  • Add Trusted Origins to CSRF Handler (#2301)

    Enables the user to add addresses that they expect incoming connections
    to come from. Helpful in cases where TLS termination is handled by a
    load balancer upstream, rather than by the application itself.
  • Mark Cabanero committed with GitHub 2 years ago
    78e9a511
    1 parent 3863ad31
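--- a/config/config.go
+++ b/config/config.go
@@ -15,6 +15,7 @@
 	KeyPath string `json:"key_path"`
 	CSRFKey string `json:"csrf_key"`
 	AllowedInternalHosts []string `json:"allowed_internal_hosts"`
+	TrustedOrigins []string `json:"trusted_origins"`
 }
 
 // PhishServer represents the Phish server configuration details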
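Review bot: The new `TrustedOrigins` field on line 18 has no comment saying what shape its entries take, and since every entry widens the admin CSRF Referer check, operators need that to avoid writing something that silently never matches or matches too broadly. Suggest `// TrustedOrigins lists additional Referer hosts (host[:port], no scheme or path) that the admin CSRF check accepts besides the request's own origin; keep it to hosts you control.` The host[:port] shape is how I recall gorilla/csrf comparing these entries against the Referer host — confirm against the library version pinned in go.mod. The enclosing struct starts above this hunk.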
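--- a/config.json
+++ b/config.json
@@ -3,7 +3,8 @@
   "listen_url": "127.0.0.1:3333",
   "use_tls": true,
   "cert_path": "gophish_admin.crt",
-  "key_path": "gophish_admin.key"
+  "key_path": "gophish_admin.key",
+  "trusted_origins": []
   },
   "phish_server": {
   "listen_url": "0.0.0.0:80",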
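--- a/controllers/route.go
+++ b/controllers/route.go
@@ -154,7 +154,8 @@
 	}
 	csrfHandler := csrf.Protect(csrfKey,
 	csrf.FieldName("csrf_token"),
-	csrf.Secure(as.config.UseTLS))
+	csrf.Secure(as.config.UseTLS),
+	csrf.TrustedOrigins(as.config.TrustedOrigins))
 	adminHandler := csrfHandler(router)
 	adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders)
 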
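Review bot: On line 158 the configured list is handed to `csrf.TrustedOrigins` verbatim with no normalization or validation, so an entry carrying a scheme, path or surrounding whitespace will never match and the feature will look broken, while an entry naming a host the operator does not control weakens the CSRF check for every admin request. Suggest validating the list once where the handler is built — trim whitespace, reject entries containing `/` or `://`, and log the effective list — so a misconfiguration is visible at startup rather than discovered as a mysterious 403 or a silently weakened check. The upstream-TLS deployment this option targets also leaves `csrf.Secure(as.config.UseTLS)` false, so the CSRF cookie is issued without the Secure attribute; that predates this change, but a comment beside the new option explaining the trade-off would help operators. The enclosing function starts and ends outside the hunk.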
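--- a/docker/run.sh
+++ b/docker/run.sh
@@ -25,6 +25,12 @@
 	'.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
 	cat config.json.tmp > config.json
 fi
+if [ -n "${ADMIN_TRUSTED_ORIGINS+set}" ] ; then
+	jq -r \
+	--arg ADMIN_TRUSTED_ORIGINS "${ADMIN_TRUSTED_ORIGINS}" \
+	'.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS|split(","))' config.json > config.json.tmp && \
+	cat config.json.tmp > config.json
+fi
 
 # set config for phish_server
 if [ -n "${PHISH_LISTEN_URL+set}" ] ; then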
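Review bot: The `split(",")` on line 31 passes its pieces through untrimmed and unfiltered, so a value such as `a.example.com, b.example.com` or one with a trailing comma produces entries like `" b.example.com"` or `""` that can never match a Referer host, and the operator gets no hint why the origin is still rejected. Suggest `'.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS | split(",") | map(gsub("^\\s+|\\s+$"; "")) | map(select(length > 0)))'` so whitespace is stripped and empty pieces dropped before they reach the config. It would also help to document the expected format (comma-separated `host[:port]`, no scheme) next to the other `ADMIN_*` variables wherever those are described.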