
Added optional csrf_key to config to better support H/A configurations. Fixes #1816. Fixes #1820.

pull/1557/merge
Jordan Wright 1 year ago
parent
commit
a0e8c4a369
3 changed files with 9 additions and 2 deletions
  1. +3
    -1
      config/config.go
  2. +1
    -0
      config/config_test.go
  3. +5
    -1
      controllers/route.go

+ 3
- 1
config/config.go View File

@ -2,8 +2,9 @@ package config
import (
"encoding/json"
log "github.com/gophish/gophish/logger"
"io/ioutil"
log "github.com/gophish/gophish/logger"
)
// AdminServer represents the Admin server configuration details
@ -12,6 +13,7 @@ type AdminServer struct {
UseTLS bool `json:"use_tls"`
CertPath string `json:"cert_path"`
KeyPath string `json:"key_path"`
CSRFKey string `json:"csrf_key"`
}
// PhishServer represents the Phish server configuration details
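Review bot: The new `CSRFKey` field in `AdminServer` has no comment, and it is the only field in the visible part of this struct that holds a secret rather than a path or a flag. I would document it in place, e.g. `// CSRFKey is the optional key used to authenticate CSRF tokens. When empty, a random key is generated at startup, so instances behind a load balancer must share the same value.` Because the key now lives in the config file, the README or sample config should say that it must be a long random value and that the file must not be world-readable. Anything that logs or serializes the config struct would also expose it; this hunk does not show whether that happens, so it is worth checking. The struct definition starts above the hunk.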

+ 1
- 0
config/config_test.go View File

@ -62,6 +62,7 @@ func TestLoadConfig(t *testing.T) {
}
expectedConfig.MigrationsPath = expectedConfig.MigrationsPath + expectedConfig.DBName
expectedConfig.TestFlag = false
expectedConfig.AdminConf.CSRFKey = ""
if !reflect.DeepEqual(expectedConfig, conf) {
t.Fatalf("invalid config received. expected %#v got %#v", expectedConfig, conf)
}

+ 5
- 1
controllers/route.go View File

@ -138,7 +138,11 @@ func (as *AdminServer) registerRoutes() {
router.PathPrefix("/").Handler(http.FileServer(unindexed.Dir("./static/")))
// Setup CSRF Protection
csrfHandler := csrf.Protect([]byte(util.GenerateSecureKey()),
csrfKey := []byte(as.config.CSRFKey)
if len(csrfKey) == 0 {
csrfKey = []byte(util.GenerateSecureKey())
}
csrfHandler := csrf.Protect(csrfKey,
csrf.FieldName("csrf_token"),
csrf.Secure(as.config.UseTLS))
adminHandler := csrfHandler(router)
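Review bot: A configured `csrf_key` is handed to `csrf.Protect` unchecked at `csrfKey := []byte(as.config.CSRFKey)`, so a short or guessable value in the config file silently becomes the key that authenticates the CSRF cookie. gorilla/csrf documents a 32-byte authentication key, so anything shorter should be rejected at startup rather than accepted, e.g. `if len(csrfKey) > 0 && len(csrfKey) < 32 { log.Fatal("csrf_key must be at least 32 bytes") }` (assuming the project logger is imported in this file, which the hunk does not show). Failing hard is preferable to falling back to the generated key, because a fallback would quietly break the multi-instance setup this option exists for. A one-line comment above the `if len(csrfKey) == 0` branch, saying that the generated key changes on every restart and is not shared between instances, would also help. `registerRoutes` starts and ends outside the hunk.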
