Support secure cookie for csrf-token (#3839)
* dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix issue of csrf-token security. This update includes following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com> * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>release/v1.15
parent
31067c0a89
commit
ee878e3951
|
@ -254,9 +254,10 @@
|
|||
revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
|
||||
|
||||
[[projects]]
|
||||
branch = "master"
|
||||
name = "github.com/go-macaron/csrf"
|
||||
packages = ["."]
|
||||
revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
|
||||
revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
|
||||
|
||||
[[projects]]
|
||||
branch = "master"
|
||||
|
|
|
@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
|
|||
Secret: setting.SecretKey,
|
||||
Cookie: setting.CSRFCookieName,
|
||||
SetCookie: true,
|
||||
Secure: setting.SessionConfig.Secure,
|
||||
Header: "X-Csrf-Token",
|
||||
CookiePath: setting.AppSubURL,
|
||||
}))
|
||||
|
|
|
@ -41,6 +41,8 @@ type CSRF interface {
|
|||
GetCookieName() string
|
||||
// Return cookie path
|
||||
GetCookiePath() string
|
||||
// Return the flag value used for the csrf token.
|
||||
GetCookieHttpOnly() bool
|
||||
// Return the token.
|
||||
GetToken() string
|
||||
// Validate by token.
|
||||
|
@ -58,6 +60,8 @@ type csrf struct {
|
|||
Cookie string
|
||||
//Cookie path
|
||||
CookiePath string
|
||||
// Cookie HttpOnly flag value used for the csrf token.
|
||||
CookieHttpOnly bool
|
||||
// Token generated to pass via header, cookie, or hidden form value.
|
||||
Token string
|
||||
// This value must be unique per user.
|
||||
|
@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
|
|||
return c.CookiePath
|
||||
}
|
||||
|
||||
// GetCookieHttpOnly returns the flag value used for the csrf token.
|
||||
func (c *csrf) GetCookieHttpOnly() bool {
|
||||
return c.CookieHttpOnly
|
||||
}
|
||||
|
||||
// GetToken returns the current token. This is typically used
|
||||
// to populate a hidden form in an HTML template.
|
||||
func (c *csrf) GetToken() string {
|
||||
|
@ -116,6 +125,7 @@ type Options struct {
|
|||
Cookie string
|
||||
// Cookie path.
|
||||
CookiePath string
|
||||
CookieHttpOnly bool
|
||||
// Key used for getting the unique ID per user.
|
||||
SessionKey string
|
||||
// oldSeesionKey saves old value corresponding to SessionKey.
|
||||
|
@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
|
|||
opt := prepareOptions(options)
|
||||
return func(ctx *macaron.Context, sess session.Store) {
|
||||
x := &csrf{
|
||||
Secret: opt.Secret,
|
||||
Header: opt.Header,
|
||||
Form: opt.Form,
|
||||
Cookie: opt.Cookie,
|
||||
CookiePath: opt.CookiePath,
|
||||
ErrorFunc: opt.ErrorFunc,
|
||||
Secret: opt.Secret,
|
||||
Header: opt.Header,
|
||||
Form: opt.Form,
|
||||
Cookie: opt.Cookie,
|
||||
CookiePath: opt.CookiePath,
|
||||
CookieHttpOnly: opt.CookieHttpOnly,
|
||||
ErrorFunc: opt.ErrorFunc,
|
||||
}
|
||||
ctx.MapTo(x, (*CSRF)(nil))
|
||||
|
||||
|
@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
|
|||
// FIXME: actionId.
|
||||
x.Token = GenerateToken(x.Secret, x.ID, "POST")
|
||||
if opt.SetCookie {
|
||||
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
|
||||
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue