feat:1、增加登录注册跨站请求伪造（CSRF）防护

2、移除上传图片默认的域名
pull/425/head
lifei6671 2018-11-14 12:02:52 +08:00
parent c666fcbed8
commit 27d42d194c
6 changed files with 41 additions and 12 deletions


@ -234,10 +234,8 @@ func URLForWithCdnImage(p string) string {
cdn := beego.AppConfig.DefaultString("cdnimg", "")
//如果没有设置cdn则使用baseURL拼接
if cdn == "" {
baseUrl := beego.AppConfig.DefaultString("baseurl", "")
if baseUrl == "" {
baseUrl = BaseUrl
}
baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
return baseUrl + p[1:]
}
@ -267,10 +265,8 @@ func URLForWithCdnCss(p string, v ...string) string {
}
//如果没有设置cdn则使用baseURL拼接
if cdn == "" {
baseUrl := beego.AppConfig.DefaultString("baseurl", "")
if baseUrl == "" {
baseUrl = BaseUrl
}
baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
return baseUrl + p[1:]
}
@ -302,10 +298,8 @@ func URLForWithCdnJs(p string, v ...string) string {
//如果没有设置cdn则使用baseURL拼接
if cdn == "" {
baseUrl := beego.AppConfig.DefaultString("baseurl", "")
if baseUrl == "" {
baseUrl = BaseUrl
}
baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
return baseUrl + p[1:]
}
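Review bot: With the new default of "/", the join at `return baseUrl + p[1:]` returns p unchanged, so if p can ever carry a stored value such as `//attacker.example/x.png`, the page now emits a protocol-relative URL pointing off-site, whereas the removed `BaseUrl` fallback put a host in front of it. Whether p is user-supplied is not visible here, but the same branch appears in all three functions (image, css, js); normalizing before the join, e.g. `p = "/" + strings.TrimLeft(p, "/")`, closes it in each. The three copies of the baseurl lookup could also be one helper so the next change lands in all of them at once. All three enclosing functions continue outside the hunks.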


@ -12,6 +12,7 @@ import (
"github.com/lifei6671/mindoc/conf"
"github.com/lifei6671/mindoc/models"
"github.com/lifei6671/mindoc/utils"
"html/template"
)
// AccountController 用户登录与注册
@ -19,9 +20,39 @@ type AccountController struct {
BaseController
}
func (c *AccountController) Prepare() {
c.BaseController.Prepare()
c.EnableXSRF = true
c.Data["xsrfdata"]=template.HTML(c.XSRFFormHTML())
if c.Ctx.Input.IsPost() {
token := c.Ctx.Input.Query("_xsrf")
if token == "" {
token = c.Ctx.Request.Header.Get("X-Xsrftoken")
}
if token == "" {
token = c.Ctx.Request.Header.Get("X-Csrftoken")
}
if token == "" {
if c.IsAjax() {
c.JsonResult(403,"非法请求")
} else {
c.ShowErrorPage(403, "非法请求")
}
}
xsrfToken := c.XSRFToken()
if xsrfToken != token {
if c.IsAjax() {
c.JsonResult(403,"非法请求")
} else {
c.ShowErrorPage(403, "非法请求")
}
}
}
}
// Login 用户登录
func (c *AccountController) Login() {
c.Prepare()
c.TplName = "account/login.tpl"
if member, ok := c.GetSession(conf.LoginSessionName).(models.Member); ok && member.MemberId > 0 {
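Review bot: The two 403 branches in `Prepare` do not `return`, so on an empty token execution continues to `xsrfToken := c.XSRFToken()`, fails the comparison again and writes a second 403 unless `JsonResult`/`ShowErrorPage` (defined outside this hunk) abort the request; add `return` after each error call, or fold the two cases into `if token == "" || token != c.XSRFToken() { ...; return }`. The check keys only on `IsPost()`, so any PUT/DELETE route on this controller, if one exists, is not covered. `Login` also calls `c.Prepare()` explicitly although beego already invokes Prepare before the action, so the token lookup and form HTML generation run twice — harmless, but worth dropping if that call is new. Login's body continues outside the hunk.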


@ -34,6 +34,7 @@
<div class="row login">
<div class="login-body">
<form role="form" method="post" id="findPasswordForm">
{{ .xsrfdata }}
<h3 class="text-center">找回密码</h3>
<div class="form-group">
<div class="input-group">
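Review bot: `{{ .xsrfdata }}` is populated only by `AccountController.Prepare`; if this template is ever rendered from a handler that does not set it, the field renders empty and the POST is rejected with 403 by the new check rather than failing visibly, so a template comment stating the dependency would help, e.g. `{{/* requires .xsrfdata, set in AccountController.Prepare */}}`. The form has no `action`, so it posts back to the rendering URL; that handler must live under the same controller for the check to apply.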


@ -34,6 +34,7 @@
<div class="row login">
<div class="login-body">
<form role="form" method="post" id="findPasswordForm" action="{{urlfor "AccountController.ValidEmail"}}">
{{ .xsrfdata }}
<input type="hidden" name="token" value="{{.Token}}">
<input type="hidden" name="mail" value="{{.Email}}">
<h3 class="text-center">找回密码</h3>


@ -29,6 +29,7 @@
<div class="row login">
<div class="login-body">
<form role="form" method="post">
{{ .xsrfdata }}
<h3 class="text-center">用户登录</h3>
<div class="form-group">
<div class="input-group">


@ -34,6 +34,7 @@
<div class="row login">
<div class="login-body">
<form role="form" method="post" id="registerForm">
{{ .xsrfdata }}
<h3 class="text-center">用户注册</h3>
<div class="form-group">
<div class="input-group">