1
0
mirror of https://github.com/astaxie/beego.git synced 2024-11-25 17:10:54 +00:00

fix #26 add xsrf function

This commit is contained in:
astaxie 2013-07-08 16:17:08 +08:00
parent f1e5059682
commit d2a16ff8f6
4 changed files with 65 additions and 7 deletions

View File

@ -44,6 +44,7 @@ var (
EnbaleHotUpdate bool //enable HotUpdate default is false
HttpServerTimeOut int64
ErrorsShow bool
XSRFKEY string
)
func init() {
@ -72,6 +73,7 @@ func init() {
AppConfigPath = path.Join(AppPath, "conf", "app.conf")
HttpServerTimeOut = 0
ErrorsShow = true
XSRFKEY = "beegoxsrf"
ParseConfig()
}

View File

@ -186,6 +186,9 @@ func ParseConfig() (err error) {
if errorsshow, err := AppConfig.Bool("errorsshow"); err == nil {
ErrorsShow = errorsshow
}
if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" {
XSRFKEY = xsrfkey
}
}
return nil
}

View File

@ -101,3 +101,11 @@ var cookieValueSanitizer = strings.NewReplacer("\n", " ", "\r", " ", ";", " ")
func sanitizeValue(v string) string {
return cookieValueSanitizer.Replace(v)
}
func (ctx *Context) GetCookie(key string) string {
keycookie, err := ctx.Request.Cookie(key)
if err != nil {
return ""
}
return keycookie.Value
}

View File

@ -4,9 +4,13 @@ import (
"bytes"
"compress/gzip"
"compress/zlib"
"crypto/hmac"
"crypto/sha1"
"encoding/base64"
"encoding/json"
"encoding/xml"
"errors"
"fmt"
"github.com/astaxie/beego/session"
"html/template"
"io"
@ -18,6 +22,7 @@ import (
"path"
"strconv"
"strings"
"time"
)
type Controller struct {
@ -27,6 +32,7 @@ type Controller struct {
TplNames string
Layout string
TplExt string
_xsrf_token string
CruSession session.SessionStore
}
@ -331,3 +337,42 @@ func (c *Controller) DelSession(name interface{}) {
func (c *Controller) IsAjax() bool {
return (c.Ctx.Request.Header.Get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest")
}
func (c *Controller) XsrfToken() string {
if c._xsrf_token == "" {
token := c.Ctx.GetCookie("_xsrf")
if token == "" {
h := hmac.New(sha1.New, []byte(XSRFKEY))
fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
token := base64.URLEncoding.EncodeToString([]byte(tok))
c.Ctx.SetCookie("_xsrf", token)
}
c._xsrf_token = token
}
return c._xsrf_token
}
func (c *Controller) CheckXsrfCookie() bool {
token := c.GetString("_xsrf")
if token == "" {
token = c.Ctx.Request.Header.Get("X-Xsrftoken")
}
if token == "" {
token = c.Ctx.Request.Header.Get("X-Csrftoken")
}
if token == "" {
c.Ctx.Abort(403, "'_xsrf' argument missing from POST")
}
if c._xsrf_token != token {
c.Ctx.Abort(403, "XSRF cookie does not match POST argument")
}
return true
}
func (c *Controller) XsrfFormHtml() string {
return "<input type=\"hidden\" name=\"_xsrf\" value=\"" +
c._xsrf_token + "\"/>"
}