Echo's CORS middleware, when TokenLookup is set to form:<your-input-name>, consumes all the request body, making it impossible for downstream operations to use it.
Checklist
Dependencies installed
No typos
Searched existing issues and docs
Expected behaviour
When using TokenLookup to inspect formData to find csrf token it should be possible to reuse the request body.
For example, forward the request to a downstream service that will be able to use it.
Actual behaviour
When using TokenLookup to inspect formData, body is completely consumed. This might introduce issues when proxying a request.
Steps to reproduce
See working code below for a full example to reproduce the error
It seems the issue is in the github.com/labstack/echo/v4@v4.11.4/middleware/extractor.go in the function valuesFromForm:
```go
// valuesFromForm returns a function that extracts values from the form field.
func valuesFromForm(name string) ValuesExtractor {
	return func(c echo.Context) ([]string, error) {
		if c.Request().Form == nil {
			_ = c.Request().ParseMultipartForm(32 << 20) // same what `c.Request().FormValue(name)` does
		}
		....
```
It seems in fact that the line: c.Request().ParseMultipartForm(32 << 20) is consuming all the body.
One workaround that seems to fix the issue is copying the body and restoring after it has been consumed.
This is working as intended. When Go standard library parses the Form the request body will be read till the end and can not be read anymore. All form values are stored now in Request.Form (c.Request().Form).
Assuming you are expecting Form in your handler you should access Request.Form* methods and fields.
If you need the body in some middleware, it should come before the CSRF middleware and use buffering etc. strategies so the body can be read more than once.
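The copy-and-restore workaround from the issue and the buffering approach from the reply, as an added example that is not part of the issue or of Echo's code. It uses only net/http; the helper name `formValueKeepBody`, the `maxBody` cap, the `/transfer` route and the sample `csrf` field and token are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBody = 1 << 20 // assumed cap: buffering must stay bounded

// formValueKeepBody (hypothetical helper) reads a form field the way a
// form-based token lookup does, then puts an unread copy of the body back.
func formValueKeepBody(w http.ResponseWriter, r *http.Request, name string) (string, error) {
	raw, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
	if err != nil {
		return "", err // body larger than maxBody or read failure
	}
	r.Body = io.NopCloser(bytes.NewReader(raw))
	if r.Form == nil {
		_ = r.ParseMultipartForm(32 << 20) // drains r.Body, fills r.Form
	}
	r.Body = io.NopCloser(bytes.NewReader(raw)) // restore for downstream readers
	return r.Form.Get(name), nil
}

// newReq builds a constructed url-encoded POST carrying a sample token.
func newReq(body string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/transfer", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

// demo returns the token, the body left after a plain parse, and the body
// left after the buffered lookup.
func demo(body string) (token, drained, kept string) {
	plain := newReq(body)
	_ = plain.ParseMultipartForm(32 << 20)
	left, _ := io.ReadAll(plain.Body)

	buffered := newReq(body)
	token, _ = formValueKeepBody(httptest.NewRecorder(), buffered, "csrf")
	rest, _ := io.ReadAll(buffered.Body)
	return token, string(left), string(rest)
}

func main() {
	fmt.Println(demo("csrf=tok123&amount=10"))
}
```

The size cap matters because the whole body is held in memory before the token is checked; without it, buffering in front of the CSRF check lets any unauthenticated client force large allocations.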
Working code to debug
After running the server, simply invoke the route with curl:
Result is:
Version/commit
echo version: v4.11.4