authorAleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>2018-05-22 02:09:48 +0300
committerLauris BH <lauris@nix.lv>2018-05-22 02:09:48 +0300
commitee878e3951d059363a1538a94d14576af8e7f83c (patch)
treed9c84611272ea3651b40609cc0c51541e4e652b9 /vendor/github.com
parent31067c0a890cdbf81ea1c696601995f1806ce3a8 (diff)
Support secure cookie for csrf-token (#3839)
* dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix the csrf-token security issue. This update includes the following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com> * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
Diffstat (limited to 'vendor/github.com')
-rw-r--r--vendor/github.com/go-macaron/csrf/csrf.go25
1 files changed, 18 insertions, 7 deletions
diff --git a/vendor/github.com/go-macaron/csrf/csrf.go b/vendor/github.com/go-macaron/csrf/csrf.go
index affc95abfd..19c9b479fa 100644
--- a/vendor/github.com/go-macaron/csrf/csrf.go
+++ b/vendor/github.com/go-macaron/csrf/csrf.go
@@ -41,6 +41,8 @@ type CSRF interface {
GetCookieName() string
// Return cookie path
GetCookiePath() string
+ // Return the flag value used for the csrf token.
+ GetCookieHttpOnly() bool
// Return the token.
GetToken() string
// Validate by token.
@@ -58,6 +60,8 @@ type csrf struct {
Cookie string
//Cookie path
CookiePath string
+ // Cookie HttpOnly flag value used for the csrf token.
+ CookieHttpOnly bool
// Token generated to pass via header, cookie, or hidden form value.
Token string
// This value must be unique per user.
@@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
return c.CookiePath
}
+// GetCookieHttpOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHttpOnly() bool {
+ return c.CookieHttpOnly
+}
+
// GetToken returns the current token. This is typically used
// to populate a hidden form in an HTML template.
func (c *csrf) GetToken() string {
@@ -116,6 +125,7 @@ type Options struct {
Cookie string
// Cookie path.
CookiePath string
+ CookieHttpOnly bool
// Key used for getting the unique ID per user.
SessionKey string
// oldSeesionKey saves old value corresponding to SessionKey.
@@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
opt := prepareOptions(options)
return func(ctx *macaron.Context, sess session.Store) {
x := &csrf{
- Secret: opt.Secret,
- Header: opt.Header,
- Form: opt.Form,
- Cookie: opt.Cookie,
- CookiePath: opt.CookiePath,
- ErrorFunc: opt.ErrorFunc,
+ Secret: opt.Secret,
+ Header: opt.Header,
+ Form: opt.Form,
+ Cookie: opt.Cookie,
+ CookiePath: opt.CookiePath,
+ CookieHttpOnly: opt.CookieHttpOnly,
+ ErrorFunc: opt.ErrorFunc,
}
ctx.MapTo(x, (*CSRF)(nil))
@@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
// FIXME: actionId.
x.Token = GenerateToken(x.Secret, x.ID, "POST")
if opt.SetCookie {
- ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
+ ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
}
}