93e1206d by astaxie

xsrf change to randstr and cookie set to security cookie

1 parent 2249d745
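--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -67,7 +67,7 @@ func Run() {
 }
 
 if SessionOn {
-GlobalSessions, _ = session.NewManager(SessionProvider, SessionName, SessionGCMaxLifetime, SessionSavePath)
+GlobalSessions, _ = session.NewManager(SessionProvider, SessionName, SessionGCMaxLifetime, SessionSavePath, HttpTLS)
 go GlobalSessions.GC()
 }
 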
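Review bot: On the changed line 70 the error returned by session.NewManager is still discarded, so a misconfigured SessionProvider leaves GlobalSessions nil and `go GlobalSessions.GC()` on the next line is started on a nil manager at startup. Capture the error and stop there, e.g. `GlobalSessions, err = session.NewManager(SessionProvider, SessionName, SessionGCMaxLifetime, SessionSavePath, HttpTLS)` followed by `if err != nil { panic(err) }`, declaring `err` if Run() has none (its body continues outside the hunk). The new HttpTLS argument presumably controls the Secure attribute of the session cookie, but NewManager is not shown here; a short comment at the call, `// HttpTLS: mark the session cookie Secure when serving over TLS`, would record that intent for the next reader.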
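--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -304,21 +304,56 @@ func (c *Controller) IsAjax() bool {
 return c.Ctx.Input.IsAjax()
 }
 
+func (c *Controller) GetSecureCookie(Secret, key string) (string, bool) {
+val := c.Ctx.GetCookie(key)
+if val == "" {
+return "", false
+}
+
+parts := strings.SplitN(val, "|", 3)
+
+vs := parts[0]
+timestamp := parts[1]
+sig := parts[2]
+
+h := hmac.New(sha1.New, []byte(Secret))
+fmt.Fprintf(h, "%s%s", vs, timestamp)
+
+if fmt.Sprintf("%02x", h.Sum(nil)) != sig {
+return "", false
+}
+
+ts, _ := strconv.ParseInt(timestamp, 0, 64)
+
+buf := bytes.NewBufferString(val)
+encoder := base64.NewDecoder(base64.StdEncoding, buf)
+
+res, _ := ioutil.ReadAll(encoder)
+return string(res), true
+}
+
+func (c *Controller) SetSecureCookie(Secret, name, val string, age int) {
+vs := base64.URLEncoding.EncodeToString([]byte(val))
+timestamp := strconv.FormatInt(time.Now().UnixNano(), 10)
+h := hmac.New(sha1.New, []byte(Secret))
+fmt.Fprintf(h, "%s%s", vs, timestamp)
+sig := fmt.Sprintf("%02x", h.Sum(nil))
+cookie := strings.Join([]string{vs, timestamp, sig}, "|")
+c.Ctx.SetCookie(name, cookie, age, "/")
+}
+
 func (c *Controller) XsrfToken() string {
 if c._xsrf_token == "" {
-token := c.Ctx.GetCookie("_xsrf")
-if token == "" {
-h := hmac.New(sha1.New, []byte(XSRFKEY))
-fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
-tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
-token = base64.URLEncoding.EncodeToString([]byte(tok))
+token, ok := c.GetSecureCookie(XSRFKEY, "_xsrf")
+if !ok {
 expire := 0
 if c.XSRFExpire > 0 {
 expire = c.XSRFExpire
 } else {
 expire = XSRFExpire
 }
-c.Ctx.SetCookie("_xsrf", token, expire, "/")
+token = GetRandomString(15)
+c.SetSecureCookie(XSRFKEY, "_xsrf", token, expire)
 }
 c._xsrf_token = token
 }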
1 package middleware 1 package middleware
2
3 //import (
4 // "github.com/astaxie/beego/config"
5 // "os"
6 // "path"
7 //)
8
9 //type Translation struct {
10 // filetype string
11 // CurrentLocal string
12 // Locales map[string]map[string]string
13 //}
14
15 //func NewLocale(filetype string) *Translation {
16 // return &Translation{
17 // filetype: filetype,
18 // CurrentLocal: "zh",
19 // Locales: make(map[string]map[string]string),
20 // }
21 //}
22
23 //func (t *Translation) loadTranslations(dirPath string) error {
24 // dir, err := os.Open(dirPath)
25 // if err != nil {
26 // return err
27 // }
28 // defer dir.Close()
29
30 // names, err := dir.Readdirnames(-1)
31 // if err != nil {
32 // return err
33 // }
34
35 // for _, name := range names {
36 // fullPath := path.Join(dirPath, name)
37
38 // fi, err := os.Stat(fullPath)
39 // if err != nil {
40 // return err
41 // }
42
43 // if fi.IsDir() {
44 // continue
45 // } else {
46 // if err := t.loadTranslation(fullPath, name); err != nil {
47 // return err
48 // }
49 // }
50 // }
51
52 // return nil
53 //}
54
55 //func (t *Translation) loadTranslation(fullPath, locale string) error {
56
57 // sourceKey2Trans, ok := t.Locales[locale]
58 // if !ok {
59 // sourceKey2Trans = make(map[string]string)
60
61 // t.Locales[locale] = sourceKey2Trans
62 // }
63
64 // for _, m := range trf.Messages {
65 // if m.Translation != "" {
66 // sourceKey2Trans[sourceKey(m.Source, m.Context)] = m.Translation
67 // }
68 // }
69
70 // return nil
71 //}
72
73 //func (t *Translation) SetLocale(local string) {
74 // t.CurrentLocal = local
75 //}
76
77 //func (t *Translation) Translate(key string) string {
78 // if ct, ok := t.Locales[t.CurrentLocal]; ok {
79 // if v, o := ct[key]; o {
80 // return v
81 // }
82 // }
83 // return key
84 //}
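--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,6 +1,7 @@
 package beego
 
 import (
+"crypto/rand"
 "fmt"
 "html/template"
 "net/url"
@@ -362,3 +363,13 @@ func FileExists(path string) (bool, error) {
 }
 return false, err
 }
+
+func GetRandomString(n int) string {
+const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+var bytes = make([]byte, n)
+rand.Read(bytes)
+for i, b := range bytes {
+bytes[i] = alphanum[b%byte(len(alphanum))]
+}
+return string(bytes)
+}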
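Review bot: GetRandomString (new lines 367–375) ignores the result of `rand.Read(bytes)`; crypto/rand can return an error with the buffer only partly filled, and the loop then maps the untouched zero bytes to a run of `'0'`, handing XsrfToken a predictable token without any sign of failure. Since XsrfToken is the only caller added in this commit, the failure should be loud rather than silent: `if _, err := rand.Read(bytes); err != nil { panic("crypto/rand read: " + err.Error()) }`, or change the signature to return an error. `b % 62` also has a small modulo bias (256 = 4·62 + 8, so `'0'`–`'7'` are slightly favoured), which is tolerable for a 15-character token but deserves a comment such as `// b%62 is slightly biased toward the first 8 alphabet characters; acceptable at this length`. The exported name has no doc comment; `// GetRandomString returns n characters drawn from [0-9A-Za-z] using crypto/rand.` would do.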