Disable CSRF token check for HTTP git pull

Git pull uses a POST request, which is treated as a write request and the CSRF
token is checked. However, no modification to the server is made by git pulls,
as far as I know (actually I'm not sure why it uses a POST). The entire
response is handled by the git command, and the client side is usually the git
command running in the terminal; there's no session and no cookies (as far as I
know). So I'm just disabling CSRF token checking for this route.
This commit is contained in:
fr33domlover 2018-07-01 15:04:33 +00:00
parent c420b8d8ea
commit a1d0b8402e

@ -109,10 +109,21 @@ instance Yesod App where
-- a) Sets a cookie with a CSRF token in it. -- a) Sets a cookie with a CSRF token in it.
-- b) Validates that incoming write requests include that token in either a header or POST parameter. -- b) Validates that incoming write requests include that token in either a header or POST parameter.
-- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package. -- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package.
yesodMiddleware = yesodMiddleware
defaultCsrfMiddleware .
-- sslOnlyMiddleware 120 . -- sslOnlyMiddleware 120 .
defaultYesodMiddleware = defaultCsrfSetCookieMiddleware
. (\ handler ->
csrfCheckMiddleware
handler
(getCurrentRoute >>= \ mr -> case mr of
Nothing -> return False
Just (GitUploadRequestR _ _) -> return False
Just r -> isWriteRequest r
)
defaultCsrfHeaderName
defaultCsrfParamName
)
. defaultYesodMiddleware
defaultLayout widget = do defaultLayout widget = do
master <- getYesod master <- getYesod
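Review bot: the `Just (GitUploadRequestR _ _) -> return False` case exempts the route from the CSRF check without a comment saying why, and the comment block above it still states that incoming write requests are validated. Suggest a short comment on that case recording the assumption from the commit message (the handler changes nothing on the server and does not depend on the session cookie), because the exemption is only sound while that holds: if the handler for this route later reads the session or writes state, it would accept cross-site POSTs without a token. The `Nothing -> return False` case also skips the check for requests that match no route; a one-line comment there would make that choice explicit too.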