fix #26 add xsrf function

@@ -44,6 +44,7 @@ var (
 	EnbaleHotUpdate      bool //enable HotUpdate default is false
 	EnbaleHotUpdate      bool //enable HotUpdate default is false
 	HttpServerTimeOut    int64
 	HttpServerTimeOut    int64
 	ErrorsShow           bool
 	ErrorsShow           bool
+	XSRFKEY              string
 )
 )
 
 
 func init() {
 func init() {
@@ -72,6 +73,7 @@ func init() {
 	AppConfigPath = path.Join(AppPath, "conf", "app.conf")
 	AppConfigPath = path.Join(AppPath, "conf", "app.conf")
 	HttpServerTimeOut = 0
 	HttpServerTimeOut = 0
 	ErrorsShow = true
 	ErrorsShow = true
+	XSRFKEY = "beegoxsrf"
 	ParseConfig()
 	ParseConfig()
 }
 }
 
 

@@ -186,6 +186,9 @@ func ParseConfig() (err error) {
 		if errorsshow, err := AppConfig.Bool("errorsshow"); err == nil {
 		if errorsshow, err := AppConfig.Bool("errorsshow"); err == nil {
 			ErrorsShow = errorsshow
 			ErrorsShow = errorsshow
 		}
 		}
+		if xsrfkey := AppConfig.String("xsrfkey"); xsrfkey != "" {
+			XSRFKEY = xsrfkey
+		}
 	}
 	}
 	return nil
 	return nil
 }
 }

@@ -101,3 +101,11 @@ var cookieValueSanitizer = strings.NewReplacer("\n", " ", "\r", " ", ";", " ")
 func sanitizeValue(v string) string {
 func sanitizeValue(v string) string {
 	return cookieValueSanitizer.Replace(v)
 	return cookieValueSanitizer.Replace(v)
 }
 }
+
+func (ctx *Context) GetCookie(key string) string {
+	keycookie, err := ctx.Request.Cookie(key)
+	if err != nil {
+		return ""
+	}
+	return keycookie.Value
+}

@@ -4,9 +4,13 @@ import (
 	"bytes"
 	"bytes"
 	"compress/gzip"
 	"compress/gzip"
 	"compress/zlib"
 	"compress/zlib"
+	"crypto/hmac"
+	"crypto/sha1"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/json"
 	"encoding/xml"
 	"encoding/xml"
 	"errors"
 	"errors"
+	"fmt"
 	"github.com/astaxie/beego/session"
 	"github.com/astaxie/beego/session"
 	"html/template"
 	"html/template"
 	"io"
 	"io"
@@ -18,16 +22,18 @@ import (
 	"path"
 	"path"
 	"strconv"
 	"strconv"
 	"strings"
 	"strings"
+	"time"
 )
 )
 
 
 type Controller struct {
 type Controller struct {
-	Ctx        *Context
-	Data       map[interface{}]interface{}
-	ChildName  string
-	TplNames   string
-	Layout     string
-	TplExt     string
-	CruSession session.SessionStore
+	Ctx         *Context
+	Data        map[interface{}]interface{}
+	ChildName   string
+	TplNames    string
+	Layout      string
+	TplExt      string
+	_xsrf_token string
+	CruSession  session.SessionStore
 }
 }
 
 
 type ControllerInterface interface {
 type ControllerInterface interface {
@@ -331,3 +337,42 @@ func (c *Controller) DelSession(name interface{}) {
 func (c *Controller) IsAjax() bool {
 func (c *Controller) IsAjax() bool {
 	return (c.Ctx.Request.Header.Get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest")
 	return (c.Ctx.Request.Header.Get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest")
 }
 }
+
+func (c *Controller) XsrfToken() string {
+	if c._xsrf_token == "" {
+		token := c.Ctx.GetCookie("_xsrf")
+		if token == "" {
+			h := hmac.New(sha1.New, []byte(XSRFKEY))
+			fmt.Fprintf(h, "%s:%d", c.Ctx.Request.RemoteAddr, time.Now().UnixNano())
+			tok := fmt.Sprintf("%s:%d", h.Sum(nil), time.Now().UnixNano())
+			token := base64.URLEncoding.EncodeToString([]byte(tok))
+			c.Ctx.SetCookie("_xsrf", token)
+		}
+		c._xsrf_token = token
+	}
+	return c._xsrf_token
+}
+
+func (c *Controller) CheckXsrfCookie() bool {
+	token := c.GetString("_xsrf")
+
+	if token == "" {
+		token = c.Ctx.Request.Header.Get("X-Xsrftoken")
+	}
+	if token == "" {
+		token = c.Ctx.Request.Header.Get("X-Csrftoken")
+	}
+	if token == "" {
+		c.Ctx.Abort(403, "'_xsrf' argument missing from POST")
+	}
+
+	if c._xsrf_token != token {
+		c.Ctx.Abort(403, "XSRF cookie does not match POST argument")
+	}
+	return true
+}
+
+func (c *Controller) XsrfFormHtml() string {
+	return "<input type=\"hidden\" name=\"_xsrf\" value=\"" +
+		c._xsrf_token + "\"/>"
+}