Exemplo n.º 1
0
func (x *Xsrf) VerifyFor(req zerver.Request) bool {
	m := req.ReqMethod()
	if !x.FilterGet && (m == zerver.METHOD_GET || m == zerver.METHOD_HEAD || m == zerver.METHOD_OPTIONS) {
		return true
	}

	token := req.GetHeader(_HEADER_XSRFTOKEN)
	if token == "" {
		token = req.GetHeader(_HEADER_CSRFTOKEN)
		if token == "" {
			token = req.Vars().QueryVar(_XSRF_PARAM_NAME)
			if token == "" {
				return false
			}
		}
	}

	data := x.verify(unsafe2.Bytes(token))
	if data != nil {
		x.Pool.Put(data)
		t, ip := x.TokenInfo.Unmarshal(data)
		return t != -1 &&
			t+x.Timeout >= time2.Now().Unix() &&
			ip == http2.IpOfAddr(req.RemoteAddr())
	}

	return false
}
Exemplo n.º 2
0
func (ri *RequestId) Filter(req zerver.Request, resp zerver.Response, chain zerver.FilterChain) {
	if req.ReqMethod() == zerver.METHOD_GET {
		chain(req, resp)
		return
	}

	reqId := req.GetHeader(ri.HeaderName)
	if reqId == "" {
		if ri.PassingOnNoId {
			chain(req, resp)
		} else {
			resp.StatusCode(http.StatusBadRequest)
		}
	} else {
		ip := http2.IpOfAddr(req.RemoteAddr())
		id := ip + ":" + reqId
		if err := ri.Store.Save(id); err == ErrRequestIDExist {
			resp.StatusCode(http.StatusForbidden)
		} else if err != nil {
			ri.log.Warn(log.M{"msg": "save request id failed", "err": err.Error()})
		} else {
			chain(req, resp)
			ri.Store.Remove(id)
		}
	}
}
Exemplo n.º 3
0
func (x *Xsrf) CreateFor(req zerver.Request) ([]byte, error) {
	bs, err := x.TokenInfo.Marshal(time2.Now().Unix(), http2.IpOfAddr(req.RemoteAddr()))
	if err == nil {
		return x.sign(bs), nil
	}

	return nil, err
}