Issue Description
When I updated a project where echo is used from 4.6.3 to 4.7.1 today, I wasn't able to log into the system anymore when CSRF validation was enabled. After digging around a bit, it seems that 4.7.1 brings new CSRF validation code (see: #2060) and apparently the validation for CSRF tokens via multipart/form-data encoded forms broke.
Digging a little deeper, my suspicion is that the error is within https://github.com/labstack/echo/blob/master/middleware/extractor.go#L171. There it calls c.Request().ParseForm(), which I believe does not consider forms that use multipart/form-data encoding.
I suggest removing the c.Request().ParseForm() part and instead making use of net/http.FormValue(), which will call ParseMultipartForm and ParseForm by itself and return the corresponding value.
Checklist
- Dependencies installed
- No typos
- Searched existing issues and docs
Expected behaviour
middleware.CSRF to parse multipart/form-data encoded forms as well as application/x-www-form-urlencoded encoded forms
Actual behaviour
middleware.CSRF does not work with multipart/form-data encoded forms.
Steps to reproduce
- Create a form with multipart/form-data encoding
- Include the CSRF token in the form
- Enable CSRF middleware in your echo application
- Try to validate the token using the middle
Working code to debug
Version/commit
4.7.1
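The behaviour described in this issue can be reproduced with the standard library alone, without Echo. The following is an added example, not code from the Echo project or from the issue author: it builds two constructed POST requests carrying the same token, one application/x-www-form-urlencoded and one multipart/form-data, and reads the field once the way the report says the extractor does (ParseForm, then Form.Get) and once the way the report suggests (FormValue). The field name `_csrf` and the helper names are assumptions for the example; Echo's real middleware uses a configurable lookup key.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// csrfField is the form field the example looks for. The name is an
// assumption for this example; Echo's middleware makes the key configurable.
const csrfField = "_csrf"

// extractWithParseForm mirrors the behaviour reported in the issue: call
// ParseForm and read the field from r.Form. ParseForm decodes the URL query
// and, for POST/PUT/PATCH, only application/x-www-form-urlencoded bodies.
// A multipart/form-data body is left unparsed (no error is returned), so the
// field is simply absent and the empty string comes back.
func extractWithParseForm(r *http.Request) (string, error) {
	if err := r.ParseForm(); err != nil {
		return "", err
	}
	return r.Form.Get(csrfField), nil
}

// extractWithFormValue is the alternative the issue proposes. FormValue
// calls ParseMultipartForm when r.Form is still nil; that in turn runs
// ParseForm and then, for multipart bodies, merges the multipart fields into
// r.Form, so both encodings yield the token.
func extractWithFormValue(r *http.Request) string {
	return r.FormValue(csrfField)
}

// newURLEncodedRequest builds a constructed POST with a urlencoded body
// (what a plain HTML form without an enctype attribute sends).
func newURLEncodedRequest(token string) *http.Request {
	body := url.Values{csrfField: {token}}.Encode()
	r := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

// newMultipartRequest builds a constructed POST with a multipart/form-data
// body carrying the same field (what enctype="multipart/form-data" sends).
// The boundary is generated by mime/multipart and placed in the header.
func newMultipartRequest(token string) *http.Request {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	_ = w.WriteField(csrfField, token)
	_ = w.Close()
	r := httptest.NewRequest(http.MethodPost, "/login", &buf)
	r.Header.Set("Content-Type", w.FormDataContentType())
	return r
}

func main() {
	const token = "constructed-token-123"

	// A request body can only be parsed once, so each case gets a fresh request.
	v, _ := extractWithParseForm(newURLEncodedRequest(token))
	fmt.Printf("ParseForm, urlencoded: %q\n", v)
	v, _ = extractWithParseForm(newMultipartRequest(token))
	fmt.Printf("ParseForm, multipart:  %q\n", v)
	fmt.Printf("FormValue, urlencoded: %q\n", extractWithFormValue(newURLEncodedRequest(token)))
	fmt.Printf("FormValue, multipart:  %q\n", extractWithFormValue(newMultipartRequest(token)))
}
```

One caveat worth keeping in mind when patching an extractor: FormValue only triggers ParseMultipartForm while r.Form is nil. If some earlier handler or middleware has already called ParseForm on a multipart request, r.Form is non-nil but empty, and a later FormValue returns "" without parsing the body. In that situation the extractor must call ParseMultipartForm explicitly (it still parses the multipart body as long as r.MultipartForm is nil) rather than relying on FormValue's lazy parsing.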