From f894f8fc5df2c9ef41b6807cc9ca3eacb09bc259 Mon Sep 17 00:00:00 2001
From: Vincent Fiduccia
Date: Mon, 24 Feb 2020 15:50:44 -0700
Subject: [PATCH] CSRF Cookie fixes

- Only set the cookie if it doesn't exist
- Always mark it secure (it was previously getting re-sent as not)
-.Check the value against the header even if there was no value (so that a request that is missing the cookie but should have had one fails).
---
 api/validate.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/api/validate.go b/api/validate.go
index 1e308b9a..65c7ace3 100644
--- a/api/validate.go
+++ b/api/validate.go
@@ -61,11 +61,17 @@ func CheckCSRF(apiContext *types.APIContext) error {
 cookie = &http.Cookie{
 Name: csrfCookie,
 Value: hex.EncodeToString(bytes),
+ Path: "/",
 Secure: true,
 }
+
+ http.SetCookie(apiContext.Response, cookie)
 } else if err != nil {
 return httperror.NewAPIError(httperror.InvalidCSRFToken, "Failed to parse cookies")
- } else if apiContext.Method != http.MethodGet {
+ }
+
+ // Not an else-if, because this should happen even if there was no cookie to begin with.
+ if apiContext.Method != http.MethodGet {
 /*
 * Very important to use apiContext.Method and not apiContext.Request.Method. The client can override the HTTP method with _method
 */
@@ -78,7 +84,5 @@ func CheckCSRF(apiContext *types.APIContext) error {
 }
 }
 
- cookie.Path = "/"
- http.SetCookie(apiContext.Response, cookie)
 return nil
 }
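Review bot: The freshly minted cookie in the first hunk (`cookie = &http.Cookie{ … Secure: true }`) carries no `SameSite` attribute, and since this branch is now the only place in CheckCSRF that writes the cookie, it is the one place to add it: `SameSite: http.SameSiteLaxMode,` next to `Secure: true` (needs Go 1.11+, which I cannot confirm from here). HttpOnly is presumably omitted on purpose so client script can copy the value into the CSRF header for the double-submit comparison; that is fine, but a one-line comment saying so would stop the next reader from "fixing" it. Two caveats worth a comment near `Secure: true`: a browser discards a Secure cookie served over plain HTTP, so on a non-TLS deployment every non-GET request will now fail the check that follows, and that header-vs-cookie comparison itself lies outside the hunk, so if it is a plain `!=` consider `subtle.ConstantTimeCompare`. CheckCSRF starts before the first hunk and the condition of the `if` whose body the hunk lands in is not visible.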