
CSRF Cookie fixes

- Only set the cookie if it doesn't exist
- Always mark it secure (it was previously getting re-sent as not)
- Check the value against the header even if there was no cookie value (so that
a request that is missing the cookie but should have had one fails).
This commit is contained in:
Vincent Fiduccia
2020-02-24 15:50:44 -07:00
parent 9bd5ca9698
commit f894f8fc5d


@@ -61,11 +61,17 @@ func CheckCSRF(apiContext *types.APIContext) error {
cookie = &http.Cookie{ cookie = &http.Cookie{
Name: csrfCookie, Name: csrfCookie,
Value: hex.EncodeToString(bytes), Value: hex.EncodeToString(bytes),
Path: "/",
Secure: true, Secure: true,
} }
http.SetCookie(apiContext.Response, cookie)
} else if err != nil { } else if err != nil {
return httperror.NewAPIError(httperror.InvalidCSRFToken, "Failed to parse cookies") return httperror.NewAPIError(httperror.InvalidCSRFToken, "Failed to parse cookies")
} else if apiContext.Method != http.MethodGet { }
// Not an else-if, because this should happen even if there was no cookie to begin with.
if apiContext.Method != http.MethodGet {
/* /*
* Very important to use apiContext.Method and not apiContext.Request.Method. The client can override the HTTP method with _method * Very important to use apiContext.Method and not apiContext.Request.Method. The client can override the HTTP method with _method
*/ */
@@ -78,7 +84,5 @@ func CheckCSRF(apiContext *types.APIContext) error {
} }
} }
cookie.Path = "/"
http.SetCookie(apiContext.Response, cookie)
return nil return nil
} }
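Review bot: The freshly minted cookie literal in the first hunk sets `Path` and `Secure` but no `SameSite`, so a cross-site POST from a browser that still attaches third-party cookies will carry the CSRF cookie along; since this is a double-submit token that the page script presumably has to read (hence no `HttpOnly`), `SameSite` is the one remaining attribute that hardens it at no cost, e.g. add `SameSite: http.SameSiteLaxMode,` to the `&http.Cookie{...}` literal (requires Go 1.11+ — confirm against go.mod). The comparison that the commit message says now runs even with no prior cookie sits in the elided middle of the function, so I could not verify whether it uses `==` or `subtle.ConstantTimeCompare`; if it is `==`, switching to the constant-time form is worth doing while here. A small doc comment above the literal would also help the next reader: `// Fresh token: Secure so it is never sent over plain HTTP; deliberately not HttpOnly because the client must echo it in the CSRF header.` CheckCSRF begins before and ends after the visible hunks.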