Package: golang-github-gorilla-csrf / 1.7.2+ds1-2

Metadata

Package Version Patches format
golang-github-gorilla-csrf 1.7.2+ds1-2 3.0 (quilt)

Patch series

Patch File delta Description
0001 Avoid non recoverable panic in test.patch

helpers_test.go | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 avoid non-recoverable panic in test

Since go 1.24 crypto/rand throws a non-recoverable fatal error when it
fails to read random data, so this test needs to be disabled.
See https://go.dev/issue/66821

CVE 2025 24358.patch

csrf.go | 89 75 + 14 - 0 !
csrf_test.go | 325 224 + 101 - 0 !
helpers_test.go | 24 8 + 16 - 0 !
3 files changed, 307 insertions(+), 131 deletions(-)

 merge commit from fork

* csrf: use context to determine TLS state

r.URL.Scheme is never populated for "server" requests, and so the
referer check never runs.

Instead we now ask the caller application to signal this explicitly via
request context, and then enforce the check accordingly.

Separately, browsers do not always send the full URL as a Referer,
especially in the same-origin context meaning we cannot compare its host
against our trusted origin list. If the referer does not contain a host
we populate r.URL.Host with r.Host which is expected to be sent by all
clients as the first header of their request.

Add tests against the Origin header before attempting to enforce
same-origin restrictions using the Referer header.

Matching the Django CSRF behavior: if the Origin is present in either
the cleartext or TLS case we will evaluate it.

IFF we are in TLS and we have no Origin we will evaluate the Referer
against the allowlist. In doing so we take care to permit "path only"
Referers that are sent in same-origin context.

* add csrf.TLSRequest helper API to set request TLS context

Add a csrf.TLSRequest public API method that sets the appropriate TLS
context key and signals to the middleware the need to run the
additional Referer checks.

* Enable Referer-based origin checks by default

Reverse the default position and presume that the server is using
TLS either directly or via an upstream proxy and require the user to
explicitly disable referer-based checks.

This safe default means that users that upgrade the library without
making any other code changes will benefit from the Referer checks that
they thought were active already. Without this change we risk that some
codebases will mistakenly remain vulnerable even while using a patched
version of the library.
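The Origin-then-Referer ordering and the TLS-context signal described in the commit message above, as an added Go example that is not gorilla/csrf's own code: the context key, the TLSRequest and originAllowed names, the trusted-host list and the r.Host fallback for path-only Referers are all illustrative assumptions modelled on the message, not the library's API.

```go
package main

import (
	"context"
	"net/http"
	"net/url"
	"slices"
)

// ctxKey and tlsKey are hypothetical stand-ins for the TLS context key the
// commit message says csrf.TLSRequest sets.
type ctxKey int
const tlsKey ctxKey = 0

// TLSRequest marks r as served over TLS, directly or behind a TLS-terminating proxy.
func TLSRequest(r *http.Request) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), tlsKey, true))
}

// hostAllowed reports whether the host in raw is r.Host or a trusted origin.
// pathOnlyOK enables the Referer-only rule: a header with no host is treated as
// same-origin and given r.Host. Origin is never path-only, so for it a missing
// host (for example the value "null") is rejected.
func hostAllowed(r *http.Request, raw string, trusted []string, pathOnlyOK bool) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Host == "" {
		if !pathOnlyOK {
			return false
		}
		u.Host = r.Host
	}
	return u.Host == r.Host || slices.Contains(trusted, u.Host)
}

// originAllowed applies the order from the commit message: an Origin header is
// always evaluated; with no Origin, the Referer is evaluated only under TLS,
// and a TLS request carrying neither header is rejected.
func originAllowed(r *http.Request, trusted []string) bool {
	if o := r.Header.Get("Origin"); o != "" {
		return hostAllowed(r, o, trusted, false)
	}
	if isTLS, _ := r.Context().Value(tlsKey).(bool); !isTLS {
		return true // cleartext request without Origin: no Referer check is made
	}
	ref := r.Header.Get("Referer")
	return ref != "" && hostAllowed(r, ref, trusted, true)
}
```

A request that passes originAllowed would still need the library's token check; this block only models the origin gate that the CVE fix reorders.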