Support secure cookie for csrf-token (#3839)

* dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix issue of csrf-token security. This update includes following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com> * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
2025-10-29 10:57:44 +09:00 · 2018-05-22 02:09:48 +03:00
parent 31067c0a89
commit ee878e3951
3 changed files with 21 additions and 8 deletions
--- a/vendor/github.com/go-macaron/csrf/csrf.go
+++ b/vendor/github.com/go-macaron/csrf/csrf.go
@@ -41,6 +41,8 @@ type CSRF interface {
 	GetCookieName() string
 	// Return cookie path
 	GetCookiePath() string
+	// Return the flag value used for the csrf token.
+	GetCookieHttpOnly() bool
 	// Return the token.
 	GetToken() string
 	// Validate by token.
@@ -58,6 +60,8 @@ type csrf struct {
 	Cookie string
 	//Cookie path
 	CookiePath string
+	// Cookie HttpOnly flag value used for the csrf token.
+	CookieHttpOnly bool
 	// Token generated to pass via header, cookie, or hidden form value.
 	Token string
 	// This value must be unique per user.
@@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
 	return c.CookiePath
 }

+// GetCookieHttpOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHttpOnly() bool {
+	return c.CookieHttpOnly
+}
+
 // GetToken returns the current token. This is typically used
 // to populate a hidden form in an HTML template.
 func (c *csrf) GetToken() string {
@@ -116,6 +125,7 @@ type Options struct {
 	Cookie string
 	// Cookie path.
 	CookiePath string
+	CookieHttpOnly bool
 	// Key used for getting the unique ID per user.
 	SessionKey string
 	// oldSeesionKey saves old value corresponding to SessionKey.
@@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
 	opt := prepareOptions(options)
 	return func(ctx *macaron.Context, sess session.Store) {
 		x := &csrf{
-			Secret:     opt.Secret,
-			Header:     opt.Header,
-			Form:       opt.Form,
-			Cookie:     opt.Cookie,
-			CookiePath: opt.CookiePath,
-			ErrorFunc:  opt.ErrorFunc,
+			Secret:         opt.Secret,
+			Header:         opt.Header,
+			Form:           opt.Form,
+			Cookie:         opt.Cookie,
+			CookiePath:     opt.CookiePath,
+			CookieHttpOnly: opt.CookieHttpOnly,
+			ErrorFunc:      opt.ErrorFunc,
 		}
 		ctx.MapTo(x, (*CSRF)(nil))

@@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
 			// FIXME: actionId.
 			x.Token = GenerateToken(x.Secret, x.ID, "POST")
 			if opt.SetCookie {
-				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
+				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
 			}
 		}