1
0
mirror of https://github.com/astaxie/beego.git synced 2024-12-22 10:40:49 +00:00

xsrf change to randstr and cookie set to security cookie

This commit is contained in:
astaxie 2013-09-25 23:05:47 +08:00
parent 2249d745d9
commit 93e1206d60
4 changed files with 138 additions and 9 deletions

View File

@ -67,7 +67,7 @@ func Run() {
}
if SessionOn {
GlobalSessions, _ = session.NewManager(SessionProvider, SessionName, SessionGCMaxLifetime, SessionSavePath)
GlobalSessions, _ = session.NewManager(SessionProvider, SessionName, SessionGCMaxLifetime, SessionSavePath, HttpTLS)
go GlobalSessions.GC()
}

View File

@ -304,21 +304,56 @@ func (c *Controller) IsAjax() bool {
return c.Ctx.Input.IsAjax()
}
func (c *Controller) GetSecureCookie(Secret, key string) (string, bool) {
val := c.Ctx.GetCookie(key)
if val == "" {
return "", false
}
parts := strings.SplitN(val, "|", 3)
vs := parts[0]
timestamp := parts[1]
sig := parts[2]
h := hmac.New(sha1.New, []byte(Secret))
fmt.Fprintf(h, "%s%s", vs, timestamp)
if fmt.Sprintf("%02x", h.Sum(nil)) != sig {
return "", false
}
ts, _ := strconv.ParseInt(timestamp, 0, 64)
buf := bytes.NewBufferString(val)
encoder := base64.NewDecoder(base64.StdEncoding, buf)
res, _ := ioutil.ReadAll(encoder)
return string(res), true
}
func (c *Controller) SetSecureCookie(Secret, name, val string, age int) {
vs := base64.URLEncoding.EncodeToString([]byte(val))
timestamp := strconv.FormatInt(time.Now().UnixNano(), 10)
h := hmac.New(sha1.New, []byte(Secret))
fmt.Fprintf(h, "%s%s", vs, timestamp)
sig := fmt.Sprintf("%02x", h.Sum(nil))
cookie := strings.Join([]string{vs, timestamp, sig}, "|")
c.Ctx.SetCookie(name, cookie, age, "/")
}
func (c *Controller) XsrfToken() string {
if c._xsrf_token == "" {
token := c.Ctx.GetCookie("_xsrf")
if token == "" {
h := hmac.New(sha1.New, []byte(XSRFKEY))
fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
token = base64.URLEncoding.EncodeToString([]byte(tok))
token, ok := c.GetSecureCookie(XSRFKEY, "_xsrf")
if !ok {
expire := 0
if c.XSRFExpire > 0 {
expire = c.XSRFExpire
} else {
expire = XSRFExpire
}
c.Ctx.SetCookie("_xsrf", token, expire, "/")
token = GetRandomString(15)
c.SetSecureCookie(XSRFKEY, "_xsrf", token, expire)
}
c._xsrf_token = token
}

View File

@ -1 +1,84 @@
package middleware
package middleware
//import (
// "github.com/astaxie/beego/config"
// "os"
// "path"
//)
//type Translation struct {
// filetype string
// CurrentLocal string
// Locales map[string]map[string]string
//}
//func NewLocale(filetype string) *Translation {
// return &Translation{
// filetype: filetype,
// CurrentLocal: "zh",
// Locales: make(map[string]map[string]string),
// }
//}
//func (t *Translation) loadTranslations(dirPath string) error {
// dir, err := os.Open(dirPath)
// if err != nil {
// return err
// }
// defer dir.Close()
// names, err := dir.Readdirnames(-1)
// if err != nil {
// return err
// }
// for _, name := range names {
// fullPath := path.Join(dirPath, name)
// fi, err := os.Stat(fullPath)
// if err != nil {
// return err
// }
// if fi.IsDir() {
// continue
// } else {
// if err := t.loadTranslation(fullPath, name); err != nil {
// return err
// }
// }
// }
// return nil
//}
//func (t *Translation) loadTranslation(fullPath, locale string) error {
// sourceKey2Trans, ok := t.Locales[locale]
// if !ok {
// sourceKey2Trans = make(map[string]string)
// t.Locales[locale] = sourceKey2Trans
// }
// for _, m := range trf.Messages {
// if m.Translation != "" {
// sourceKey2Trans[sourceKey(m.Source, m.Context)] = m.Translation
// }
// }
// return nil
//}
//func (t *Translation) SetLocale(local string) {
// t.CurrentLocal = local
//}
//func (t *Translation) Translate(key string) string {
// if ct, ok := t.Locales[t.CurrentLocal]; ok {
// if v, o := ct[key]; o {
// return v
// }
// }
// return key
//}

View File

@ -1,6 +1,7 @@
package beego
import (
"crypto/rand"
"fmt"
"html/template"
"net/url"
@ -362,3 +363,13 @@ func FileExists(path string) (bool, error) {
}
return false, err
}
func GetRandomString(n int) string {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
var bytes = make([]byte, n)
rand.Read(bytes)
for i, b := range bytes {
bytes[i] = alphanum[b%byte(len(alphanum))]
}
return string(bytes)
}