Backport #29205 (including #29172) Use a clearly defined "signing secret" for token signing.
This commit is contained in:
wxiaoguang
GitHub
parent
7ea2ffaf16
commit
511298e452
13 changed files with 130 additions and 70 deletions
|
|
@ -6,6 +6,7 @@ package context
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/hex"
|
||||
"html"
|
||||
"html/template"
|
||||
"io"
|
||||
|
|
@ -134,7 +135,7 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
|
|||
func Contexter() func(next http.Handler) http.Handler {
|
||||
rnd := templates.HTMLRenderer()
|
||||
csrfOpts := CsrfOptions{
|
||||
Secret: setting.SecretKey,
|
||||
Secret: hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
|
||||
Cookie: setting.CSRFCookieName,
|
||||
SetCookie: true,
|
||||
Secure: setting.SessionConfig.Secure,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue