beenull/sftpgo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

respect token validation mode for CSRF header

Browse source 
Fixes #1104

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2022-12-16 19:14:56 +01:00
parent 2da3eabc12
commit 147ad3b230
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
1 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
internal/httpd/middleware.go
View file

@ -305,11 +305,13 @@ func verifyCSRFHeader(next http.Handler) http.Handler {
return
}
if tokenValidationMode != tokenValidationNoIPMatch {
if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {
logger.Debug(logSender, "", "error validating CSRF header IP audience")
sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
return
}
}
next.ServeHTTP(w, r)
})