
fix #26 add xsrf function

This commit is contained in:
astaxie 2013-07-08 16:17:08 +08:00
parent f1e5059682
commit d2a16ff8f6
4 changed files with 65 additions and 7 deletions


@ -44,6 +44,7 @@ var (
EnbaleHotUpdate bool //enable HotUpdate default is false EnbaleHotUpdate bool //enable HotUpdate default is false
HttpServerTimeOut int64 HttpServerTimeOut int64
ErrorsShow bool ErrorsShow bool
XSRFKEY string
) )
func init() { func init() {
@ -72,6 +73,7 @@ func init() {
AppConfigPath = path.Join(AppPath, "conf", "app.conf") AppConfigPath = path.Join(AppPath, "conf", "app.conf")
HttpServerTimeOut = 0 HttpServerTimeOut = 0
ErrorsShow = true ErrorsShow = true
XSRFKEY = "beegoxsrf"
ParseConfig() ParseConfig()
} }
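Review bot: `XSRFKEY = "beegoxsrf"` ships a fixed HMAC key that every deployment shares unless `xsrfkey` is set in app.conf, so tokens derived from it are only as unpredictable as the other inputs fed to the HMAC elsewhere in this commit (remote address and a timestamp). The new field has no comment saying the built-in value is public and must be overridden; I would document it on the declaration: `XSRFKEY string // HMAC key for xsrf tokens; the built-in default is public, override it with xsrfkey in app.conf`. Consider also logging a warning from `init` or `ParseConfig` while the default remains in use, since nothing in this change signals the misconfiguration. The `var (` block and `init` both begin outside this hunk.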


@ -186,6 +186,9 @@ func ParseConfig() (err error) {
if errorsshow, err := AppConfig.Bool("errorsshow"); err == nil { if errorsshow, err := AppConfig.Bool("errorsshow"); err == nil {
ErrorsShow = errorsshow ErrorsShow = errorsshow
} }
if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" {
XSRFKEY = xsrfkey
}
} }
return nil return nil
} }
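Review bot: The `xsrfkey` lookup accepts any non-empty string as the HMAC key and silently keeps the package default when the key is absent, so a deployment that never sets it, or sets a trivially short one, runs without any signal. At minimum document the option where it is read: `// xsrfkey: secret used to HMAC xsrf tokens; keep it out of version control and long enough to resist guessing`. A length check with a startup warning (e.g. `if len(xsrfkey) < 16 { /* warn */ }`) would be a reasonable follow-up if a logger is available in this file; I cannot see one in the hunk. `ParseConfig` starts outside this hunk.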


@ -101,3 +101,11 @@ var cookieValueSanitizer = strings.NewReplacer("\n", " ", "\r", " ", ";", " ")
func sanitizeValue(v string) string { func sanitizeValue(v string) string {
return cookieValueSanitizer.Replace(v) return cookieValueSanitizer.Replace(v)
} }
func (ctx *Context) GetCookie(key string) string {
keycookie, err := ctx.Request.Cookie(key)
if err != nil {
return ""
}
return keycookie.Value
}
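Review bot: `GetCookie` collapses every error from `Request.Cookie`, `http.ErrNoCookie` as well as anything else, into `""`, which callers cannot distinguish from a cookie that is present but empty; that contract should be stated on the method: `// GetCookie returns the value of the named request cookie, or "" if it is absent or cannot be read.`. The value is returned exactly as the client sent it, with no decoding or validation (the `sanitizeValue` helper just above applies to outgoing values only), so the comment should also say callers must treat the result as untrusted input before echoing it anywhere.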


@ -4,9 +4,13 @@ import (
"bytes" "bytes"
"compress/gzip" "compress/gzip"
"compress/zlib" "compress/zlib"
"crypto/hmac"
"crypto/sha1"
"encoding/base64"
"encoding/json" "encoding/json"
"encoding/xml" "encoding/xml"
"errors" "errors"
"fmt"
"github.com/astaxie/beego/session" "github.com/astaxie/beego/session"
"html/template" "html/template"
"io" "io"
@ -18,6 +22,7 @@ import (
"path" "path"
"strconv" "strconv"
"strings" "strings"
"time"
) )
type Controller struct { type Controller struct {
@ -27,6 +32,7 @@ type Controller struct {
TplNames string TplNames string
Layout string Layout string
TplExt string TplExt string
_xsrf_token string
CruSession session.SessionStore CruSession session.SessionStore
} }
@ -331,3 +337,42 @@ func (c *Controller) DelSession(name interface{}) {
func (c *Controller) IsAjax() bool { func (c *Controller) IsAjax() bool {
return (c.Ctx.Request.Header.Get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest") return (c.Ctx.Request.Header.Get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest")
} }
func (c *Controller) XsrfToken() string {
if c._xsrf_token == "" {
token := c.Ctx.GetCookie("_xsrf")
if token == "" {
h := hmac.New(sha1.New, []byte(XSRFKEY))
fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
token := base64.URLEncoding.EncodeToString([]byte(tok))
c.Ctx.SetCookie("_xsrf", token)
}
c._xsrf_token = token
}
return c._xsrf_token
}
func (c *Controller) CheckXsrfCookie() bool {
token := c.GetString("_xsrf")
if token == "" {
token = c.Ctx.Request.Header.Get("X-Xsrftoken")
}
if token == "" {
token = c.Ctx.Request.Header.Get("X-Csrftoken")
}
if token == "" {
c.Ctx.Abort(403, "'_xsrf' argument missing from POST")
}
if c._xsrf_token != token {
c.Ctx.Abort(403, "XSRF cookie does not match POST argument")
}
return true
}
func (c *Controller) XsrfFormHtml() string {
return "<input type=\"hidden\" name=\"_xsrf\" value=\"" +
c._xsrf_token + "\"/>"
}
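Review bot: On a first visit `XsrfToken` leaves `c._xsrf_token` empty, because `token := base64.URLEncoding.EncodeToString([]byte(tok))` inside the `if token == ""` block declares a new variable that shadows the outer `token`, so the freshly generated value goes into the cookie but never into the field, and `XsrfFormHtml` then emits `value=""`. `CheckXsrfCookie` has the mirror problem: after either `c.Ctx.Abort(403, …)` it falls through to `return true` unless Abort panics (Abort's body is not part of this commit), and its comparison uses `c._xsrf_token`, which is only populated if `XsrfToken()` happened to run earlier in the same request, and is a plain `!=` rather than a constant-time compare. The cookie value read at `c.Ctx.GetCookie("_xsrf")` is also accepted verbatim from the client and later pasted into markup by `XsrfFormHtml`, so anything that is not the URL-safe base64 this code produces should be rejected before it is stored. The rewrite below assigns instead of shadowing, validates the cookie as base64, fails closed with `return false`, and compares via `hmac.Equal` (crypto/hmac is already imported; Go 1.1+). Separately, the token itself is only an HMAC over the remote address and a timestamp under a shared default key rather than output of `crypto/rand`, and `SetCookie("_xsrf", token)` is called with no HttpOnly or Secure attributes that I can see — worth a follow-up.
```go
func (c *Controller) XsrfToken() string {
	if c._xsrf_token == "" {
		token := c.Ctx.GetCookie("_xsrf")
		// Accept only values this code could have issued (URL-safe base64); anything
		// else is discarded and replaced, so the value XsrfFormHtml echoes is always safe.
		if _, err := base64.URLEncoding.DecodeString(token); token == "" || err != nil {
			// … unchanged: HMAC derivation of tok …
			token = base64.URLEncoding.EncodeToString([]byte(tok)) // assign; ':=' shadowed the outer token
			c.Ctx.SetCookie("_xsrf", token)
		}
		c._xsrf_token = token
	}
	return c._xsrf_token
}

func (c *Controller) CheckXsrfCookie() bool {
	// … unchanged: read token from the _xsrf form value, X-Xsrftoken, X-Csrftoken …
	if token == "" {
		c.Ctx.Abort(403, "'_xsrf' argument missing from POST")
		return false
	}
	// XsrfToken() reads the cookie itself, so the check no longer depends on the
	// template helper having run first; hmac.Equal avoids a timing side channel.
	if !hmac.Equal([]byte(c.XsrfToken()), []byte(token)) {
		c.Ctx.Abort(403, "XSRF cookie does not match POST argument")
		return false
	}
	return true
}
```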