mirror of https://github.com/astaxie/beego.git synced 2024-11-26 04:01:29 +00:00

EnableXSRF

astaxie 2013-08-06 23:21:52 +08:00
parent 2fa534ff26
commit f9a31ea00a
4 changed files with 27 additions and 3 deletions


@ -45,6 +45,7 @@ var (
HttpServerTimeOut int64 //set httpserver timeout HttpServerTimeOut int64 //set httpserver timeout
ErrorsShow bool //set weather show errors ErrorsShow bool //set weather show errors
XSRFKEY string //set XSRF XSRFKEY string //set XSRF
EnableXSRF bool
CopyRequestBody bool //When in raw application, You want to the reqeustbody CopyRequestBody bool //When in raw application, You want to the reqeustbody
) )
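Review bot: `EnableXSRF` is added to the var block without the trailing comment its neighbours carry, and nothing here tells a reader what state it starts in. I would write it as `EnableXSRF bool //enable XSRF token check on POST, PUT and DELETE requests, off unless set`, so it is clear the protection is opt-in. The default is inferred from the bare declaration; if an initialiser elsewhere assigns it, the comment should say that instead.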


@ -192,6 +192,9 @@ func ParseConfig() (err error) {
if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" { if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" {
XSRFKEY = xsrfkey XSRFKEY = xsrfkey
} }
if enablexsrf, err := AppConfig.Bool("enablexsrf"); err == nil {
EnableXSRF = enablexsrf
}
} }
return nil return nil
} }
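Review bot: A malformed `enablexsrf` value is dropped silently by the added `if`, because the assignment only runs when `err == nil`; a typo in the config file therefore leaves the XSRF check off with no signal to the operator. The `err` declared in the `if` initialiser also shadows the named result `err`, so the parse failure can never reach the caller. Whether `AppConfig.Bool` also returns an error for a missing key is not visible here, so the smallest safe change is an `else` branch that logs the error when the key is present but unparsable, rather than returning it unconditionally. ParseConfig starts above the hunk.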


@ -352,7 +352,7 @@ func (c *Controller) XsrfToken() string {
h := hmac.New(sha1.New, []byte(XSRFKEY)) h := hmac.New(sha1.New, []byte(XSRFKEY))
fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano()) fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano()) tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
token := base64.URLEncoding.EncodeToString([]byte(tok)) token = base64.URLEncoding.EncodeToString([]byte(tok))
c.Ctx.SetCookie("_xsrf", token) c.Ctx.SetCookie("_xsrf", token)
} }
c._xsrf_token = token c._xsrf_token = token
@ -362,7 +362,6 @@ func (c *Controller) XsrfToken() string {
func (c *Controller) CheckXsrfCookie() bool { func (c *Controller) CheckXsrfCookie() bool {
token := c.GetString("_xsrf") token := c.GetString("_xsrf")
if token == "" { if token == "" {
token = c.Ctx.Request.Header.Get("X-Xsrftoken") token = c.Ctx.Request.Header.Get("X-Xsrftoken")
} }
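Review bot: The token built in `XsrfToken` is only as unpredictable as `XSRFKEY`, because the HMAC input on the `fmt.Fprintf(h, ...)` line is the client's `RemoteAddr` plus a nanosecond timestamp, and a timestamp taken moments later is appended unprotected on the `tok :=` line. If `XSRFKEY` is empty or left at a shipped default (its initial value is not visible on this page), the value can be recomputed by a third party; filling the token from `crypto/rand` would remove that dependency, and startup could refuse `EnableXSRF` with an empty key. Separately, `%s` applied to `h.Sum(nil)` writes raw digest bytes into the string, where `%x` would keep the pre-encoding value printable. Both `XsrfToken` and `CheckXsrfCookie` begin or end outside the hunks shown.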


@ -452,6 +452,17 @@ func (p *ControllerRegistor) ServeHTTP(rw http.ResponseWriter, r *http.Request)
method := vc.MethodByName("Prepare") method := vc.MethodByName("Prepare")
method.Call(in) method.Call(in)
//if XSRF is Enable then check cookie where there has any cookie in the request's cookie _csrf
if EnableXSRF {
method = vc.MethodByName("XsrfToken")
method.Call(in)
if r.Method == "POST" || r.Method == "DELETE" || r.Method == "PUT" ||
(r.Method == "POST" && (r.Form.Get("_method") == "delete" || r.Form.Get("_method") == "put")) {
method = vc.MethodByName("CheckXsrfCookie")
method.Call(in)
}
}
//if response has written,yes don't run next //if response has written,yes don't run next
if !w.started { if !w.started {
if r.Method == "GET" { if r.Method == "GET" {
@ -581,6 +592,16 @@ func (p *ControllerRegistor) ServeHTTP(rw http.ResponseWriter, r *http.Request)
method.Call(in) method.Call(in)
method = vc.MethodByName(mName) method = vc.MethodByName(mName)
method.Call(in) method.Call(in)
//if XSRF is Enable then check cookie where there has any cookie in the request's cookie _csrf
if EnableXSRF {
method = vc.MethodByName("XsrfToken")
method.Call(in)
if r.Method == "POST" || r.Method == "DELETE" || r.Method == "PUT" ||
(r.Method == "POST" && (r.Form.Get("_method") == "delete" || r.Form.Get("_method") == "put")) {
method = vc.MethodByName("CheckXsrfCookie")
method.Call(in)
}
}
if !w.started { if !w.started {
if AutoRender { if AutoRender {
method = vc.MethodByName("Render") method = vc.MethodByName("Render")
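Review bot: In the second hunk (new line 592 onward) the `if EnableXSRF {` block is placed after `method = vc.MethodByName(mName)` and its `method.Call(in)`, so on that routing path the action has already executed before `CheckXsrfCookie` runs; the block should sit ahead of the `mName` call, matching the first hunk, where it precedes the handler dispatch. In both hunks the result of `method.Call(in)` for `CheckXsrfCookie` is discarded, so rejection depends on that method ending the response itself (its body is not shown); if it only returns false, something like `if ret := method.Call(in); !ret[0].Bool() { return }` or an equivalent abort is needed. The parenthesised `_method` clause is redundant because `r.Method == "POST"` already matches, and `PATCH` is not covered by the condition. ServeHTTP begins and ends outside both hunks.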