2015-10-26 103 views
4

Request for /autodiscover/autodiscover.xml causing TokenMismatchException

I have a Laravel application that is getting a reasonable amount of traffic. I have changed the render() method of the exception handler as follows:

<?php

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;

class Handler extends ExceptionHandler
{
    /**
     * Render an exception into an HTTP response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Exception  $e
     * @return \Illuminate\Http\Response
     */
    public function render($request, Exception $e)
    {
        // A CSRF failure becomes a redirect back to the same URL with a flash message
        if ($e instanceof TokenMismatchException) {
            return redirect($request->fullUrl())
                ->with('error', "Sorry your session has expired please resubmit your request.");
        }

        return parent::render($request, $e);
    }
}

This works fine for normal requests: instead of throwing the exception, it sets a session flash message and redirects to the requested page. However, I have noticed that many of these exceptions are still being thrown for the following request:

/autodiscover/autodiscover.xml 

I know the above is something to do with Exchange, so it is probably not malicious.

What I am confused about is a) why this unrouted URL is triggering Laravel's CSRF protection at all, and b) why my updated handler is not catching the exception?

I have tried adding a route for this URL and manually throwing a 404, but that did not help.

What can I do to stop these exceptions being thrown?

Edit - stack trace, as requested:

[2015-10-26 11:44:38] production.ERROR: exception 'Illuminate\Session\TokenMismatchException' in /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:53 
Stack trace: 
#0 [internal function]: Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle(Object(Illuminate\Http\Request), Object(Closure)) 
#1 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(124): call_user_func_array(Array, Array) 
#2 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(54): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request)) 
#3 [internal function]: Illuminate\View\Middleware\ShareErrorsFromSession->handle(Object(Illuminate\Http\Request), Object(Closure)) 
#4 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(124): call_user_func_array(Array, Array) 
#5 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(62): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request)) 
#6 [internal function]: Illuminate\Session\Middleware\StartSession->handle(Object(Illuminate\Http\Request), Object(Closure)) 
#7 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(124): call_user_func_array(Array, Array) 
#8 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request)) 
#9 [internal function]: Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle(Object(Illuminate\Http\Request), Object(Closure)) 
#10 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(124): call_user_func_array(Array, Array) 
#11 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(59): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request)) 
#12 [internal function]: Illuminate\Cookie\Middleware\EncryptCookies->handle(Object(Illuminate\Http\Request), Object(Closure)) 
#13 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(124): call_user_func_array(Array, Array) 
#14 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php(42): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request)) 
#15 [internal function]: Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure)) 
#16 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(124): call_user_func_array(Array, Array) 
#17 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request)) 
#18 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): call_user_func(Object(Closure), Object(Illuminate\Http\Request)) 
#19 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(122): Illuminate\Pipeline\Pipeline->then(Object(Closure)) 
#20 /var/www/vhosts/sitedomain.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(87): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request)) 
#21 /var/www/vhosts/sitedomain.com/public_html/index.php(53): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request)) 
#22 {main} 
+0

Could you add an error trace dump for the URL '/autodiscover/autodiscover.xml'? – Mysteryos

+0

@Mysteryos - sure, I have added a sample stack trace. – BrynJ

+0

The error trace dump is not informative. How can you be sure this file is causing these errors? It looks like you have session persistence issues. – Mysteryos

Answer

1

So the solution turned out to be fairly simple. It appears that Laravel's default behaviour is to process all POST (and presumably PUT and DELETE...) requests, regardless of whether or not they are defined in the routes.

So we can add an exception to the $except array in the VerifyCsrfToken middleware:

// app/Http/Middleware/VerifyCsrfToken.php
protected $except = [
    'autodiscover/autodiscover.xml',
];

After adding the above, my TokenMismatchException is no longer thrown.

+0

Still hacky. Imagine a malicious user trying to access non-existent files on your server via non-'GET' requests. Your logs will fill up with CSRF errors. – Mysteryos

+0

@Mysteryos I completely agree - surely any request for a non-existent route should simply be ignored entirely? The default behaviour for a request that does not exist and is not a Laravel route should be a 404. – BrynJ

+0

They are not 404s because global middleware is applied before the request is routed, see: https://github.com/laravel/framework/pull/9708 . Have a look at this gem: http://laravel.com/docs/5.1/errors#report-method You can exclude CSRF errors from logging. – Mysteryos
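The two fixes discussed above each have a cost: an entry in $except switches CSRF verification off for every path the pattern matches, so it must stay exact and must never name a path the application actually routes, while putting TokenMismatchException into the handler's $dontReport list (the approach the last comment links to) also silences genuine CSRF failures on real forms. The following is an added example, not code from the question, the answer or the Laravel project, of a finer-grained app/Exceptions/Handler.php for Laravel 5.1. It relies on two facts about that version: VerifyCsrfToken is global middleware and runs before the router, and the HTTP kernel calls report() (logging) before render() (response), which is why changing render() alone never stopped the log entries. The helper name unroutedError and the user-facing message are this example's own choices.

```php
<?php

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Http\Request;
use Illuminate\Session\TokenMismatchException;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Added example (not the original poster's handler), Laravel 5.1.
 *
 * A CSRF failure on a URL that no route would serve is answered with the
 * framework's own 404/405 response and is not logged; a CSRF failure on a
 * real route is still logged and still redirects with a flash message.
 * CSRF verification itself stays enabled for every path.
 */
class Handler extends ExceptionHandler
{
    /**
     * Exception types that are never logged (the 5.1 skeleton default).
     * TokenMismatchException is deliberately NOT listed here.
     */
    protected $dontReport = [
        HttpException::class,
    ];

    /**
     * Report or log an exception. report() has no request argument, so the
     * current request is taken from the container, where the kernel bound it.
     *
     * @param  \Exception  $e
     * @return void
     */
    public function report(Exception $e)
    {
        if ($e instanceof TokenMismatchException
            && $this->unroutedError(app('request')) !== null) {
            return; // a non-GET probe for a URL we never serve: no log line
        }

        parent::report($e);
    }

    /**
     * Render an exception into an HTTP response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Exception  $e
     * @return \Illuminate\Http\Response
     */
    public function render($request, Exception $e)
    {
        if ($e instanceof TokenMismatchException) {
            $routingError = $this->unroutedError($request);

            if ($routingError !== null) {
                // No route would have handled this request anyway, so return
                // the normal 404 (or 405) instead of redirecting to a dead URL.
                return parent::render($request, $routingError);
            }

            return redirect($request->fullUrl())
                ->with('error', 'Sorry, your session has expired. Please resubmit your request.');
        }

        return parent::render($request, $e);
    }

    /**
     * Ask the route collection what the router would have done with this
     * request. Returns the NotFound/MethodNotAllowed exception it would raise,
     * or null when a route matches. No route action is executed here.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Symfony\Component\HttpKernel\Exception\HttpException|null
     */
    protected function unroutedError(Request $request)
    {
        try {
            app('router')->getRoutes()->match($request);
        } catch (NotFoundHttpException $notFound) {
            return $notFound;
        } catch (MethodNotAllowedHttpException $wrongMethod) {
            return $wrongMethod;
        }

        return null;
    }
}
```

With this handler in place, a POST to /autodiscover/autodiscover.xml should receive the application's 404 page and add nothing to storage/logs/laravel.log, while a stale form submission to a real route still produces the redirect, the flash message and the production.ERROR line, so genuine CSRF failures remain visible in the logs.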
