Documentation ¶
Overview ¶
Package csrf is a synchronizer Token Pattern implementation.
See [OWASP] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Package csrf is a synchronizer Token Pattern implementation.
Management of routes exempted from CSRF checks.
Generation of tokens.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var CSRFFilter = func(c *revel.Controller, fc []revel.Filter) { r := c.Request tokenCookie, found := c.Session[cookieName] realToken := "" if !found { realToken = generateNewToken(c) } else { realToken = tokenCookie.(string) if len(realToken) != lengthCSRFToken { revel.AppLog.Debugf("REVEL_CSRF: Bad token length: found %d, expected %d", len(realToken), lengthCSRFToken) realToken = generateNewToken(c) } } c.ViewArgs[fieldName] = realToken unsafeMethod := !safeMethods.MatchString(r.Method) if unsafeMethod && !IsExempted(r.URL.Path) { revel.AppLog.Infof("REVEL-CSRF: Processing unsafe '%s' method...", r.Method) if r.URL.Scheme == "https" { referer, err := url.Parse(r.Header.Get("Referer")) if err != nil || referer.String() == "" { c.Result = c.Forbidden(errNoReferer) return } if !sameOrigin(referer, r.URL) { c.Result = c.Forbidden(errBadReferer) return } } sentToken := "" if ajaxSupport := revel.Config.BoolDefault("csrf.ajax", false); ajaxSupport { sentToken = r.Header.Get(headerName) } if sentToken == "" { sentToken = c.Params.Get(fieldName) } revel.AppLog.Debugf("REVEL-CSRF: Token received from client: '%s'", sentToken) if len(sentToken) != len(realToken) { c.Result = c.Forbidden(errBadToken) return } comparison := subtle.ConstantTimeCompare([]byte(sentToken), []byte(realToken)) if comparison != 1 { c.Result = c.Forbidden(errBadToken) return } revel.AppLog.Debugf("REVEL-CSRF: Token successfully checked.") } fc[0](c, fc[1:]) }
CSRFFilter implements the CSRF filter.
Functions ¶
func ExemptedFullPath ¶
func ExemptedFullPath(path string)
ExemptedFullPath exempts one exact path from CSRF checks.
func ExemptedFullPaths ¶
func ExemptedFullPaths(paths ...string)
ExemptedFullPath exempts exact paths from CSRF checks.
func ExemptedGlob ¶
func ExemptedGlob(path string)
ExemptedGlob exempts one path from CSRF checks using pattern matching. See http://golang.org/pkg/path/#Match
func ExemptedGlobs ¶
func ExemptedGlobs(paths ...string)
ExemptedGlobs exempts paths from CSRF checks using pattern matching.
func IsExempted ¶
IsExempted checks whether given path is exempt from CSRF checks or not.
Types ¶
This section is empty.