cmd/syncthing: Enforce stricter CSRF policy on /rest GET requests (fixes #3134)

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3137
2016-05-21 13:48:55 +00:00
parent cff9bbc9c5
commit bf7fcc612d
3 changed files with 85 additions and 21 deletions
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@@ -41,7 +41,8 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 			return
 		}

-		// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
+		// Allow requests for anything not under the protected path prefix,
+		// and set a CSRF cookie if there isn't already a valid one.
 		if !strings.HasPrefix(r.URL.Path, prefix) {
 			cookie, err := r.Cookie("CSRF-Token-" + unique)
 			if err != nil || !validCsrfToken(cookie.Value) {
@@ -56,18 +57,6 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 			return
 		}

-		if r.Method == "GET" {
-			// Allow GET requests unconditionally, but if we got the CSRF
-			// token cookie do the verification anyway so we keep the
-			// csrfTokens list sorted by recent usage. We don't care about the
-			// outcome of the validity check.
-			if cookie, err := r.Cookie("CSRF-Token-" + unique); err == nil {
-				validCsrfToken(cookie.Value)
-			}
-			next.ServeHTTP(w, r)
-			return
-		}
-
 		// Verify the CSRF token
 		token := r.Header.Get("X-CSRF-Token-" + unique)
 		if !validCsrfToken(token) {