From c83a4a7a2438e03427ce06b5d94d136064385a41 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Wed, 2 Nov 2011 01:44:03 -0600
Subject: [PATCH] fix CSRF checking logic, once we identify a single problem
 with the CSRF token, don't fall through to further checks

---
 bin/browserid | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/browserid b/bin/browserid
index 005725a51..d69fe6767 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -309,19 +309,19 @@ app.use(function(req, resp, next) {
       logger.warn("CSRF validation failure: POST only allowed to /wsapi urls.  not '" + req.url + "'");
     }
 
-    if (req.session === undefined) { // there must be a session
+    else if (req.session === undefined) { // there must be a session
       denied = true;
       logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
     }
 
     // the session must have a csrf token
-    if (typeof req.session.csrf !== 'string') {
+    else if (typeof req.session.csrf !== 'string') {
       denied = true;
       logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
     }
 
     // and the token must match what is sent in the post body
-    if (req.body.csrf != req.session.csrf) {
+    else if (req.body.csrf != req.session.csrf) {
       denied = true;
       // if any of these things are false, then we'll block the request
       logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
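Review bot: The mismatch warning on the last line of the hunk writes the session's valid token into the log (`" want:" + req.session.csrf`), so anyone who can read the logs learns a token that will pass the check just reinforced by this else-if chain; log only the fact of the mismatch, e.g. `logger.warn("CSRF validation failure, token mismatch.");`, or at most the attacker-supplied value. The `else if` chain is a correct fix for the TypeError that an undefined `req.session` previously caused in the later checks, but the comparison on the `req.body.csrf != req.session.csrf` line still uses loose equality, so a non-string body value is coerced before comparing; `!==` is the safer form given the `typeof ... !== 'string'` guard above it. This comparison is also not constant-time; if the runtime provides a timing-safe equality primitive, prefer it here. The `// if any of these things are false, then we'll block the request` comment now sits inside one branch of an exclusive chain and would read better above the first `if`. The enclosing middleware function starts and ends outside the hunk.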
-- 
GitLab