CSRF protection in web application

Question

I have application that have CSRF protection provided by apache modules. My application containt a few pages that allow to upload some files, looks like this:

<form:form method="post" action="my.controller" enctype="multipart/form-data" id="form">

All stuff worked fine by the time we have updated our apache version from httpd-2.2.3 to httpd-2.2.15.

I've googled some time, and found that issue can be related to multipart/form-data parameter in the my form. In this case the form send as not secured. Also I've found that spring can handle stuff as above via MultipartFilter from spring doc http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html#csrf-multipartfilter

I am new in CSRF stuff. Will be good to know whehter it is possible to use spring CSRF protection with apache configuration to handle such cases.

Also I've found workaround where I can disable CSRF for needed URLs, like

RewriteRule /url/mycontroller.controller - [E=CSRF_IGNORE:yes]

But I am not sure wherer it will be correct one.

Answer 1

Following are the suggestions I have:

Please remove the enctype if not required since multipart/form-data is not supported in some of the CSRF libraries including CSRF Guard.

If you are setting the CSRF token using hidden attribute, please try appending the token in the action attribute. Here is this link : https://code.google.com/p/csrf-filter/

If you still face the same issue, you may have to exclude the URL from CSRF check.