author | Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com> | 2018-05-22 02:09:48 +0300 |
---|---|---|
committer | Lauris BH <lauris@nix.lv> | 2018-05-22 02:09:48 +0300 |
commit | ee878e3951d059363a1538a94d14576af8e7f83c (patch) | |
tree | d9c84611272ea3651b40609cc0c51541e4e652b9 | |
parent | 31067c0a890cdbf81ea1c696601995f1806ce3a8 (diff) | |
download | gitea-ee878e3951d059363a1538a94d14576af8e7f83c.tar.gz gitea-ee878e3951d059363a1538a94d14576af8e7f83c.zip |
Support secure cookie for csrf-token (#3839)
* dep: Update github.com/go-macaron/csrf
Update github.com/go-macaron/csrf with dep to revision 503617c6b372
to fix issue of csrf-token security.
This update includes the following commits:
- Add support for the Cookie HttpOnly flag
- Support secure mode for csrf cookie
Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
* routers: set csrf-token security depending on COOKIE_SECURE
Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
-rw-r--r-- | Gopkg.lock | 3 | ||||
-rw-r--r-- | routers/routes/routes.go | 1 | ||||
-rw-r--r-- | vendor/github.com/go-macaron/csrf/csrf.go | 25 |
3 files changed, 21 insertions, 8 deletions
diff --git a/Gopkg.lock b/Gopkg.lock
index 147b63fdda..9e1adb1947 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -254,9 +254,10 @@
 revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
 
 [[projects]]
+ branch = "master"
 name = "github.com/go-macaron/csrf"
 packages = ["."]
- revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
+ revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
 
 [[projects]]
 branch = "master"
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 1585a0876d..cb9fbb16aa 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
 Secret: setting.SecretKey,
 Cookie: setting.CSRFCookieName,
 SetCookie: true,
+ Secure: setting.SessionConfig.Secure,
 Header: "X-Csrf-Token",
 CookiePath: setting.AppSubURL,
 }))
diff --git a/vendor/github.com/go-macaron/csrf/csrf.go b/vendor/github.com/go-macaron/csrf/csrf.go
index affc95abfd..19c9b479fa 100644
--- a/vendor/github.com/go-macaron/csrf/csrf.go
+++ b/vendor/github.com/go-macaron/csrf/csrf.go
@@ -41,6 +41,8 @@ type CSRF interface {
 GetCookieName() string
 // Return cookie path
 GetCookiePath() string
+ // Return the flag value used for the csrf token.
+ GetCookieHttpOnly() bool
 // Return the token.
 GetToken() string
 // Validate by token.
@@ -58,6 +60,8 @@ type csrf struct {
 Cookie string
 //Cookie path
 CookiePath string
+ // Cookie HttpOnly flag value used for the csrf token.
+ CookieHttpOnly bool
 // Token generated to pass via header, cookie, or hidden form value.
 Token string
 // This value must be unique per user.
@@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
 return c.CookiePath
 }
 
+// GetCookieHttpOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHttpOnly() bool {
+ return c.CookieHttpOnly
+}
+
 // GetToken returns the current token. This is typically used
 // to populate a hidden form in an HTML template.
 func (c *csrf) GetToken() string {
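Review bot: The routes.go hunk sets `Secure` but never sets `CookieHttpOnly`, while the csrf.go hunk at `@@ -211,7 +222,7 @@` replaces the previously hard-coded `true` in `ctx.SetCookie(...)` with `opt.CookieHttpOnly`, so after this commit the CSRF token cookie is written without HttpOnly unless the library's `prepareOptions` (not in the diff) defaults it, and the `Options` hunk gives no sign that it does. That is a silent regression from the old behaviour: the token cookie becomes readable by page script, which weakens the protection the HttpOnly flag was providing before the vendor update. Add `CookieHttpOnly: true,` next to the new `Secure: setting.SessionConfig.Secure,` line in the `csrf.Options` literal so the flag is set explicitly rather than relying on the vendored default. The enclosing `NewMacaron` function starts and ends outside the hunk.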
@@ -116,6 +125,7 @@ type Options struct {
 Cookie string
 // Cookie path.
 CookiePath string
+ CookieHttpOnly bool
 // Key used for getting the unique ID per user.
 SessionKey string
 // oldSeesionKey saves old value corresponding to SessionKey.
@@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
 opt := prepareOptions(options)
 return func(ctx *macaron.Context, sess session.Store) {
 x := &csrf{
- Secret: opt.Secret,
- Header: opt.Header,
- Form: opt.Form,
- Cookie: opt.Cookie,
- CookiePath: opt.CookiePath,
- ErrorFunc: opt.ErrorFunc,
+ Secret: opt.Secret,
+ Header: opt.Header,
+ Form: opt.Form,
+ Cookie: opt.Cookie,
+ CookiePath: opt.CookiePath,
+ CookieHttpOnly: opt.CookieHttpOnly,
+ ErrorFunc: opt.ErrorFunc,
 }
 ctx.MapTo(x, (*CSRF)(nil))
 
@@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
 // FIXME: actionId.
 x.Token = GenerateToken(x.Secret, x.ID, "POST")
 if opt.SetCookie {
- ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
+ ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
 }
 } |