respect token validation mode for CSRF header

Fixes #1104

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino
2022-12-16 19:14:56 +01:00
parent ff4c1b239e
commit 08e29d4ee0


@@ -299,11 +299,13 @@ func verifyCSRFHeader(next http.Handler) http.Handler {
return return
} }
if tokenValidationMode != tokenValidationNoIPMatch {
if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) { if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {
logger.Debug(logSender, "", "error validating CSRF header IP audience") logger.Debug(logSender, "", "error validating CSRF header IP audience")
sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden) sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
return return
} }
}
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
}) })
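Review bot: The new `if tokenValidationMode != tokenValidationNoIPMatch {` guard carries no comment stating its security consequence: in that mode the CSRF token is no longer tied to the client address, so only the checks earlier in verifyCSRFHeader (outside this hunk) still apply. I would add above it `// IP binding is skipped when IP matching is disabled: the token is then accepted from any remote address`. The comparison fails closed, since any mode other than tokenValidationNoIPMatch still enforces the audience check, and the comment could say that too. As a style point, the two nested conditions can be written as one, `if tokenValidationMode != tokenValidationNoIPMatch && !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {`, which avoids the extra indentation level. No test for the relaxed mode is visible in this section, so it is worth confirming that one covers both branches.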