fix: validate CSRF on non-safe methods

- CSRF has to be validated for any request that can change the state, in
practice this means any HTTP request where the method isn't
GET/HEAD/OPTIONS.
- The code only considered POST to be a state-changing request.
- Forgejo has several PUT/DELETE routes (that change state) for which
no CSRF was being validated.
- Change the code to validate CSRF for all non-"safe" methods.
Gusted 2025-08-21 00:39:06 +02:00 committed by Earl Warren
commit 4dfb3facb4
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00


@ -192,7 +192,8 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont
return
}
if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
safeMethod := ctx.Req.Method == "GET" || ctx.Req.Method == "HEAD" || ctx.Req.Method == "OPTIONS"
if !options.SignOutRequired && !options.DisableCSRF && !safeMethod {
ctx.Csrf.Validate(ctx)
if ctx.Written() {
return