aboutsummaryrefslogtreecommitdiffstats
path: root/modules/context/csrf.go
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2021-07-08 14:57:24 +0100
committerGitHub <noreply@github.com>2021-07-08 15:57:24 +0200
commitd06f9ce27452ec0b80d548242bf59d65f89952bf (patch)
tree4aa1997f067b0fa420aee731eb40bddbdfd1a5a8 /modules/context/csrf.go
parentfc1607b3686a5c8c79b9a7853c065a68dcd5218b (diff)
downloadgitea-d06f9ce27452ec0b80d548242bf59d65f89952bf.tar.gz
gitea-d06f9ce27452ec0b80d548242bf59d65f89952bf.zip
Redirect on bad CSRF instead of presenting bad page (#14937)
The current CSRF handler is a bit harsh with bad CSRF tokens on webpages I think we can be a little kinder and redirect to base page with a flash error Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/context/csrf.go')
-rw-r--r--modules/context/csrf.go23
1 files changed, 19 insertions, 4 deletions
diff --git a/modules/context/csrf.go b/modules/context/csrf.go
index ba0e9f6cde..8d179ca904 100644
--- a/modules/context/csrf.go
+++ b/modules/context/csrf.go
@@ -22,6 +22,7 @@ import (
"net/http"
"time"
+ "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
"github.com/unknwon/com"
@@ -266,7 +267,12 @@ func Validate(ctx *Context, x CSRF) {
-1,
x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
- x.Error(ctx.Resp)
+ if middleware.IsAPIPath(ctx.Req) {
+ x.Error(ctx.Resp)
+ return
+ }
+ ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
+ ctx.Redirect(setting.AppSubURL + "/")
}
return
}
@@ -277,10 +283,19 @@ func Validate(ctx *Context, x CSRF) {
-1,
x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
- x.Error(ctx.Resp)
+ if middleware.IsAPIPath(ctx.Req) {
+ x.Error(ctx.Resp)
+ return
+ }
+ ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
+ ctx.Redirect(setting.AppSubURL + "/")
}
return
}
-
- http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
+ if middleware.IsAPIPath(ctx.Req) {
+ http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
+ return
+ }
+ ctx.Flash.Error(ctx.Tr("error.missing_csrf"))
+ ctx.Redirect(setting.AppSubURL + "/")
}