1
0
mirror of https://github.com/astaxie/beego.git synced 2024-12-23 03:20:50 +00:00

EnableXSRF

This commit is contained in:
astaxie 2013-08-06 23:21:52 +08:00
parent 2fa534ff26
commit f9a31ea00a
4 changed files with 27 additions and 3 deletions

View File

@ -45,7 +45,8 @@ var (
HttpServerTimeOut int64 //set httpserver timeout
ErrorsShow bool //set weather show errors
XSRFKEY string //set XSRF
CopyRequestBody bool //When in raw application, You want to the reqeustbody
EnableXSRF bool
CopyRequestBody bool //When in raw application, You want to the reqeustbody
)
func init() {

View File

@ -192,6 +192,9 @@ func ParseConfig() (err error) {
if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" {
XSRFKEY = xsrfkey
}
if enablexsrf, err := AppConfig.Bool("enablexsrf"); err == nil {
EnableXSRF = enablexsrf
}
}
return nil
}

View File

@ -352,7 +352,7 @@ func (c *Controller) XsrfToken() string {
h := hmac.New(sha1.New, []byte(XSRFKEY))
fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
token := base64.URLEncoding.EncodeToString([]byte(tok))
token = base64.URLEncoding.EncodeToString([]byte(tok))
c.Ctx.SetCookie("_xsrf", token)
}
c._xsrf_token = token
@ -362,7 +362,6 @@ func (c *Controller) XsrfToken() string {
func (c *Controller) CheckXsrfCookie() bool {
token := c.GetString("_xsrf")
if token == "" {
token = c.Ctx.Request.Header.Get("X-Xsrftoken")
}

View File

@ -452,6 +452,17 @@ func (p *ControllerRegistor) ServeHTTP(rw http.ResponseWriter, r *http.Request)
method := vc.MethodByName("Prepare")
method.Call(in)
//if XSRF is Enable then check cookie where there has any cookie in the request's cookie _csrf
if EnableXSRF {
method = vc.MethodByName("XsrfToken")
method.Call(in)
if r.Method == "POST" || r.Method == "DELETE" || r.Method == "PUT" ||
(r.Method == "POST" && (r.Form.Get("_method") == "delete" || r.Form.Get("_method") == "put")) {
method = vc.MethodByName("CheckXsrfCookie")
method.Call(in)
}
}
//if response has written,yes don't run next
if !w.started {
if r.Method == "GET" {
@ -581,6 +592,16 @@ func (p *ControllerRegistor) ServeHTTP(rw http.ResponseWriter, r *http.Request)
method.Call(in)
method = vc.MethodByName(mName)
method.Call(in)
//if XSRF is Enable then check cookie where there has any cookie in the request's cookie _csrf
if EnableXSRF {
method = vc.MethodByName("XsrfToken")
method.Call(in)
if r.Method == "POST" || r.Method == "DELETE" || r.Method == "PUT" ||
(r.Method == "POST" && (r.Form.Get("_method") == "delete" || r.Form.Get("_method") == "put")) {
method = vc.MethodByName("CheckXsrfCookie")
method.Call(in)
}
}
if !w.started {
if AutoRender {
method = vc.MethodByName("Render")