|
@@ -22,6 +22,7 @@ import (
|
|
|
"gogs.io/gogs/internal/db"
|
|
|
"gogs.io/gogs/internal/errutil"
|
|
|
"gogs.io/gogs/internal/form"
|
|
|
+ "gogs.io/gogs/internal/lazyregexp"
|
|
|
"gogs.io/gogs/internal/template"
|
|
|
)
|
|
|
|
|
@@ -228,6 +229,11 @@ func (c *Context) ServeContent(name string, r io.ReadSeeker, params ...interface
|
|
|
http.ServeContent(c.Resp, c.Req.Request, name, modtime, r)
|
|
|
}
|
|
|
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+var csrfTokenExcludePattern = lazyregexp.New(`[^a-zA-Z0-9-_].*`)
|
|
|
+
|
|
|
|
|
|
func Contexter() macaron.Handler {
|
|
|
return func(ctx *macaron.Context, l i18n.Locale, cache cache.Cache, sess session.Store, f *session.Flash, x csrf.CSRF) {
|
|
@@ -276,8 +282,12 @@ func Contexter() macaron.Handler {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- c.Data["CSRFToken"] = x.GetToken()
|
|
|
- c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+ csrfToken := csrfTokenExcludePattern.ReplaceAllString(x.GetToken(), "")
|
|
|
+ c.Data["CSRFToken"] = csrfToken
|
|
|
+ c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + csrfToken + `">`)
|
|
|
log.Trace("Session ID: %s", sess.ID())
|
|
|
log.Trace("CSRF Token: %v", c.Data["CSRFToken"])
|
|
|
|