From f5e2adb4275e19df543688c241d4d9030b8da01c Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Fri, 29 Dec 2017 15:04:12 -0700
Subject: [PATCH] Attempt to fix CSRF, still untested though

---
 api/server.go   |  2 +-
 api/validate.go | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/api/server.go b/api/server.go
index fb24a011..7af1487f 100644
--- a/api/server.go
+++ b/api/server.go
@@ -166,7 +166,7 @@ func (s *Server) handle(rw http.ResponseWriter, req *http.Request) (*types.APICo
 		return apiRequest, err
 	}
 
-	if err := CheckCSRF(rw, req); err != nil {
+	if err := CheckCSRF(apiRequest); err != nil {
 		return apiRequest, err
 	}
 
diff --git a/api/validate.go b/api/validate.go
index 9132a0b7..0a27d62a 100644
--- a/api/validate.go
+++ b/api/validate.go
@@ -45,12 +45,12 @@ func ValidateAction(request *types.APIContext) (*types.Action, error) {
 	return &action, nil
 }
 
-func CheckCSRF(rw http.ResponseWriter, req *http.Request) error {
-	if !parse.IsBrowser(req, false) {
+func CheckCSRF(apiContext *types.APIContext) error {
+	if !parse.IsBrowser(apiContext.Request, false) {
 		return nil
 	}
 
-	cookie, err := req.Cookie(csrfCookie)
+	cookie, err := apiContext.Request.Cookie(csrfCookie)
 	if err == http.ErrNoCookie {
 		bytes := make([]byte, 5)
 		_, err := rand.Read(bytes)
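Review bot: CheckCSRF is exported but carries no doc comment, and the new signature changes its contract (it now reads apiContext.Method and writes to apiContext.Response rather than taking the raw request and writer), so a comment above `func CheckCSRF(apiContext *types.APIContext) error {` is worth adding: `// CheckCSRF enforces the csrf cookie for browser requests: it issues the cookie when absent and, for non-GET requests (judged by apiContext.Method so that _method overrides are honoured), requires the cookie value to be echoed in the csrfHeader header or the csrfCookie query parameter.` Note also that `cookie` is nil when `apiContext.Request.Cookie` returns http.ErrNoCookie, so the body of that branch (outside this hunk) must assign a fresh *http.Cookie before the function's later `cookie.Path = "/"`; presumably it does, but worth confirming. The function body continues past the end of this hunk.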
@@ -64,13 +64,13 @@ func CheckCSRF(rw http.ResponseWriter, req *http.Request) error {
 		}
 	} else if err != nil {
 		return httperror.NewAPIError(httperror.InvalidCSRFToken, "Failed to parse cookies")
-	} else if req.Method != http.MethodGet {
+	} else if apiContext.Method != http.MethodGet {
 		/*
-		 * Very important to use request.getMethod() and not httpRequest.getMethod(). The client can override the HTTP method with _method
+		 * Very important to use apiContext.Method and not apiContext.Request.Method. The client can override the HTTP method with _method
 		 */
-		if cookie.Value == req.Header.Get(csrfHeader) {
+		if cookie.Value == apiContext.Request.Header.Get(csrfHeader) {
 			// Good
-		} else if cookie.Value == req.URL.Query().Get(csrfCookie) {
+		} else if cookie.Value == apiContext.Request.URL.Query().Get(csrfCookie) {
 			// Good
 		} else {
 			return httperror.NewAPIError(httperror.InvalidCSRFToken, "Invalid CSRF token")
@@ -78,6 +78,6 @@ func CheckCSRF(rw http.ResponseWriter, req *http.Request) error {
 	}
 
 	cookie.Path = "/"
-	http.SetCookie(rw, cookie)
+	http.SetCookie(apiContext.Response, cookie)
 	return nil
 }
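Review bot: A browser request that carries no csrf cookie never reaches the method check on the `} else if apiContext.Method != http.MethodGet {` line, because that condition is the third arm of the else-chain that starts with `err == http.ErrNoCookie`; unless the body of that first arm (lines 57–63, outside this hunk) returns an error, a first non-GET request from a browser is accepted, a token is minted and the function returns nil. That branch should refuse to issue a token on a state-changing request, e.g. as its first statement `if apiContext.Method != http.MethodGet { return httperror.NewAPIError(httperror.InvalidCSRFToken, "Invalid CSRF token") }`. The two `cookie.Value == …` comparisons are plain string equality; `subtle.ConstantTimeCompare([]byte(cookie.Value), []byte(v)) == 1` from crypto/subtle is the conventional form for token checks. Accepting the token from `apiContext.Request.URL.Query()` also places it in access logs and Referer headers, so consider limiting the check to the header unless a caller depends on the query form. CheckCSRF begins and ends outside this hunk.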
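Review bot: `http.SetCookie(apiContext.Response, cookie)` re-issues the cookie on every browser request with only `Path` populated, so the token is also sent over plain HTTP; when the API is served over TLS the usual caveat is `cookie.Secure = true`, gated on however this deployment detects TLS (`apiContext.Request.TLS != nil` is only right when no proxy terminates it). HttpOnly is presumably left unset on purpose, since the header form of the check in the previous hunk seems to rely on client script reading the value — confirm rather than assume. Line 80 `cookie.Path = "/"` dereferences `cookie`, which is nil when `Request.Cookie` returned http.ErrNoCookie, so it depends on the ErrNoCookie branch (outside this hunk) always assigning a new cookie, including on its `rand.Read` error path. The function starts before this hunk.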