authorzeripath <art27@cantab.net>2018-11-04 15:42:15 +0000
committertechknowlogick <hello@techknowlogick.com>2018-11-04 10:42:15 -0500
commitc0bbbdd30b8161e34d34b9aaf398fd050a16f254 (patch)
tree59a762a2b41ef4e4dda54f28210684023a5db4b6 /modules
parentf95c9667707376626f810abbb2e738e766003185 (diff)
Backport #5250 on v1.6: Fix Issue 5249 and protect /api/v1/admin routes with CSRF token (#5272)
* Add CSRF checking to reqToken and place CSRF in the post for deadline creation. Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware
Diffstat (limited to 'modules')
-rw-r--r--modules/context/api.go13
1 files changed, 13 insertions, 0 deletions
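diff --git a/modules/context/api.go b/modules/context/api.go
index 0bf4307726..6a9c792370 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,6 +8,8 @@ import (
 "fmt"
 "strings"
+ "github.com/go-macaron/csrf"
+
 "code.gitea.io/git"
 "code.gitea.io/gitea/models"
 "code.gitea.io/gitea/modules/base"
@@ -97,6 +99,17 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 }
 }
+// RequireCSRF requires a validated a CSRF token
+func (ctx *APIContext) RequireCSRF() {
+ headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
+ formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
+ if len(headerToken) > 0 || len(formValueToken) > 0 {
+ csrf.Validate(ctx.Context.Context, ctx.csrf)
+ } else {
+ ctx.Context.Error(401)
+ }
+}
+
 // APIContexter returns apicontext as macaron middleware
 func APIContexter() macaron.Handler {
 return func(c *Context) {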
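Review bot: RequireCSRF returns normally whether or not csrf.Validate accepted the token, so a caller only learns that the request was rejected if it checks `ctx.Written()` before continuing; the middleware that calls it (reqToken, per the commit message) lies outside this hunk, so that check cannot be confirmed here and is worth a comment on the function. The presence test on the two lines before the call appears to duplicate what csrf.Validate does itself (as far as I recall it reads the same header and form names), and the two rejection paths answer differently — 401 from ctx.Context.Error, versus the 400 that go-macaron/csrf's default error handler writes for a bad token if that default is in use — so either align them or document the distinction. The doc comment also has a stray word; suggest `// RequireCSRF validates the CSRF token supplied in the header or form and responds 401 when neither is present; callers must check ctx.Written() afterwards.`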