Refined CSRF Protection Exempt Glob (/api/* to /api/*/*) to provide CSRF protection for /api/reset

Added stub for /api/campaigns/:id/launch
pull/24/head
Jordan 2014-02-03 23:41:31 -06:00
parent e0e15221b1
commit 7045c7f3e2
3 changed files with 8 additions and 2 deletions


@ -126,6 +126,10 @@ func API_Campaigns_Id(w http.ResponseWriter, r *http.Request) {
} }
} }
func API_Campaigns_Id_Launch(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "/", 302)
}
// API_Groups returns details about the requested group. If the campaign is not // API_Groups returns details about the requested group. If the campaign is not
// valid, API_Groups returns null. // valid, API_Groups returns null.
func API_Groups(w http.ResponseWriter, r *http.Request) { func API_Groups(w http.ResponseWriter, r *http.Request) {
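Review bot: The new API_Campaigns_Id_Launch stub answers an API-key route with `http.Redirect(w, r, "/", 302)`, which gives a non-browser API client no indication that the launch is unimplemented, and unlike the neighbouring API_Groups it carries no doc comment. Because launching is a state-changing action, the placeholder should fail explicitly until it is implemented, e.g. `http.Error(w, "not implemented", http.StatusNotImplemented)`, so callers cannot mistake the redirect for success. The function should also be preceded by a comment such as `// API_Campaigns_Id_Launch launches the campaign with the given id. Not yet implemented.` to match the file's convention. API_Groups starts on the hunk's last line and its body lies outside the hunk.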


@ -33,6 +33,7 @@ func CreateRouter() *nosurf.CSRFHandler {
api.HandleFunc("/reset", Use(API_Reset, mid.RequireLogin)) api.HandleFunc("/reset", Use(API_Reset, mid.RequireLogin))
api.HandleFunc("/campaigns", Use(API_Campaigns, mid.RequireAPIKey)) api.HandleFunc("/campaigns", Use(API_Campaigns, mid.RequireAPIKey))
api.HandleFunc("/campaigns/{id:[0-9]+}", Use(API_Campaigns_Id, mid.RequireAPIKey)) api.HandleFunc("/campaigns/{id:[0-9]+}", Use(API_Campaigns_Id, mid.RequireAPIKey))
api.HandleFunc("/campaigns/id:[0-9]+}", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))
api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey)) api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey)) api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))
@ -41,7 +42,7 @@ func CreateRouter() *nosurf.CSRFHandler {
//Setup CSRF Protection //Setup CSRF Protection
csrfHandler := nosurf.New(router) csrfHandler := nosurf.New(router)
csrfHandler.ExemptGlob("/api/*") csrfHandler.ExemptGlob("/api/*/*")
csrfHandler.ExemptGlob("/static/*") csrfHandler.ExemptGlob("/static/*")
return csrfHandler return csrfHandler
} }
@ -98,8 +99,10 @@ func Settings(w http.ResponseWriter, r *http.Request) {
User models.User User models.User
Title string Title string
Flashes []interface{} Flashes []interface{}
Token string
}{Title: "Settings", User: ctx.Get(r, "user").(models.User)} }{Title: "Settings", User: ctx.Get(r, "user").(models.User)}
session := ctx.Get(r, "session").(*sessions.Session) session := ctx.Get(r, "session").(*sessions.Session)
params.Token = nosurf.Token(r)
params.Flashes = session.Flashes() params.Flashes = session.Flashes()
session.Save(r, w) session.Save(r, w)
getTemplate(w, "settings").ExecuteTemplate(w, "base", params) getTemplate(w, "settings").ExecuteTemplate(w, "base", params)
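Review bot: The route pattern on the newly added line for API_Campaigns_Id_Launch, `"/campaigns/id:[0-9]+}"`, is missing the opening `{` of the `{id:[0-9]+}` variable syntax used on the surrounding lines and the `/launch` suffix the commit message describes, so it registers a literal path that never matches a numeric id; it should read `api.HandleFunc("/campaigns/{id:[0-9]+}/launch", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))`. Separately, the exemption change in the second hunk (`/api/*` to `/api/*/*`) selects by path depth rather than by how a route is authenticated: `/api/reset` is now covered, but so are the API-key routes `/api/campaigns` and `/api/groups`, whose unsafe-method requests will presumably be rejected by nosurf unless the client also carries a CSRF token. Whether a three-segment path such as the intended `/api/campaigns/{id}/launch` stays exempt depends on whether nosurf's `*` spans a `/`, which I cannot confirm from this hunk. Tying the exemption to the API-key routes by name (for example a regexp exemption for `^/api/(campaigns|groups)(/|$)`, if the nosurf version in use offers one) and leaving `/api/reset` unexempted would bind the protection to the login-session routes it is meant for. CreateRouter begins above the first hunk, so the router setup that precedes these registrations is not visible here.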


@ -44,7 +44,6 @@
<button class="btn btn-primary"><i class="fa fa-refresh" type="submit"></i> Reset</button> <button class="btn btn-primary"><i class="fa fa-refresh" type="submit"></i> Reset</button>
<input type="hidden" name="csrf_token" value={{%.Token%}}/> <input type="hidden" name="csrf_token" value={{%.Token%}}/>
</form> </form>
</a>
</div> </div>
<br /> <br />
<button class="btn btn-primary">Save</button> <button class="btn btn-primary">Save</button>