Generate and store CSRF token in the session
Signed-off-by: DL6ER <dl6er@dl6er.de>
parent
6975a17c7c
commit
f5f0354b3c
|
@ -77,30 +77,10 @@ index 81f642be..ed360a76 100644
|
|||
CIVETWEB_API int
|
||||
mg_send_http_error(struct mg_connection *conn, int status, const char *fmt, ...)
|
||||
{
|
||||
@@ -10649,6 +10649,10 @@ parse_http_request(char *buf, int len, struct mg_request_info *ri)
|
||||
NULL;
|
||||
ri->num_headers = 0;
|
||||
|
||||
+ /******************** Pi-hole modification ********************/
|
||||
+ strncpy(ri->raw_http_head, buf, sizeof(ri->raw_http_head));
|
||||
+ /**************************************************************/
|
||||
+
|
||||
/* RFC says that all initial whitespaces should be ignored */
|
||||
/* This included all leading \r and \n (isspace) */
|
||||
/* See table: http://www.cplusplus.com/reference/cctype/ */
|
||||
diff --git a/src/webserver/civetweb/civetweb.h b/src/webserver/civetweb/civetweb.h
|
||||
index 7ea45fb2..f879ff3e 100644
|
||||
--- a/src/webserver/civetweb/civetweb.h
|
||||
+++ b/src/webserver/civetweb/civetweb.h
|
||||
@@ -186,6 +186,8 @@ struct mg_request_info {
|
||||
|
||||
const char *acceptedWebSocketSubprotocol; /* websocket subprotocol,
|
||||
* accepted during handshake */
|
||||
+ // Pi-hole modification
|
||||
+ char raw_http_head[16384];
|
||||
};
|
||||
|
||||
|
||||
@@ -963,6 +964,16 @@ CIVETWEB_API int mg_send_http_error(struct mg_connection *conn,
|
||||
PRINTF_FORMAT_STRING(const char *fmt),
|
||||
...) PRINTF_ARGS(3, 4);
|
||||
|
|
|
@ -40,8 +40,8 @@
|
|||
#define NETTLE_SIGN
|
||||
#endif
|
||||
|
||||
// How many bits should the SID use?
|
||||
#define SID_BITSIZE 160
|
||||
// How many bits should the SID and CSRF token use?
|
||||
#define SID_BITSIZE 128
|
||||
#define SID_SIZE BASE64_ENCODE_RAW_LENGTH(SID_BITSIZE/8)
|
||||
|
||||
// SameSite=Strict: Defense against some classes of cross-site request forgery
|
||||
|
@ -68,7 +68,8 @@ static struct {
|
|||
char remote_addr[48]; // Large enough for IPv4 and IPv6 addresses, hard-coded in civetweb.h as mg_request_info.remote_addr
|
||||
char user_agent[128];
|
||||
char sid[SID_SIZE];
|
||||
} auth_data[API_MAX_CLIENTS] = {{false, {false, false}, 0, 0, {0}, {0}, {0}}};
|
||||
char csrf[SID_SIZE];
|
||||
} auth_data[API_MAX_CLIENTS] = {{false, {false, false}, 0, 0, {0}, {0}, {0}, {0}}};
|
||||
|
||||
// Can we validate this client?
|
||||
// Returns -1 if not authenticated or expired
|
||||
|
@ -190,6 +191,9 @@ int check_client_auth(struct ftl_conn *api)
|
|||
return send_json_error(api, 500, "internal_error", "Internal server error", NULL);
|
||||
}
|
||||
|
||||
// Copy CSRF token into request
|
||||
strncpy((char*)api->request->csrf_token, auth_data[user_id].csrf, sizeof(api->request->csrf_token) - 1);
|
||||
|
||||
if(config.debug.api.v.b)
|
||||
{
|
||||
char timestr[128];
|
||||
|
@ -517,8 +521,9 @@ int api_auth(struct ftl_conn *api)
|
|||
auth_data[i].tls.login = api->request->is_ssl;
|
||||
auth_data[i].tls.mixed = false;
|
||||
|
||||
// Generate new SID
|
||||
// Generate new SID and CSRF token
|
||||
generateSID(auth_data[i].sid);
|
||||
generateSID(auth_data[i].csrf);
|
||||
|
||||
user_id = i;
|
||||
break;
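Review bot: In hunk `@ -190,6 +191,9`, `strncpy((char*)api->request->csrf_token, auth_data[user_id].csrf, sizeof(api->request->csrf_token) - 1)` leaves the token NUL-terminated only if the last byte of csrf_token was already zero, and because SID_SIZE is defined as exactly the base64 length (`BASE64_ENCODE_RAW_LENGTH(SID_BITSIZE/8)`), a `csrf[SID_SIZE]` filled without a terminator would let a larger destination make strncpy read past the end of `csrf` into the neighbouring field. Either terminate explicitly after the copy, `api->request->csrf_token[sizeof(api->request->csrf_token) - 1] = '\0';`, or, once it is confirmed that `generateSID` writes a terminator within SID_SIZE bytes, replace the call with `snprintf((char*)api->request->csrf_token, sizeof(api->request->csrf_token), "%s", auth_data[user_id].csrf);`. The `(char*)` cast suggests csrf_token is not declared as a plain `char` array; a one-line comment giving its declared size and stating that it holds a NUL-terminated copy of the per-session token would help the next reader. `check_client_auth` continues beyond the hunk.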
|
||||
|
|
|
@ -10975,10 +10975,6 @@ parse_http_request(char *buf, int len, struct mg_request_info *ri)
|
|||
NULL;
|
||||
ri->num_headers = 0;
|
||||
|
||||
/******************** Pi-hole modification ********************/
|
||||
strncpy(ri->raw_http_head, buf, sizeof(ri->raw_http_head));
|
||||
/**************************************************************/
|
||||
|
||||
/* RFC says that all initial whitespaces should be ignored */
|
||||
/* This included all leading \r and \n (isspace) */
|
||||
/* See table: http://www.cplusplus.com/reference/cctype/ */
|
||||
|
|
|
@ -183,8 +183,6 @@ struct mg_request_info {
|
|||
|
||||
const char *acceptedWebSocketSubprotocol; /* websocket subprotocol,
|
||||
* accepted during handshake */
|
||||
// Pi-hole modification
|
||||
char raw_http_head[16384];
|
||||
};
|
||||
|
||||
|
||||