From ee7e5ab6a895caad50c746a7ecc0e67ceac78af0 Mon Sep 17 00:00:00 2001
From: zh199225
Date: Thu, 19 Aug 2021 13:08:29 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=EF=BC=9AXSRFToken?=
 =?UTF-8?q?=E5=87=BD=E6=95=B0=E5=9C=A8=E7=89=B9=E5=AE=9A=E6=83=85=E5=86=B5?=
 =?UTF-8?q?=E4=B8=8B=E4=BC=9A=E4=BA=A7=E7=94=9F=E5=A4=9A=E4=B8=AA=E4=B8=8D?=
 =?UTF-8?q?=E5=90=8CPath=E7=9A=84=5Fxsrf=E5=90=8C=E5=90=8Dcookie?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

例如:访问”/login“页面,有个表单,此时会产生一个_xsrf cookie,Path为”/“,此时手动删除_xsrf cookie,Post提交到“/test/post”,会报错expected XSRF not found;后退到”/login“页面,会产生一个Path为”/login“的_xsrf cookie,然后访问"/"根页面,再回到"/login"页面,这时会产生两个_xsrf cookie,Path分别为"/"和”/login",再向"/test/post"页面提交,后端就可能读到错误的_xsrf cookie造成XSRF验证失败。
在XSRFToken函数中,将SetSecureCookie函数中的Path参数固定为"/",可以解决这个问题

---
 server/web/context/context.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/web/context/context.go b/server/web/context/context.go
index f55112c8..42cc4035 100644
--- a/server/web/context/context.go
+++ b/server/web/context/context.go
@@ -270,7 +270,7 @@ func (ctx *Context) XSRFToken(key string, expire int64) string {
 if !ok {
 token = string(utils.RandomCreateBytes(32))
 // TODO make it configurable
- ctx.SetSecureCookie(key, "_xsrf", token, expire, "", "")
+ ctx.SetSecureCookie(key, "_xsrf", token, expire, "/", "")
 }
 ctx._xsrfToken = token
 }

From 414862a94ccf0a4ca0317700861ab49b526d1e26 Mon Sep 17 00:00:00 2001
From: zh199225
Date: Thu, 19 Aug 2021 20:34:32 +0800
Subject: [PATCH 2/2] Update CHANGELOG.md

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a95edd50..857e20bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
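Review bot: Pinning Path to "/" stops this function from minting path-scoped duplicates, but a client that already holds an `_xsrf` cookie with a narrower path from the old code keeps sending it, and browsers list longer-path cookies before shorter ones (RFC 6265 §5.4), so the stale cookie would presumably still be the one read for requests under that path until it expires; a comment on the `SetSecureCookie` line would keep the next reader from reopening this: `// Path is pinned to "/" so one _xsrf cookie covers every route; per-path copies shadow each other (#4736). Cookie path is not a security boundary, so widening it does not weaken the CSRF check.` Widening the path also means beego apps mounted under different prefixes on the same host now share a single cookie name while each validates it with its own `key`, so they would overwrite each other's token on every request; if that layout is meant to be supported, the adjacent `// TODO make it configurable` is the place to expose the path instead of hard-coding it. Since this 32-byte value is the entire CSRF secret, it is worth confirming that `utils.RandomCreateBytes` draws from crypto/rand rather than a time-seeded generator, which cannot be verified from the hunk. XSRFToken's body begins before this hunk; the lookup that sets `ok` is outside it.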
@@ -57,6 +57,7 @@ - Add comments to `web.Config`, rename `RouterXXX` to `CtrlXXX`, define `HandleFunc` [4714](https://github.com/beego/beego/pull/4714) - Refactor: Move `BindXXX` and `XXXResp` methods to `context.Context`. [4718](https://github.com/beego/beego/pull/4718) - fix bug:reflect.ValueOf(nil) in getFlatParams [4715](https://github.com/beego/beego/pull/4715) +- Fix 4736: set a fixed value "/" to the "Path" of "_xsrf" cookie. [4736](https://github.com/beego/beego/issues/4735) ## Fix Sonar