From b4f47a762338abe6ce3a6e3d6d0896b8a387228d Mon Sep 17 00:00:00 2001 From: Unknwon Date: Sat, 12 Mar 2016 20:56:03 -0500 Subject: [PATCH] #1891 attempt to fix invalid csrf token --- README.md | 2 +- cmd/web.go | 5 +++-- glide.lock | 4 ++-- gogs.go | 2 +- modules/setting/setting.go | 3 ++- routers/user/auth.go | 6 ++++++ templates/.VERSION | 2 +- 7 files changed, 16 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index c12d55e39c..1bd7fcb37d 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true) -##### Current version: 0.9.7 +##### Current version: 0.9.8 | Web | UI | Preview | |:-------------:|:-------:|:-------:| diff --git a/cmd/web.go b/cmd/web.go index 97bb03213b..3a63d0845d 100644 --- a/cmd/web.go +++ b/cmd/web.go @@ -81,12 +81,12 @@ func checkVersion() { {"github.com/go-xorm/xorm", func() string { return xorm.Version }, "0.5.2.0304"}, {"github.com/go-macaron/binding", binding.Version, "0.2.1"}, {"github.com/go-macaron/cache", cache.Version, "0.1.2"}, - {"github.com/go-macaron/csrf", csrf.Version, "0.0.5"}, + {"github.com/go-macaron/csrf", csrf.Version, "0.1.0"}, {"github.com/go-macaron/i18n", i18n.Version, "0.2.0"}, {"github.com/go-macaron/session", session.Version, "0.1.6"}, {"github.com/go-macaron/toolbox", toolbox.Version, "0.1.0"}, {"gopkg.in/ini.v1", ini.Version, "1.8.4"}, - {"gopkg.in/macaron.v1", macaron.Version, "1.1.1"}, + {"gopkg.in/macaron.v1", macaron.Version, "1.1.2"}, {"github.com/gogits/git-module", git.Version, "0.2.9"}, {"github.com/gogits/go-gogs-client", gogs.Version, "0.7.3"}, } @@ -158,6 +158,7 @@ func newMacaron() *macaron.Macaron { m.Use(session.Sessioner(setting.SessionConfig)) m.Use(csrf.Csrfer(csrf.Options{ Secret: setting.SecretKey, + Cookie: setting.CSRFCookieName, SetCookie: true, Header: "X-Csrf-Token", CookiePath: setting.AppSubUrl, diff --git a/glide.lock b/glide.lock index 87d0af2a5f..7b0b9310eb 100644 --- a/glide.lock +++ b/glide.lock @@ -17,7 +17,7 @@ imports: - name: github.com/go-macaron/captcha version: 8aa5919789ab301e865595eb4b1114d6b9847deb - name: github.com/go-macaron/csrf - version: 546646cf80d2feabea4e4098d2d824d5582f3416 + version: 6a9a7df172cc1fcd81e4585f44b09200b6087cc0 - name: github.com/go-macaron/gzip version: cad1c6580a07c56f5f6bc52d66002a05985c5854 - name: github.com/go-macaron/i18n @@ -127,7 +127,7 @@ imports: - name: gopkg.in/ldap.v2 version: 07a7330929b9ee80495c88a4439657d89c7dbd87 - name: gopkg.in/macaron.v1 - version: 7c9e5e5b8c1176ce95a6f41b4e1cd60a44f8839d + version: 53b60f3c7d9e575050852ada71ec2953e8d685ad - name: gopkg.in/redis.v2 version: e6179049628164864e6e84e973cfb56335748dea devImports: [] diff --git a/gogs.go b/gogs.go index 2c3ade5430..062fa29bcd 100644 --- a/gogs.go +++ b/gogs.go @@ -17,7 +17,7 @@ import ( "github.com/gogits/gogs/modules/setting" ) -const APP_VER = "0.9.7.0312" +const APP_VER = "0.9.8.0312" func init() { runtime.GOMAXPROCS(runtime.NumCPU()) diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 5d117be41f..2fbc1f2cdc 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -156,7 +156,8 @@ var ( CacheConn string // Session settings - SessionConfig session.Options + SessionConfig session.Options + CSRFCookieName = "_csrf" // Git settings Git struct { diff --git a/routers/user/auth.go b/routers/user/auth.go index 3af87c5844..646b878396 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -63,6 +63,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) { isSucceed = true ctx.Session.Set("uid", u.Id) ctx.Session.Set("uname", u.Name) + ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl) return true, nil } @@ -116,6 +117,10 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) { ctx.Session.Set("uid", u.Id) ctx.Session.Set("uname", u.Name) + + // Clear whatever CSRF has right now, force to generate a new one + ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl) + if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) ctx.Redirect(redirectTo) @@ -133,6 +138,7 @@ func SignOut(ctx *context.Context) { ctx.Session.Delete("socialEmail") ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl) ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl) + ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl) ctx.Redirect(setting.AppSubUrl + "/") } diff --git a/templates/.VERSION b/templates/.VERSION index c378d4dd2d..bde4be41bf 100644 --- a/templates/.VERSION +++ b/templates/.VERSION @@ -1 +1 @@ -0.9.7.0312 \ No newline at end of file +0.9.8.0312 \ No newline at end of file