CSRF middleware form lookup consumes all the request body #2600
This is working as intended. When Go standard library parses the Form the request body will be read till the end and cannot be read anymore. All form values are stored now in Assuming you are expecting Form in your handler you should access See how bodydump middleware does it Line 72 in 447c92d
Issue Description
Echo's CORS middleware when TokenLookup is set to form:<your-input-name> consumes all the request body, making it impossible for downstream operations to use it.
Checklist
Expected behaviour
When using TokenLookup to inspect formData to find csrf token it should be possible to reuse the request body. For example, forward the request to a downstream service that will be able to use it.
Actual behaviour
When using TokenLookup to inspect formData, body is completely consumed. This might introduce issues when proxying a request.
Steps to reproduce
See working code below for a full example to reproduce the error
Working code to debug
After running the server, simply invoke the route with curl:
Result is:
Version/commit
echo version: v4.11.4
Additional Debug already done
It seems the issue is in the github.com/labstack/echo/v4@v4.11.4/middleware/extractor.go in the function valuesFromForm:
It seems in fact that the line: c.Request().ParseMultipartForm(32 << 20) is consuming all the body.
One workaround that seems to fix the issue is copying the body and restoring after it has been consumed.
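The workaround described above (copy the body, restore it after the form lookup), as an added example using only net/http; it is not part of the original issue or Echo's code. The names tokenFromForm and demo, the sample request, and the 1 MiB maxBody cap are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBody = 1 << 20 // assumed cap on what we are willing to buffer

// tokenFromForm looks up a form field the way a form-based token lookup does.
// With restore=true the body is buffered first and a fresh reader is put back.
func tokenFromForm(r *http.Request, field string, restore bool) (string, error) {
	var saved []byte
	if restore {
		var err error
		if saved, err = io.ReadAll(http.MaxBytesReader(nil, r.Body, maxBody)); err != nil {
			return "", err // body larger than maxBody, or read failure
		}
		r.Body = io.NopCloser(bytes.NewReader(saved))
	}
	// Same call the issue points at; it drains r.Body.
	err := r.ParseMultipartForm(32 << 20)
	if err != nil && !errors.Is(err, http.ErrNotMultipart) {
		return "", err
	}
	if restore {
		r.Body = io.NopCloser(bytes.NewReader(saved))
	}
	return r.Form.Get(field), nil
}

// demo runs the lookup on a constructed request and returns the token plus
// whatever a downstream reader (handler, proxy) would still find in the body.
func demo(restore bool) (token, rest string) {
	r := httptest.NewRequest(http.MethodPost, "/transfer", strings.NewReader("csrf=tok123&amount=10"))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	token, _ = tokenFromForm(r, "csrf", restore)
	b, _ := io.ReadAll(r.Body)
	return token, string(b)
}

func main() {
	fmt.Println(demo(false)) // token found, body drained
	fmt.Println(demo(true))  // token found, body restored
}
```

Buffering holds the whole body in memory, which is why the read is capped before anything is copied.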