Comments (12)
I can't replicate your problem: sending a POST form to `/admin/form` from `/front` works as expected. I've added a `html/template` to your code and replaced the handlers (as I don't have the code for those) - no issues posting over a `PathPrefix`.
```go
package main

import (
	"fmt"
	"html/template" // html/template, not text/template, so the rendered page is contextually escaped
	"log"
	"net/http"

	"github.com/codegangsta/negroni"
	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
)

var form = `
<html>
<head>
<title>Sign Up!</title>
</head>
<body>
<form method="POST" action="/admin/form" accept-charset="UTF-8">
<input type="text" name="name">
<input type="text" name="email">
<!--
    The default template tag used by the CSRF middleware.
    This will be replaced with a hidden <input> field containing the
    masked CSRF token.
-->
{{ .csrfField }}
<input type="submit" value="Sign up!">
</form>
</body>
</html>
`

var t = template.Must(template.New("signup_form.tmpl").Parse(form))

// Index renders the form with the masked CSRF token injected at {{ .csrfField }}.
func Index(w http.ResponseWriter, r *http.Request) {
	t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
		csrf.TemplateTag: csrf.TemplateField(r),
	})
}

// Form echoes the parsed POST body. The CSRF middleware has already parsed the
// form to read the token, so r.PostForm is populated by the time we get here.
func Form(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%v\n", r.PostForm)
}

func main() {
	CSRF := csrf.Protect(
		[]byte("a-32-byte-long-key-goes-here"), // use a random, secret 32-byte key in production
	)

	router := mux.NewRouter()
	router.HandleFunc("/front", Index)

	// Everything under /admin goes through its own negroni stack before reaching adminRoutes.
	adminRoutes := mux.NewRouter()
	adminRoutes.HandleFunc("/admin/form", Form)
	router.PathPrefix("/admin").Handler(negroni.New(
		negroni.NewRecovery(),
		//middleware.NewCheckLogin(),
		negroni.Wrap(adminRoutes),
	))

	// The CSRF middleware wraps the whole router, so it runs before any route is matched.
	n := negroni.New(
		negroni.NewRecovery(),
	)
	n.UseHandler(CSRF(router))
	log.Fatal(http.ListenAndServe(":3001", n))
}
```
If you're still having issues, can you show more of your code? There is a language barrier between us but the code may help explain. Check that your `NewCheckLogin()` middleware isn't interfering.
OK, thanks for your help. I'll check the problem myself first; it doesn't seem to be a github.com/gorilla/csrf problem.
No problem. Let me know if you run into other issues.
Ok, thanks.
@elithrar I've been investigating the problem over the last few days and have now found: if the form has `enctype="multipart/form-data"`, an error occurs: `Forbidden - CSRF token invalid`. Does this count as a bug?

Taking your form code and adding `enctype="multipart/form-data"`, the problem described above occurs; please verify it yourself too:
```go
package main

import (
	"fmt"
	"html/template" // html/template, not text/template, so the rendered page is contextually escaped
	"log"
	"net/http"

	"github.com/codegangsta/negroni"
	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
)

var form = `
<html>
<head>
<title>Sign Up!</title>
</head>
<body>
<form method="POST" action="/admin/form" enctype="multipart/form-data" accept-charset="UTF-8">
<input type="text" name="name">
<input type="text" name="email">
<input type="file" name="file">
<!--
    The default template tag used by the CSRF middleware.
    This will be replaced with a hidden <input> field containing the
    masked CSRF token.
-->
{{ .csrfField }}
<input type="submit" value="Sign up!">
</form>
</body>
</html>
`

var t = template.Must(template.New("signup_form.tmpl").Parse(form))

// Index renders the form with the masked CSRF token injected at {{ .csrfField }}.
func Index(w http.ResponseWriter, r *http.Request) {
	t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
		csrf.TemplateTag: csrf.TemplateField(r),
	})
}

// Form echoes the parsed POST body (populated by the CSRF middleware's own form parse).
func Form(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%v\n", r.PostForm)
}

func main() {
	CSRF := csrf.Protect(
		[]byte("a-32-byte-long-key-goes-here"), // use a random, secret 32-byte key in production
	)

	router := mux.NewRouter()
	router.HandleFunc("/front", Index)

	adminRoutes := mux.NewRouter()
	adminRoutes.HandleFunc("/admin/form", Form)
	// Mount adminRoutes behind its own negroni stack. (The original line handed
	// PathPrefix a bare negroni.Classic() with no handler, so /admin/form was
	// never reachable; the CSRF check still fires before routing either way.)
	admin := negroni.Classic()
	admin.UseHandler(adminRoutes)
	router.PathPrefix("/admin").Handler(admin)

	n := negroni.Classic()
	n.UseHandler(CSRF(router))
	log.Fatal(http.ListenAndServe(":3001", n))
}
```
I've updated the package to support `multipart/form-data`. Run the following to grab the latest version:

```
go get -u github.com/gorilla/csrf
```

Hope that solves it!
Now an HTTP status 400 error occurs. My web application uses https://github.com/mholt/binding to handle the form, and binding reports: `[{"classification":"DeserializationError","message":"http: multipart handled by ParseMultipartForm"}]`.

There is now a problem when binding and csrf are used together. I don't know yet which part is at fault.
Quick update: I'm looking into ways to solve this for package users. The problem is that the CSRF package must call `r.ParseMultipartForm` in order to retrieve the CSRF token, but this means that downstream handlers end up with an empty request body.

The solution may be to provide an option for copying the request body prior to calling `ParseForm` and then re-populating it afterwards.
On Sun, Aug 9, 2015 at 5:56 PM 2goO wrote:

> There is now a problem when binding and csrf are used together. I don't know yet which part is at fault.
Mm, OK. It would be even better if there were an example.
Could you please implement a verification method we can use within a handler? gorilla/csrf doesn't work with `r.MultipartReader`. The solution would be not to use the CSRF middleware and instead check if the token is ok in the handler for multi-file uploads - I think.
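The two comments above describe the same failure from both ends: the middleware has to parse the multipart body to read the token, and a downstream library that wants to stream the body itself (as mholt/binding does via `r.MultipartReader`) then gets `http: multipart handled by ParseMultipartForm`. The program below is an added example, not code from gorilla/csrf or from anyone in this thread. It uses only the standard library and a stand-in token check (`checkTokenAgainst`, a fixed expected token compared in constant time) in place of the package's signed-cookie verification; `maxBody`, `naiveCheck`, `bufferedCheck`, `uploadHandler` and the constructed request are all assumptions of this example. `gorilla.csrf.Token` is gorilla/csrf's default hidden-field name. `naiveCheck` reproduces the 400 from the thread; `bufferedCheck` is the copy-then-repopulate approach elithrar sketches, with the parse state reset so the next handler sees an unread request.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

const maxBody = 4 << 20                // assumed cap on how much body is buffered in memory
const tokenField = "gorilla.csrf.Token" // gorilla/csrf's default hidden field; adjust if yours differs

// checkTokenAgainst parses the form (unavoidable for multipart bodies) and
// compares the submitted token with the expected one in constant time.
func checkTokenAgainst(expected string) func(*http.Request) bool {
	return func(r *http.Request) bool {
		if err := r.ParseMultipartForm(maxBody); err != nil && err != http.ErrNotMultipart {
			return false
		}
		return subtle.ConstantTimeCompare([]byte(r.PostFormValue(tokenField)), []byte(expected)) == 1
	}
}

// naiveCheck is the thread's failure mode: parsing consumes the body, so the
// downstream handler's MultipartReader call errors out.
func naiveCheck(check func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// bufferedCheck copies the body before the check, then re-populates it and
// clears the parse state so the next handler sees an unread request.
func bufferedCheck(check func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			buf, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
			if err != nil {
				http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(buf))
			ok := check(r)
			if r.MultipartForm != nil {
				_ = r.MultipartForm.RemoveAll() // temp files left by the first parse
			}
			r.Form, r.PostForm, r.MultipartForm = nil, nil, nil
			r.Body = io.NopCloser(bytes.NewReader(buf))
			if !ok {
				http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// uploadHandler stands in for a library such as mholt/binding that streams
// the multipart body itself instead of relying on ParseMultipartForm.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	mr, err := r.MultipartReader()
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	for p, err := mr.NextPart(); err == nil; p, err = mr.NextPart() {
		data, _ := io.ReadAll(p)
		fmt.Fprintf(w, "%s=%d bytes\n", p.FormName(), len(data))
	}
}

// newMultipartRequest builds a constructed multipart POST carrying the token
// field and one small file part.
func newMultipartRequest(token string) *http.Request {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	_ = mw.WriteField(tokenField, token)
	fw, _ := mw.CreateFormFile("file", "hello.txt")
	_, _ = fw.Write([]byte("hello"))
	_ = mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/admin/form", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	return req
}

// serve pushes one constructed request through the chosen chain and returns
// the status code and response body.
func serve(token string, buffered bool) (int, string) {
	check := checkTokenAgainst("expected-token-for-this-session")
	next := http.HandlerFunc(uploadHandler)
	h := naiveCheck(check, next)
	if buffered {
		h = bufferedCheck(check, next)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, newMultipartRequest(token))
	return rec.Code, rec.Body.String()
}
```

`serve(token, false)` answers 400 with `http: multipart handled by ParseMultipartForm`, the exact message binding surfaced; `serve(token, true)` answers 200 and the handler can stream both parts, while a wrong token still gets 403. The cost is holding the body in memory once, which is why `maxBody` and `http.MaxBytesReader` bound it; for very large uploads a middleware would need to spool to disk instead, and the in-handler check the last comment asks for is simply `checkTokenAgainst` called directly before reading the parts.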