author | zeripath <art27@cantab.net> | 2018-11-04 15:42:15 +0000 |
committer | techknowlogick <hello@techknowlogick.com> | 2018-11-04 10:42:15 -0500 |
commit | c0bbbdd30b8161e34d34b9aaf398fd050a16f254 (patch) | |
tree | 59a762a2b41ef4e4dda54f28210684023a5db4b6 /modules | |
parent | f95c9667707376626f810abbb2e738e766003185 (diff) | |
Backport #5250 on v1.6: Fix Issue 5249 and protect /api/v1/admin routes with CSRF token (#5272)
* Add CSRF checking to reqToken and place CSRF in the post for deadline creation
Fixes #5226, #5249
* /api/v1/admin/users routes should have reqToken middleware
Diffstat (limited to 'modules')
-rw-r--r-- | modules/context/api.go | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/context/api.go b/modules/context/api.go
index 0bf4307726..6a9c792370 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/go-macaron/csrf"
+
 	"code.gitea.io/git"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/base"
@@ -97,6 +99,17 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }
 
+// RequireCSRF requires a validated a CSRF token
+func (ctx *APIContext) RequireCSRF() {
+	headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
+	formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
+	if len(headerToken) > 0 || len(formValueToken) > 0 {
+		csrf.Validate(ctx.Context.Context, ctx.csrf)
+	} else {
+		ctx.Context.Error(401)
+	}
+}
+
 // APIContexter returns apicontext as macaron middleware
 func APIContexter() macaron.Handler {
 	return func(c *Context) {
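Review bot: RequireCSRF reports a failed check only by writing a response (`csrf.Validate` on an invalid token, `ctx.Context.Error(401)` when no token is present) and returns nothing, so a caller in reqToken that does not test `ctx.Written()` after the call would presumably still run the protected handler; that contract is neither documented nor enforced by the hunk. The doc comment is also garbled ("requires a validated a CSRF token") and should spell the contract out, e.g. `// RequireCSRF validates the CSRF token sent in the request header or form value; on a missing token it writes a 401, on an invalid one csrf.Validate writes the error, and callers must check ctx.Written() before continuing.` A missing CSRF token is more conventionally a 403 than a 401, which implies an authentication challenge; the difference matters for clients that react to 401 by re-authenticating. Whether csrf.Validate itself already rejects a missing token with its own status, making the else branch a deliberate override, cannot be seen from this hunk and is worth a comment either way.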