author | zeripath <art27@cantab.net> | 2021-03-07 08:12:43 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-07 08:12:43 +0000 |
commit | 9b261f52f074fcc11fd705dae63084364c4f7adf (patch) | |
tree | 587521b6929105a76b288a962316504380c1c494 /modules/context/csrf.go | |
parent | beed5476e2831f7a0943d484873f4f49dfdd256f (diff) | |
Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default.
There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR.
Fix #5583
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/context/csrf.go')
-rw-r--r-- | modules/context/csrf.go | 33 |
1 files changed, 27 insertions, 6 deletions
diff --git a/modules/context/csrf.go b/modules/context/csrf.go
index 4a26664bf3..ba0e9f6cde 100644
--- a/modules/context/csrf.go
+++ b/modules/context/csrf.go
@@ -22,6 +22,8 @@ import (
 	"net/http"
 	"time"
 
+	"code.gitea.io/gitea/modules/web/middleware"
+
 	"github.com/unknwon/com"
 )
 
@@ -37,6 +39,8 @@ type CSRF interface {
 	GetCookiePath() string
 	// Return the flag value used for the csrf token.
 	GetCookieHTTPOnly() bool
+	// Return cookie domain
+	GetCookieDomain() string
 	// Return the token.
 	GetToken() string
 	// Validate by token.
@@ -93,6 +97,11 @@ func (c *csrf) GetCookieHTTPOnly() bool {
 	return c.CookieHTTPOnly
 }
 
+// GetCookieDomain returns the flag value used for the csrf token.
+func (c *csrf) GetCookieDomain() string {
+	return c.CookieDomain
+}
+
 // GetToken returns the current token. This is typically used
 // to populate a hidden form in an HTML template.
 func (c *csrf) GetToken() string {
@@ -227,10 +236,14 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
 		if opt.CookieLifeTime == 0 {
 			expires = time.Now().AddDate(0, 0, 1)
 		}
-		ctx.SetCookie(opt.Cookie, x.Token, opt.CookieLifeTime, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHTTPOnly, expires,
-			func(c *http.Cookie) {
-				c.SameSite = opt.SameSite
-			},
+		middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token,
+			opt.CookieLifeTime,
+			opt.CookiePath,
+			opt.CookieDomain,
+			opt.Secure,
+			opt.CookieHTTPOnly,
+			expires,
+			middleware.SameSite(opt.SameSite),
 		)
 	}
 }
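Review bot: The doc comment added for GetCookieDomain in the third hunk (`@@ -93,6 +97,11 @@`) is copied from GetCookieHTTPOnly and describes a flag, but the method returns the cookie's Domain attribute; `// GetCookieDomain returns the domain the csrf cookie is scoped to.` would be accurate. The interface comment added in the second hunk, `// Return cookie domain`, could be worded the same way so the two stay consistent.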
@@ -248,14 +261,22 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
 func Validate(ctx *Context, x CSRF) {
 	if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
 		if !x.ValidToken(token) {
-			ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
+			// Delete the cookie
+			middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
+				-1,
+				x.GetCookiePath(),
+				x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
 			x.Error(ctx.Resp)
 		}
 		return
 	}
 	if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
 		if !x.ValidToken(token) {
-			ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
+			// Delete the cookie
+			middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
+				-1,
+				x.GetCookiePath(),
+				x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
 			x.Error(ctx.Resp)
 		}
 		return
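Review bot: The FIXME left on the deletion calls in both branches of Validate is worth resolving rather than carrying: a Set-Cookie replaces an existing cookie only when name, domain and path match, which the new code now satisfies, but browsers that implement the "Leave Secure Cookies Alone" rule will not let a non-Secure Set-Cookie evict a Secure cookie when the response is not served over a secure connection, so the deletion should carry the same Secure/HttpOnly/SameSite attributes as the cookie it clears. The interface as shown exposes GetCookieHTTPOnly() and the new GetCookieDomain() but not the Secure or SameSite values, so forwarding them here means adding accessors for those two as well; once the secure argument is available, `x.GetCookieHTTPOnly()` can be passed alongside it. The same five-line deletion block appears verbatim in both branches; a small helper such as `deleteCSRFCookie(ctx, x)` would keep them in step when the attributes are added. Validate's closing brace lies outside the hunk.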