
Redirect on bad CSRF instead of presenting bad page #14937

Merged: 5 commits merged into go-gitea:main from zeripath:invalid-csrf-redirect on Jul 8, 2021

Conversation

zeripath
Contributor

@zeripath zeripath commented Mar 9, 2021

The current CSRF handler is a bit harsh with bad CSRF tokens on webpages
I think we can be a little kinder and redirect to base page with a flash error

Fix #14167

Signed-off-by: Andrew Thornton <art27@cantab.net>

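The behaviour the PR describes, as an added illustration rather than Gitea's own code: a CSRF middleware that, when the token on a state-changing request does not match the session's, redirects browser form posts to the application root with a flash error instead of rendering an error page, while API callers still get a plain 403. The session token, cookie name and the `/api/` path test are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)

// Token issued for the current session (constructed placeholder for the session store).
const sessionToken = "constructed-session-token-0123"

// validToken compares in constant time so a mismatch leaks no timing information.
func validToken(submitted, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(submitted), []byte(expected)) == 1
}

// csrfFailure rejects a request whose token did not validate: API routes keep a
// plain 403, web pages get a flash-error cookie plus a redirect to appRoot
// instead of an error page (cookie name and value are assumptions, not Gitea's own).
func csrfFailure(w http.ResponseWriter, r *http.Request, appRoot string) {
	if strings.HasPrefix(r.URL.Path, "/api/") {
		http.Error(w, "Invalid csrf token.", http.StatusForbidden)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: "flash", Value: "invalid-csrf-token",
		Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	http.Redirect(w, r, appRoot, http.StatusSeeOther)
}

// CSRFProtect wraps next: state-changing methods must carry a token (header or
// form field) matching the session's; safe methods pass straight through.
func CSRFProtect(next http.Handler, appRoot string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		token := r.Header.Get("X-Csrf-Token")
		if token == "" {
			token = r.PostFormValue("_csrf")
		}
		if !validToken(token, sessionToken) {
			csrfFailure(w, r, appRoot)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The redirect uses 303 See Other so the browser re-requests the root with GET; the submitted form body is not carried over, which is the trade-off raised in the discussion below.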
@zeripath zeripath added the topic/ui Change the appearance of the Gitea UI label Mar 9, 2021
@CL-Jeremy
Contributor

Hmm, this certainly improves UE greatly, but I don't think merging this should close that issue entirely (although that issue lacks details for further investigation to take place).

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 14, 2021
@zeripath zeripath added this to the 1.15.0 milestone Mar 18, 2021
@lunny
Member

lunny commented Mar 22, 2021

But the submitted form information will be lost. Before, we could click the back button in the browser to return to the form page.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 30, 2021
@jpraet
Member

jpraet commented Jun 30, 2021

But the submitted form information will be lost. Before, we could click the back button in the browser to return to the form page.

The back button still works for me.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jul 8, 2021
@codecov-commenter

Codecov Report

Merging #14937 (e129316) into main (fc1607b) will decrease coverage by 0.00%.
The diff coverage is 13.33%.


@@            Coverage Diff             @@
##             main   #14937      +/-   ##
==========================================
- Coverage   45.51%   45.51%   -0.01%     
==========================================
  Files         709      709              
  Lines       83755    83767      +12     
==========================================
+ Hits        38120    38124       +4     
- Misses      39500    39508       +8     
  Partials     6135     6135              
Impacted Files Coverage Δ
modules/context/csrf.go 70.17% <13.33%> (-11.20%) ⬇️
services/pull/pull.go 41.99% <0.00%> (ø)
models/gpg_key.go 51.99% <0.00%> (+0.56%) ⬆️
modules/queue/workerpool.go 54.96% <0.00%> (+0.76%) ⬆️
modules/log/event.go 59.90% <0.00%> (+0.94%) ⬆️


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@6543 6543 merged commit d06f9ce into go-gitea:main Jul 8, 2021
@lunny
Member

lunny commented Jul 8, 2021

I think it's better to backport to v1.14

6543 pushed a commit to 6543-forks/gitea that referenced this pull request Jul 8, 2021
@6543
Member

6543 commented Jul 8, 2021

-> #16378

@6543 6543 added the backport/done All backports for this PR have been created label Jul 8, 2021
6543 added a commit that referenced this pull request Jul 8, 2021

Co-authored-by: zeripath <art27@cantab.net>
@zeripath zeripath deleted the invalid-csrf-redirect branch July 16, 2021 08:52
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this pull request Aug 10, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Successfully merging this pull request may close these issues.

Blank page with "Invalid csrf token."