author | zeripath <art27@cantab.net> | 2021-07-08 14:57:24 +0100 |
committer | GitHub <noreply@github.com> | 2021-07-08 15:57:24 +0200 |
commit | d06f9ce27452ec0b80d548242bf59d65f89952bf (patch) | |
tree | 4aa1997f067b0fa420aee731eb40bddbdfd1a5a8 /modules/context/csrf.go | |
parent | fc1607b3686a5c8c79b9a7853c065a68dcd5218b (diff) | |
download | gitea-d06f9ce27452ec0b80d548242bf59d65f89952bf.tar.gz gitea-d06f9ce27452ec0b80d548242bf59d65f89952bf.zip |
Redirect on bad CSRF instead of presenting bad page (#14937)
The current CSRF handler is a bit harsh with bad CSRF tokens on webpages
I think we can be a little kinder and redirect to base page with a flash error
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/context/csrf.go')
-rw-r--r-- | modules/context/csrf.go | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/modules/context/csrf.go b/modules/context/csrf.go
index ba0e9f6cde..8d179ca904 100644
--- a/modules/context/csrf.go
+++ b/modules/context/csrf.go
@@ -22,6 +22,7 @@ import (
 "net/http"
 "time"
+ "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/web/middleware"
 "github.com/unknwon/com"
@@ -266,7 +267,12 @@ func Validate(ctx *Context, x CSRF) {
 -1, x.GetCookiePath(), x.GetCookieDomain())
 // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
- x.Error(ctx.Resp)
+ if middleware.IsAPIPath(ctx.Req) {
+ x.Error(ctx.Resp)
+ return
+ }
+ ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
+ ctx.Redirect(setting.AppSubURL + "/")
 }
 return
 }
@@ -277,10 +283,19 @@ func Validate(ctx *Context, x CSRF) {
 -1, x.GetCookiePath(), x.GetCookieDomain())
 // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
- x.Error(ctx.Resp)
+ if middleware.IsAPIPath(ctx.Req) {
+ x.Error(ctx.Resp)
+ return
+ }
+ ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
+ ctx.Redirect(setting.AppSubURL + "/")
 }
 return
 }
-
- http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
+ if middleware.IsAPIPath(ctx.Req) {
+ http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
+ return
+ }
+ ctx.Flash.Error(ctx.Tr("error.missing_csrf"))
+ ctx.Redirect(setting.AppSubURL + "/")
 }
|
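Review bot: The API-versus-web dispatch added after each of the three failure sites in Validate is the same block three times (the second and third hunks verbatim, the fourth with a different message and error call), so a later fix applied to one site will silently leave the other two behaving differently; a small helper taking the translation key and the API-side error callback removes the repetition. A side effect worth noting is that the web branch now answers with a redirect rather than an error status, so a rejected or missing CSRF token no longer appears as a 4xx in access logs — a log line in the web branch, next to `ctx.Flash.Error(...)`, would keep these attempts observable for monitoring. Non-API paths that browser JavaScript calls directly would presumably follow the redirect and receive the home page instead of an error, so it may be worth checking that such callers are all covered by `middleware.IsAPIPath`. Validate begins outside the hunks shown.
```go
// csrfFailure answers a CSRF check failure: API callers keep the original
// error response, web callers get a flash message and a redirect to the
// site root.
func csrfFailure(ctx *Context, trKey string, apiError func()) {
	if middleware.IsAPIPath(ctx.Req) {
		apiError()
		return
	}
	ctx.Flash.Error(ctx.Tr(trKey))
	ctx.Redirect(setting.AppSubURL + "/")
}

// … unchanged: cookie clearing at the two token-mismatch sites …
			csrfFailure(ctx, "error.invalid_csrf", func() { x.Error(ctx.Resp) })
// … unchanged: early returns …
	csrfFailure(ctx, "error.missing_csrf", func() {
		http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
	})
```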