13
3
Fork 0
Wiki Issues 89 resources competences Projects 8 Code Pull Requests Releases Activity
Browse Source

Redirect on bad CSRF instead of presenting bad page (#14937) (#16378) 

The current CSRF handler is a bit harsh with bad CSRF tokens on webpages
I think we can be a little kinder and redirect to base page with a flash error

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: zeripath <art27@cantab.net>
tags/v1.14.5
6543 4 years ago committed by GitHub
parent
6e5fd5c584
commit
ac0f452b30
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      integrations/repo_branch_test.go
  2. 23
      modules/context/csrf.go
  3. 2
      options/locale/locale_en-US.ini

11
integrations/repo_branch_test.go
Unescape View File

@ -11,6 +11,7 @@ import (
"strings"
"testing"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/test"
"github.com/stretchr/testify/assert"
@ -134,5 +135,13 @@ func TestCreateBranchInvalidCSRF(t *testing.T) {
"_csrf": "fake_csrf",
"new_branch_name": "test",
})
session.MakeRequest(t, req, http.StatusBadRequest)
resp := session.MakeRequest(t, req, http.StatusFound)
loc := resp.Header().Get("Location")
assert.Equal(t, setting.AppSubURL+"/", loc)
resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
assert.Equal(t,
"Bad Request: Invalid CSRF token",
strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),
)
}

23
modules/context/csrf.go
Unescape View File

@ -22,6 +22,7 @@ import (
"net/http"
"time"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
"github.com/unknwon/com"
@ -266,7 +267,12 @@ func Validate(ctx *Context, x CSRF) {
-1,
x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
x.Error(ctx.Resp)
if middleware.IsAPIPath(ctx.Req) {
x.Error(ctx.Resp)
return
}
ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
}
return
}
@ -277,10 +283,19 @@ func Validate(ctx *Context, x CSRF) {
-1,
x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
x.Error(ctx.Resp)
if middleware.IsAPIPath(ctx.Req) {
x.Error(ctx.Resp)
return
}
ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
}
return
}
http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
if middleware.IsAPIPath(ctx.Req) {
http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
return
}
ctx.Flash.Error(ctx.Tr("error.missing_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
}

2
options/locale/locale_en-US.ini
Unescape View File

@ -96,6 +96,8 @@ error404 = The page you are trying to reach either <strong>does not exist</stron
[error]
occurred = An error has occurred
report_message = If you are sure this is a Gitea bug, please search for issue on <a href="https://github.com/go-gitea/gitea/issues">GitHub</a> and open new issue if necessary.
missing_csrf = Bad Request: no CSRF token present
invalid_csrf = Bad Request: Invalid CSRF token
[startpage]
app_desc = A painless, self-hosted Git service

Write Preview
Loading…
Cancel
Save