From ee878e3951d059363a1538a94d14576af8e7f83c Mon Sep 17 00:00:00 2001
From: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
Date: Tue, 22 May 2018 02:09:48 +0300
Subject: [PATCH] Support secure cookie for csrf-token (#3839)

* dep: Update github.com/go-macaron/csrf

Update github.com/go-macaron/csrf with dep to revision 503617c6b372
to fix issue of csrf-token security.

This update includes the following commits:
- Add support for the Cookie HttpOnly flag
- Support secure mode for csrf cookie

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>

* routers: set csrf-token security depending on COOKIE_SECURE

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
---
 Gopkg.lock                                |  3 ++-
 routers/routes/routes.go                  |  1 +
 vendor/github.com/go-macaron/csrf/csrf.go | 25 ++++++++++++++++-------
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/Gopkg.lock b/Gopkg.lock
index 147b63fdda..9e1adb1947 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -254,9 +254,10 @@
   revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
 
 [[projects]]
+  branch = "master"
   name = "github.com/go-macaron/csrf"
   packages = ["."]
-  revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
+  revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
 
 [[projects]]
   branch = "master"
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 1585a0876d..cb9fbb16aa 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
 		Secret:     setting.SecretKey,
 		Cookie:     setting.CSRFCookieName,
 		SetCookie:  true,
+		Secure:     setting.SessionConfig.Secure,
 		Header:     "X-Csrf-Token",
 		CookiePath: setting.AppSubURL,
 	}))
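Review bot: The added `Secure:` line wires the Secure flag to the session config but leaves the csrf package's new `CookieHttpOnly` option unset, so it takes the zero value false; the removed line in the last hunk of vendor/github.com/go-macaron/csrf/csrf.go shows HttpOnly was previously hardcoded to true in the SetCookie call, so this commit appears to drop HttpOnly from the CSRF cookie unless prepareOptions (not in this diff) defaults it to true. If nothing in the front-end needs to read the token out of the cookie rather than from the rendered page, keep the previous protection by adding `CookieHttpOnly: true,` next to the `Secure:` line. NewMacaron's body starts and ends outside the hunk.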
diff --git a/vendor/github.com/go-macaron/csrf/csrf.go b/vendor/github.com/go-macaron/csrf/csrf.go
index affc95abfd..19c9b479fa 100644
--- a/vendor/github.com/go-macaron/csrf/csrf.go
+++ b/vendor/github.com/go-macaron/csrf/csrf.go
@@ -41,6 +41,8 @@ type CSRF interface {
 	GetCookieName() string
 	// Return cookie path
 	GetCookiePath() string
+	// Return the flag value used for the csrf token.
+	GetCookieHttpOnly() bool
 	// Return the token.
 	GetToken() string
 	// Validate by token.
@@ -58,6 +60,8 @@ type csrf struct {
 	Cookie string
 	//Cookie path
 	CookiePath string
+	// Cookie HttpOnly flag value used for the csrf token.
+	CookieHttpOnly bool
 	// Token generated to pass via header, cookie, or hidden form value.
 	Token string
 	// This value must be unique per user.
@@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
 	return c.CookiePath
 }
 
+// GetCookieHttpOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHttpOnly() bool {
+	return c.CookieHttpOnly
+}
+
 // GetToken returns the current token. This is typically used
 // to populate a hidden form in an HTML template.
 func (c *csrf) GetToken() string {
@@ -116,6 +125,7 @@ type Options struct {
 	Cookie string
 	// Cookie path.
 	CookiePath string
+	CookieHttpOnly bool
 	// Key used for getting the unique ID per user.
 	SessionKey string
 	// oldSeesionKey saves old value corresponding to SessionKey.
@@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
 	opt := prepareOptions(options)
 	return func(ctx *macaron.Context, sess session.Store) {
 		x := &csrf{
-			Secret:     opt.Secret,
-			Header:     opt.Header,
-			Form:       opt.Form,
-			Cookie:     opt.Cookie,
-			CookiePath: opt.CookiePath,
-			ErrorFunc:  opt.ErrorFunc,
+			Secret:         opt.Secret,
+			Header:         opt.Header,
+			Form:           opt.Form,
+			Cookie:         opt.Cookie,
+			CookiePath:     opt.CookiePath,
+			CookieHttpOnly: opt.CookieHttpOnly,
+			ErrorFunc:      opt.ErrorFunc,
 		}
 		ctx.MapTo(x, (*CSRF)(nil))
 
@@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
 			// FIXME: actionId.
 			x.Token = GenerateToken(x.Secret, x.ID, "POST")
 			if opt.SetCookie {
-				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
+				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
 			}
 		}