struts-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [struts] salcho commented on a change in pull request #428: WW-5083 PR#426 follow-up.
Date Mon, 03 Aug 2020 07:43:07 GMT

salcho commented on a change in pull request #428:
URL: https://github.com/apache/struts/pull/428#discussion_r464245596



##########
File path: core/src/main/java/org/apache/struts2/interceptor/FetchMetadataInterceptor.java
##########
@@ -73,15 +76,31 @@ public String intercept(ActionInvocation invocation) throws Exception
{
             return invocation.invoke();
         }
 
-        logger.atDebug().log(
-            "Fetch metadata rejected cross-origin request to %s",
-            contextPath
-        );
+        LOG.debug("Fetch metadata rejected cross-origin request to [{}]", contextPath);
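Review bot: the rejection at the last `+` line is a security-relevant event by this PR's own account (a cross-origin fetch of an endpoint that is not on the exemption list, which the discussion treats as a likely CSRF attempt), yet it is logged at DEBUG, a level normally disabled in production, so operators would never see these rejections. Consider WARN (or at least INFO) so the event reaches production logs and detection tooling, and consider adding the request URI next to `contextPath`, since a context path alone does not tell a responder which endpoint was targeted. Two smaller points: the removed `%s` placeholder would not be substituted by a `{}`-style parameterized logger, so the switch to `"... [{}]"` is also a correctness fix worth calling out in the commit message; and the rename from `logger` to `LOG` assumes that field is declared in a part of the file outside this hunk.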

Review comment:
Hi,

I think you guys know better what log level is more appropriate for Struts devs. What I can tell you is that this code is not expected to reject many requests under normal circumstances, as every time this happens an endpoint is being fetched cross-origin, which indicates a potential CSRF attack more often than not, and developers are expected to add endpoints that are exposed cross-origin to the exemption list.

That is to say: we wouldn't really expect this log statement to be hit to the point of flooding the logs.



