github/steve
1
0
Fork 0
mirror of https://github.com/niusmallnan/steve.git synced 2025-08-09 01:07:25 +00:00
Code Issues Projects Releases Wiki Activity

CSRF Cookie fixes

Browse Source 
- Only set the cookie if it doesn't exist
- Always mark it secure (it was previously getting re-sent as not)
- Check the value against the header even if there was no value (so that
a request that is missing the cookie but should have had one fails).
This commit is contained in:
Darren Shepherd 2020-02-26 12:35:24 -07:00
parent e2e87cda53
commit 0846768069
2 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/schemaserver/server/validate.go
View File

@ -56,7 +56,11 @@ func CheckCSRF(apiOp *types.APIRequest) error {
cookie = &http.Cookie{ cookie = &http.Cookie{
Name: csrfCookie, Name: csrfCookie,
Value: hex.EncodeToString(bytes), Value: hex.EncodeToString(bytes),
Path: "/",
Secure: true,
} }
http.SetCookie(apiContext.Response, cookie)
} else if err != nil { } else if err != nil {
return httperror.NewAPIError(validation.InvalidCSRFToken, "Failed to parse cookies") return httperror.NewAPIError(validation.InvalidCSRFToken, "Failed to parse cookies")
} else if apiOp.Method != http.MethodGet { } else if apiOp.Method != http.MethodGet {
@ -72,7 +76,5 @@ func CheckCSRF(apiOp *types.APIRequest) error {
} }
} }
cookie.Path = "/"
http.SetCookie(apiOp.Response, cookie)
return nil return nil
} }

3
pkg/schemaserver/subscribe/handler.go
View File

@ -4,10 +4,9 @@ import (
"encoding/json" "encoding/json"
"time" "time"
"github.com/rancher/wrangler/pkg/schemas/validation"
"github.com/gorilla/websocket" "github.com/gorilla/websocket"
"github.com/rancher/steve/pkg/schemaserver/types" "github.com/rancher/steve/pkg/schemaserver/types"
"github.com/rancher/wrangler/pkg/schemas/validation"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )