms that use multipart/form-data encoding.
I suggest removing the c.Request().ParseForm() part and instead making use of net/http.FormValue(), which will call ParseMultipartForm and ParseForm by itself and return the corresponding value.
Checklist
Dependencies installed
No typos
Searched existing issues and docs
Expected behaviour
middleware.CSRF to parse multipart/form-data encoded forms as well as application/x-www-form-urlencoded encoded forms
Actual behaviour
middleware.CSRF does not work with multipart/form-data encoded forms.
Steps to reproduce
Create a form with multipart/form-data encoding.
Include the CSRF token in the form
Enable CSRF middleware in your echo application
Try to validate the token using the middle
Working code to debug
Version/commit
4.7.1
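The difference between ParseForm and FormValue that the issue describes can be reproduced with net/http alone. The program below is an added example, not code from the issue or from echo: the field name, token value, /login path and helper names are constructed, and reading r.Form after ParseForm is an assumption about how the value is looked up. It also covers calling FormValue after ParseForm on the same request, which goes beyond what the issue states.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const field, token = "csrf", "constructed-token-123" // constructed sample values

// multipartReq builds a POST whose body is multipart/form-data with one field.
func multipartReq() *http.Request {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	w.WriteField(field, token)
	w.Close()
	r := httptest.NewRequest(http.MethodPost, "/login", &body)
	r.Header.Set("Content-Type", w.FormDataContentType())
	return r
}

// urlencodedReq builds the same POST as application/x-www-form-urlencoded.
func urlencodedReq() *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(url.Values{field: {token}}.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

// viaParseForm (assumed lookup): ParseForm skips multipart bodies without an error.
func viaParseForm(r *http.Request) string {
	r.ParseForm()
	return r.Form.Get(field)
}

// viaFormValue is the suggested lookup: with r.Form unset it parses both encodings.
func viaFormValue(r *http.Request) string { return r.FormValue(field) }

// parseFormThenFormValue: once ParseForm has set r.Form, FormValue no longer parses multipart.
func parseFormThenFormValue(r *http.Request) string {
	r.ParseForm()
	return r.FormValue(field)
}

func main() {
	fmt.Printf("urlencoded %q/%q, multipart %q/%q/%q\n", viaParseForm(urlencodedReq()), viaFormValue(urlencodedReq()), viaParseForm(multipartReq()), viaFormValue(multipartReq()), parseFormThenFormValue(multipartReq()))
}
```

The last case is why the ParseForm call has to be removed rather than followed by FormValue: on a multipart request the token stays empty unless ParseMultipartForm is called explicitly.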