Support secure cookie for csrf-token (#3839)

* dep: Update github.com/go-macaron/csrf

Update github.com/go-macaron/csrf with dep to revision 503617c6b372
to fix issue of csrf-token security.

This update includes following commits:
- Add support for the Cookie HttpOnly flag
- Support secure mode for csrf cookie

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>

* routers: set csrf-token security depending on COOKIE_SECURE

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
release/v1.15
Aleksandr Bulyshchenko 2018-05-22 02:09:48 +03:00 committed by Lauris BH
parent 31067c0a89
commit ee878e3951
3 changed files with 21 additions and 8 deletions

3
Gopkg.lock generated
View File

@ -254,9 +254,10 @@
revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
[[projects]]
branch = "master"
name = "github.com/go-macaron/csrf"
packages = ["."]
revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
[[projects]]
branch = "master"

View File

@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
Secret: setting.SecretKey,
Cookie: setting.CSRFCookieName,
SetCookie: true,
Secure: setting.SessionConfig.Secure,
Header: "X-Csrf-Token",
CookiePath: setting.AppSubURL,
}))

View File

@ -41,6 +41,8 @@ type CSRF interface {
GetCookieName() string
// Return cookie path
GetCookiePath() string
// Return the flag value used for the csrf token.
GetCookieHttpOnly() bool
// Return the token.
GetToken() string
// Validate by token.
@ -58,6 +60,8 @@ type csrf struct {
Cookie string
//Cookie path
CookiePath string
// Cookie HttpOnly flag value used for the csrf token.
CookieHttpOnly bool
// Token generated to pass via header, cookie, or hidden form value.
Token string
// This value must be unique per user.
@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
return c.CookiePath
}
// GetCookieHttpOnly returns the flag value used for the csrf token.
func (c *csrf) GetCookieHttpOnly() bool {
return c.CookieHttpOnly
}
// GetToken returns the current token. This is typically used
// to populate a hidden form in an HTML template.
func (c *csrf) GetToken() string {
@ -116,6 +125,7 @@ type Options struct {
Cookie string
// Cookie path.
CookiePath string
CookieHttpOnly bool
// Key used for getting the unique ID per user.
SessionKey string
// oldSeesionKey saves old value corresponding to SessionKey.
@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
opt := prepareOptions(options)
return func(ctx *macaron.Context, sess session.Store) {
x := &csrf{
Secret: opt.Secret,
Header: opt.Header,
Form: opt.Form,
Cookie: opt.Cookie,
CookiePath: opt.CookiePath,
ErrorFunc: opt.ErrorFunc,
Secret: opt.Secret,
Header: opt.Header,
Form: opt.Form,
Cookie: opt.Cookie,
CookiePath: opt.CookiePath,
CookieHttpOnly: opt.CookieHttpOnly,
ErrorFunc: opt.ErrorFunc,
}
ctx.MapTo(x, (*CSRF)(nil))
@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
// FIXME: actionId.
x.Token = GenerateToken(x.Secret, x.ID, "POST")
if opt.SetCookie {
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
}
}