Comments (13)
@kris-runzer I have the fix outlined. I'll be conservative and say it's coming this week.
from nosurf.
Do you have an example? Are you using WithContext() on the request at all?
On Tue, Aug 30, 2016 at 8:10 PM Jack [email protected] wrote:
When compiled in Go 1.7, nosurf.Token(r) returns empty string.
I've tried the -gcflags=-ssa=0 as suggested by the 1.7 release note, but
it didn't help.
https://golang.org/doc/go1.7—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#35, or mute the thread
https://github.com/notifications/unsubscribe-auth/AABIcLhP1Poj9jHsFqCFN8Cndl2fRfm5ks5qlPCTgaJpZM4JxMBd
.
from nosurf.
Tests seem to pass on go version go1.7 linux/amd64
. Getting more info would be helpful.
from nosurf.
@elithrar good catch on WithContext()
: could definitely be the culprit:
func handler(w http.ResponseWriter, r *http.Request) {
r2 := r.WithContext(...)
token := nosurf.Token(r2)
}
would definitely return an empty token, as r2 points to a different memory location and thus the context map lookup would fail.
I have been thinking about doing a conditional build for ctxSetReason/ctxSetToken/ctxClear
that would leverage r.Context
on Go >= 1.7 anyway. Should be a pretty clean fix.
from nosurf.
I tested this using the authboss-sample app (unmodified).
https://github.com/go-authboss/authboss-sample
I don't see that it uses WithContext so may be something else. The cookie is set properly, but the hidden csrf field in the form is empty.
from nosurf.
Hi, are you able to reproduce this issue under Go 1.7 using the authboss-sample? You can just compile and run it, then go to the login page and view the hidden csrf_token field. You will see that it's empty when compiled under 1.7.
from nosurf.
The nosurf README example works for me—unmodified—in Go 1.7. What browser are you testing in, @jack-chung?
@jack-chung The authboss-sample is giving me the following error:
2016/09/04 15:05:32 Failed to validate XSRF Token: The CSRF token in the cookie doesn't match the one received in a form/header.
The form does not (as you say) populate the hidden <input>
with the token. I assume the way the example is using nosurf is at fault here, but I don't have the time to check into it.
from nosurf.
I am able to narrow this down after testing more. It seems to be caused by the use of gorilla mux.
Taking the nosurf README example code, and changing the main function from:
myHandler := http.HandlerFunc(myFunc)
fmt.Println("Listening on http://127.0.0.1:8000/")
http.ListenAndServe(":8000", nosurf.New(myHandler))
to:
mux := mux.NewRouter()
mux.HandleFunc("/", myFunc)
fmt.Println("Listening on http://127.0.0.1:8000/")
http.ListenAndServe(":8000", nosurf.New(mux))
will reproduce the problem. It works when compiled under Go 1.6, but nosurf.Token returns empty string when compiled under 1.7.
Is this helpful? I looked through the gorilla bug list and there are a few related to go 1.7. They all seem to be related to the use of request.WithContext(), but I'm not sure why the use of mux here would cause a problem.
from nosurf.
nosurf does not use the new context, which means that when mux (for Go 1.7)
calls WithContext, the CSRF token in nosurf's map[*http.Request]token is
"islanded" as WithContext performs a shallow copy.
The map key, being the request, no longer points to the correct request.
This problem exists for any library using a global map based on
http.Request + using *any library that uses the new WithContext() shallow
copy. https://github.com/gorilla/csrf uses the new context when built on Go
1.7, and it should be an easy fix for nosurf as well (copy paste, almost).
On Tue, Sep 6, 2016 at 10:11 PM Jack [email protected] wrote:
I am able to narrow this now after testing more. It seems to be caused by
the use of gorilla mux.
Taking the nosurf README example code, and changing the main function from:
myHandler := http.HandlerFunc(myFunc)
fmt.Println("Listening on http://127.0.0.1:8000/")
http.ListenAndServe(":8000", nosurf.New(myHandler))to:
` mux := mux.NewRouter()
mux.HandleFunc("/", myFunc)fmt.Println("Listening on http://127.0.0.1:8000/")
http.ListenAndServe(":8000", nosurf.New(mux))`will reproduce the problem. It works when compiled under Go 1.6, but
nosurf.Token returns empty string when compiled under 1.7.Is this helpful? I looked through the gorilla bug list and there are a few
related to go 1.7. They all seem to be related to the use of
request.WithContext(), but I'm not sure why the use of mux here would cause
a problem.—
You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub
#35 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AABIcJQH7AK1SWZNiv6F0kYOHhCgq2iMks5qnkdkgaJpZM4JxMBd
.
from nosurf.
So the plan remains to use conditional compiling to support 1.7's Context. Should solve this whole class of problems. Thanks @elithrar for looking into this.
from nosurf.
Hello @justinas; I was wondering if you have a timeline for this fix?
Thanks
from nosurf.
Thanks @justinas! I'm having the exact same issue. If it helps, I've used the same approach that @elithrar helpfully created for their csrf and mux packages (using build tags to provide backward compatibility) and it works like a charm.
I'm looking forward to the fix!
from nosurf.
Should be fixed as of f57d555, at least from what I can tell from the tests. Will wait for someone to confirm in a real world scenario before closing. @jack-chung @kris-runzer @jordan-wright
from nosurf.
Related Issues (20)
- Filtering out safe methods and excluded paths HOT 2
- Token value error HOT 6
- Send a response body in defaultFailureHandler HOT 2
- please consider updating tags or deleting the current tag HOT 3
- example is insecure HOT 4
- Remove Referer check HOT 1
- Possible flaw HOT 2
- SetBaseCookie not having effect HOT 8
- Wiki page for newbies doubts and problems
- Doubts about many cookies and many Path for a single domain. HOT 13
- Prevent form resubmit HOT 1
- Logging HOT 1
- Combining Session and CSRF cookie HOT 3
- Is this normal behavior? HOT 5
- RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set
- How does nosurf OTP protect against BREACH? HOT 5
- Inappropriate key in call to `context.WithValue`
- Ability to handle multiple cookies in context HOT 5
- Installing command of `nosurf` is missing in README.md
- CSRF failed with bad request HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nosurf.