Support secure cookie for csrf-token (#3839)

* dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix issue of csrf-token security. This update includes following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com> * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
7 years ago · ee878e3951
3 changed files with 21 additions and 8 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -254,9 +254,10 @@
  revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"

 [[projects]]
+  branch = "master"
  name = "github.com/go-macaron/csrf"
  packages = ["."]
-  revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
+  revision = "503617c6b37257a55dff6293ec28556506c3a9a8"

 [[projects]]
  branch = "master"
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
 		Secret:     setting.SecretKey,
 		Cookie:     setting.CSRFCookieName,
 		SetCookie:  true,
+		Secure:     setting.SessionConfig.Secure,
 		Header:     "X-Csrf-Token",
 		CookiePath: setting.AppSubURL,
 	}))
--- a/vendor/github.com/go-macaron/csrf/csrf.go
+++ b/vendor/github.com/go-macaron/csrf/csrf.go
@ -41,6 +41,8 @@ type CSRF interface {
 	GetCookieName() string
 	// Return cookie path
 	GetCookiePath() string
+	// Return the flag value used for the csrf token.
+	GetCookieHttpOnly() bool
 	// Return the token.
 	GetToken() string
 	// Validate by token.
@ -58,6 +60,8 @@ type csrf struct {
 	Cookie string
 	//Cookie path
 	CookiePath string
+	// Cookie HttpOnly flag value used for the csrf token.
+	CookieHttpOnly bool
 	// Token generated to pass via header, cookie, or hidden form value.
 	Token string
 	// This value must be unique per user.
@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
 	return c.CookiePath
 }

+// GetCookieHttpOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHttpOnly() bool {
+	return c.CookieHttpOnly
+}
+
 // GetToken returns the current token. This is typically used
 // to populate a hidden form in an HTML template.
 func (c *csrf) GetToken() string {
@ -116,6 +125,7 @@ type Options struct {
 	Cookie string
 	// Cookie path.
 	CookiePath string
+	CookieHttpOnly bool
 	// Key used for getting the unique ID per user.
 	SessionKey string
 	// oldSeesionKey saves old value corresponding to SessionKey.
@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
 	opt := prepareOptions(options)
 	return func(ctx *macaron.Context, sess session.Store) {
 		x := &csrf{
-			Secret:     opt.Secret,
-			Header:     opt.Header,
-			Form:       opt.Form,
-			Cookie:     opt.Cookie,
-			CookiePath: opt.CookiePath,
-			ErrorFunc:  opt.ErrorFunc,
+			Secret:         opt.Secret,
+			Header:         opt.Header,
+			Form:           opt.Form,
+			Cookie:         opt.Cookie,
+			CookiePath:     opt.CookiePath,
+			CookieHttpOnly: opt.CookieHttpOnly,
+			ErrorFunc:      opt.ErrorFunc,
 		}
 		ctx.MapTo(x, (*CSRF)(nil))

@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
 			// FIXME: actionId.
 			x.Token = GenerateToken(x.Secret, x.ID, "POST")
 			if opt.SetCookie {
-				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
+				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
 			}
 		}