authorzeripath <art27@cantab.net>2018-11-04 01:15:55 +0000
committertechknowlogick <hello@techknowlogick.com>2018-11-03 21:15:55 -0400
commit7096085f2b07246315e95e394b180ce9729efbb0 (patch)
treebd19725b9897567b5868d7edabe7a800da1899f4 /routers
parent57a8440db372d3b2a01d3ef12a4a560424a08657 (diff)
downloadgitea-7096085f2b07246315e95e394b180ce9729efbb0.tar.gz
gitea-7096085f2b07246315e95e394b180ce9729efbb0.zip
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250)
* Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware
Diffstat (limited to 'routers')
-rw-r--r--routers/api/v1/api.go12
1 files changed, 8 insertions, 4 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index b12cb1374a..a839ce8dc1 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -174,11 +174,15 @@ func repoAssignment() macaron.Handler {
// Contexter middleware already checks token for user sign in process.
func reqToken() macaron.Handler {
- return func(ctx *context.Context) {
- if true != ctx.Data["IsApiToken"] {
- ctx.Error(401)
+ return func(ctx *context.APIContext) {
+ if true == ctx.Data["IsApiToken"] {
+ return
+ }
+ if ctx.IsSigned {
+ ctx.RequireCSRF()
return
}
+ ctx.Context.Error(401)
}
}
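Review bot: The comment on the line before this hunk, `// Contexter middleware already checks token for user sign in process.`, no longer describes reqToken, which after this change also admits a session-signed-in user (ctx.IsSigned) via ctx.RequireCSRF() and returns 401 only when neither an API token nor a session is present. A maintainer reading only that comment would not realise cookie-authenticated browser sessions are now accepted on token-gated routes, so I would replace it with `// reqToken admits a request carrying a valid API token; a session-authenticated user is admitted only after a CSRF check, anything else gets 401.`. The IsSigned branch also relies on RequireCSRF writing a response so that the bare `return` ends the chain; if RequireCSRF can reject without writing, the request would fall through to the route handler, which is worth confirming against its implementation since that is not visible here.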
@@ -635,7 +639,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)
})
})
- }, reqAdmin())
+ }, reqToken(), reqAdmin())
m.Group("/topics", func() {
m.Get("/search", repo.TopicSearch)