Disable CSRF token check for HTTP git pull
Git pull uses a POST request, which is treated as a write request and the CSRF token is checked. However, no modification to the server is made by git pulls, as far as I know (actually I'm not sure why it uses a POST). The entire response is handled by the git command, and the client side is usually the git command running in the terminal, there's no session and no cookies (as far as I know). So I'm just disabling CSRF token checking for this route.
This commit is contained in:
parent
c420b8d8ea
commit
a1d0b8402e
1 changed files with 14 additions and 3 deletions
|
@ -109,10 +109,21 @@ instance Yesod App where
|
|||
-- a) Sets a cookie with a CSRF token in it.
|
||||
-- b) Validates that incoming write requests include that token in either a header or POST parameter.
|
||||
-- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package.
|
||||
yesodMiddleware =
|
||||
defaultCsrfMiddleware .
|
||||
yesodMiddleware
|
||||
-- sslOnlyMiddleware 120 .
|
||||
defaultYesodMiddleware
|
||||
= defaultCsrfSetCookieMiddleware
|
||||
. (\ handler ->
|
||||
csrfCheckMiddleware
|
||||
handler
|
||||
(getCurrentRoute >>= \ mr -> case mr of
|
||||
Nothing -> return False
|
||||
Just (GitUploadRequestR _ _) -> return False
|
||||
Just r -> isWriteRequest r
|
||||
)
|
||||
defaultCsrfHeaderName
|
||||
defaultCsrfParamName
|
||||
)
|
||||
. defaultYesodMiddleware
|
||||
|
||||
defaultLayout widget = do
|
||||
master <- getYesod
|
||||
|
|
Loading…
Reference in a new issue