From 4a228697cdc213b46ef3755c653bb7e9967248ae Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Sat, 21 May 2016 13:48:55 +0000
Subject: [PATCH] cmd/syncthing: Enforce stricter CSRF policy on /rest GET requests
GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3137
---
 cmd/syncthing/gui.go | 4 ----
 cmd/syncthing/gui_csrf.go | 15 ++-------------
 2 files changed, 2 insertions(+), 17 deletions(-)
diff --git a/cmd/syncthing/gui.go b/cmd/syncthing/gui.go
index 8e495b3d9..167324367 100644
--- a/cmd/syncthing/gui.go
+++ b/cmd/syncthing/gui.go
@@ -397,10 +397,6 @@ func corsMiddleware(next http.Handler) http.Handler {
 //
 // See https://www.w3.org/TR/cors/ for details.
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- // Add a generous access-control-allow-origin header since we may be
- // redirecting REST requests over protocols
- w.Header().Add("Access-Control-Allow-Origin", "*")
-
 // Process OPTIONS requests
 if r.Method == "OPTIONS" {
 // Only GET/POST Methods are supported
diff --git a/cmd/syncthing/gui_csrf.go b/cmd/syncthing/gui_csrf.go
index 00e2d3e93..52b1234a4 100644
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@@ -40,7 +40,8 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 return
 }
 
- // Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
+ // Allow requests for anything not under the protected path prefix,
+ // and set a CSRF cookie if there isn't already a valid one.
 if !strings.HasPrefix(r.URL.Path, prefix) {
 cookie, err := r.Cookie("CSRF-Token-" + unique)
 if err != nil || !validCsrfToken(cookie.Value) {
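Review bot: With the unconditional `Access-Control-Allow-Origin: *` removed from the top of the handler closure, nothing in corsMiddleware records why REST responses now deliberately carry no allow-origin header, and the next maintainer is likely to put it back; a comment in its place, `// Deliberately no Access-Control-Allow-Origin here: REST responses must not be readable by other origins.`, would keep the intent stated in the commit subject next to the code. The OPTIONS branch that follows is outside the hunk; if it still emits an allow-origin header for preflights, the preflight and the actual response now disagree, which is worth checking rather than assuming. The closure returned by corsMiddleware continues past the hunk.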
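Review bot: The new comment says what is exempt but not how the exemption is decided: `if !strings.HasPrefix(r.URL.Path, prefix)` is a literal string-prefix test on the raw request path, so whether a request counts as "under the protected path prefix" depends on the spelling the router hands down, not on a canonical form. If the mux in front of this middleware is relied on to canonicalise or reject non-canonical paths, a third comment line such as `// The match is a plain string prefix on r.URL.Path (assumes the mux has canonicalised it; confirm).` makes that dependency explicit for whoever changes the routing later. The cookie-issuing branch and the rest of csrfMiddleware continue past the hunk.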
@@ -55,18 +56,6 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 return
 }
 
- if r.Method == "GET" {
- // Allow GET requests unconditionally, but if we got the CSRF
- // token cookie do the verification anyway so we keep the
- // csrfTokens list sorted by recent usage. We don't care about the
- // outcome of the validity check.
- if cookie, err := r.Cookie("CSRF-Token-" + unique); err == nil {
- validCsrfToken(cookie.Value)
- next.ServeHTTP(w, r)
- return
- }
-
 // Verify the CSRF token
 token := r.Header.Get("X-CSRF-Token-" + unique)
 if !validCsrfToken(token) {