Merge pull request #306 from Bwko/Security

Fixes xss, clickjacking & password autocompletion
Matthias Loibl 2016-11-30 08:22:45 +01:00 committed by GitHub
commit 6dc6926abe
5 changed files with 13 additions and 10 deletions


@ -6,6 +6,7 @@ package context
import ( import (
"fmt" "fmt"
"html"
"html/template" "html/template"
"io" "io"
"net/http" "net/http"
@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
} }
} }
ctx.Data["CsrfToken"] = x.GetToken() ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
log.Debug("Session ID: %s", sess.ID()) log.Debug("Session ID: %s", sess.ID())
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"]) log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
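Review bot: Assigning `html.EscapeString(x.GetToken())` to `ctx.Data["CsrfToken"]` puts output encoding into the stored value instead of at the point of output. If the templates are rendered through `html/template` (imported in this file), `{{.CsrfToken}}` is escaped a second time, and any consumer that puts the value in a header or script gets the HTML-encoded form rather than the token itself. Keeping `ctx.Data["CsrfToken"] = x.GetToken()` and wrapping `x.GetToken()` in `html.EscapeString(...)` only inside the hand-built `template.HTML` concatenation confines the escaping to the one place where markup is assembled as a string. Separately, the two `log.Debug` context lines at the end of the hunk write the session ID and the CSRF token to the log, and are worth dropping or truncating. `Contexter` begins and ends outside this hunk.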


@ -13,7 +13,7 @@
{{if .IsResetForm}} {{if .IsResetForm}}
<div class="required inline field {{if .Err_Password}}error{{end}}"> <div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label> <label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" autofocus required> <input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
</div> </div>
<div class="ui divider"></div> <div class="ui divider"></div>
<div class="inline field"> <div class="inline field">
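Review bot: The password input on the new side still carries `value="{{.password}}"`, so whenever the form is re-rendered with that field populated (presumably after a validation error) the submitted password is written back into the response HTML. `autocomplete="off"` does not cover this. Dropping the attribute, as in `<input id="password" name="password" type="password" autocomplete="off" autofocus required>`, keeps the secret out of page source and any cached copy of the response. The same applies to the `password` input in the next template section and to both `password` and `retype` (`value="{{.retype}}"`) in the section after that. The enclosing form starts and ends outside the hunk.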


@ -15,7 +15,7 @@
</div> </div>
<div class="required inline field {{if .Err_Password}}error{{end}}"> <div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label> <label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" required> <input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
</div> </div>
<div class="inline field"> <div class="inline field">
<label></label> <label></label>


@ -22,11 +22,11 @@
</div> </div>
<div class="required inline field {{if .Err_Password}}error{{end}}"> <div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label> <label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" required> <input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
</div> </div>
<div class="required inline field {{if .Err_Password}}error{{end}}"> <div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="retype">{{.i18n.Tr "re_type"}}</label> <label for="retype">{{.i18n.Tr "re_type"}}</label>
<input id="retype" name="retype" type="password" value="{{.retype}}" required> <input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required>
</div> </div>
{{if .EnableCaptcha}} {{if .EnableCaptcha}}
<div class="inline field"> <div class="inline field">


@ -14,15 +14,15 @@
{{.CsrfTokenHtml}} {{.CsrfTokenHtml}}
<div class="required field {{if .Err_OldPassword}}error{{end}}"> <div class="required field {{if .Err_OldPassword}}error{{end}}">
<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label> <label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
<input id="old_password" name="old_password" type="password" autofocus required> <input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required>
</div> </div>
<div class="required field {{if .Err_Password}}error{{end}}"> <div class="required field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "settings.new_password"}}</label> <label for="password">{{.i18n.Tr "settings.new_password"}}</label>
<input id="password" name="password" type="password" required> <input id="password" name="password" type="password" autocomplete="off" required>
</div> </div>
<div class="required field {{if .Err_Password}}error{{end}}"> <div class="required field {{if .Err_Password}}error{{end}}">
<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label> <label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
<input id="retype" name="retype" type="password" required> <input id="retype" name="retype" type="password" autocomplete="off" required>
</div> </div>
<div class="field"> <div class="field">
@ -33,7 +33,7 @@
<div class="ui info message"> <div class="ui info message">
<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p> <p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p>
</div> </div>
{{end}} {{end}}
</div> </div>
</div> </div>
</div> </div>
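Review bot: `autocomplete="off"` on the three password inputs in the first hunk is ignored for `type="password"` fields by most current browsers and password managers, so it gives little protection and can make a manager fill the wrong field. The standard tokens state the intent more precisely: `autocomplete="current-password"` on `old_password` and `autocomplete="new-password"` on `password` and `retype`. That stops the stored credential from being offered in the new-password fields while still letting a password manager save the change. The form these inputs belong to starts and ends outside the hunk.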