Support secure cookie for csrf-token (#3839)
* dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix issue of csrf-token security. This update includes following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com> * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
This commit is contained in:
parent
31067c0a89
commit
ee878e3951
|
@ -254,9 +254,10 @@
|
||||||
revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
|
revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
|
branch = "master"
|
||||||
name = "github.com/go-macaron/csrf"
|
name = "github.com/go-macaron/csrf"
|
||||||
packages = ["."]
|
packages = ["."]
|
||||||
revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
|
revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
branch = "master"
|
branch = "master"
|
||||||
|
|
|
@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
|
||||||
Secret: setting.SecretKey,
|
Secret: setting.SecretKey,
|
||||||
Cookie: setting.CSRFCookieName,
|
Cookie: setting.CSRFCookieName,
|
||||||
SetCookie: true,
|
SetCookie: true,
|
||||||
|
Secure: setting.SessionConfig.Secure,
|
||||||
Header: "X-Csrf-Token",
|
Header: "X-Csrf-Token",
|
||||||
CookiePath: setting.AppSubURL,
|
CookiePath: setting.AppSubURL,
|
||||||
}))
|
}))
|
||||||
|
|
|
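Review bot: The csrf Options literal in NewMacaron gains `Secure: setting.SessionConfig.Secure` but never sets `CookieHttpOnly`, and the vendored csrf.go hunk in this same commit changes the cookie write from a hard-coded `true` HttpOnly flag to `opt.CookieHttpOnly`, so after this update the csrf cookie is issued without HttpOnly (the bool's zero value) and becomes readable from page scripts. Add `CookieHttpOnly: true,` next to the new `Secure:` line to keep the previous behaviour. The `Secure` field of Options is not visible in the vendored hunk (only `CookieHttpOnly` is added to the struct there), so presumably it is declared elsewhere in the updated library; worth confirming it exists under that name. NewMacaron begins outside this hunk.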
@ -41,6 +41,8 @@ type CSRF interface {
|
||||||
GetCookieName() string
|
GetCookieName() string
|
||||||
// Return cookie path
|
// Return cookie path
|
||||||
GetCookiePath() string
|
GetCookiePath() string
|
||||||
|
// Return the flag value used for the csrf token.
|
||||||
|
GetCookieHttpOnly() bool
|
||||||
// Return the token.
|
// Return the token.
|
||||||
GetToken() string
|
GetToken() string
|
||||||
// Validate by token.
|
// Validate by token.
|
||||||
|
@ -58,6 +60,8 @@ type csrf struct {
|
||||||
Cookie string
|
Cookie string
|
||||||
//Cookie path
|
//Cookie path
|
||||||
CookiePath string
|
CookiePath string
|
||||||
|
// Cookie HttpOnly flag value used for the csrf token.
|
||||||
|
CookieHttpOnly bool
|
||||||
// Token generated to pass via header, cookie, or hidden form value.
|
// Token generated to pass via header, cookie, or hidden form value.
|
||||||
Token string
|
Token string
|
||||||
// This value must be unique per user.
|
// This value must be unique per user.
|
||||||
|
@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
|
||||||
return c.CookiePath
|
return c.CookiePath
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetCookieHttpOnly returns the flag value used for the csrf token.
|
||||||
|
func (c *csrf) GetCookieHttpOnly() bool {
|
||||||
|
return c.CookieHttpOnly
|
||||||
|
}
|
||||||
|
|
||||||
// GetToken returns the current token. This is typically used
|
// GetToken returns the current token. This is typically used
|
||||||
// to populate a hidden form in an HTML template.
|
// to populate a hidden form in an HTML template.
|
||||||
func (c *csrf) GetToken() string {
|
func (c *csrf) GetToken() string {
|
||||||
|
@ -116,6 +125,7 @@ type Options struct {
|
||||||
Cookie string
|
Cookie string
|
||||||
// Cookie path.
|
// Cookie path.
|
||||||
CookiePath string
|
CookiePath string
|
||||||
|
CookieHttpOnly bool
|
||||||
// Key used for getting the unique ID per user.
|
// Key used for getting the unique ID per user.
|
||||||
SessionKey string
|
SessionKey string
|
||||||
// oldSeesionKey saves old value corresponding to SessionKey.
|
// oldSeesionKey saves old value corresponding to SessionKey.
|
||||||
|
@ -178,6 +188,7 @@ func Generate(options ...Options) macaron.Handler {
|
||||||
Form: opt.Form,
|
Form: opt.Form,
|
||||||
Cookie: opt.Cookie,
|
Cookie: opt.Cookie,
|
||||||
CookiePath: opt.CookiePath,
|
CookiePath: opt.CookiePath,
|
||||||
|
CookieHttpOnly: opt.CookieHttpOnly,
|
||||||
ErrorFunc: opt.ErrorFunc,
|
ErrorFunc: opt.ErrorFunc,
|
||||||
}
|
}
|
||||||
ctx.MapTo(x, (*CSRF)(nil))
|
ctx.MapTo(x, (*CSRF)(nil))
|
||||||
|
@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
|
||||||
// FIXME: actionId.
|
// FIXME: actionId.
|
||||||
x.Token = GenerateToken(x.Secret, x.ID, "POST")
|
x.Token = GenerateToken(x.Secret, x.ID, "POST")
|
||||||
if opt.SetCookie {
|
if opt.SetCookie {
|
||||||
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
|
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|