e01a181eda
Use hookgen for simple_forum_check_pre_perms. Optimise panelUserCheck()'s addPreScript() Reduce allocs slightly for PreRoute() host IP setting. Reorder error check in NoSessionMismatch() for faster failure. Reorder error check in NoUploadSessionMismatch() for faster failure. Reduce boilerplate.
571 lines
17 KiB
Go
571 lines
17 KiB
Go
package common
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"html"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"os"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/Azareal/Gosora/common/phrases"
|
|
"github.com/Azareal/Gosora/uutils"
|
|
)
|
|
|
|
// nolint
|
|
var PreRoute func(http.ResponseWriter, *http.Request) (User, bool) = preRoute
|
|
|
|
// TODO: Come up with a better middleware solution
|
|
// nolint We need these types so people can tell what they are without scrolling to the bottom of the file
|
|
var PanelUserCheck func(http.ResponseWriter, *http.Request, *User) (*Header, PanelStats, RouteError) = panelUserCheck
|
|
var SimplePanelUserCheck func(http.ResponseWriter, *http.Request, *User) (*HeaderLite, RouteError) = simplePanelUserCheck
|
|
var SimpleForumUserCheck func(w http.ResponseWriter, r *http.Request, u *User, fid int) (headerLite *HeaderLite, err RouteError) = simpleForumUserCheck
|
|
var ForumUserCheck func(h *Header, w http.ResponseWriter, r *http.Request, u *User, fid int) (err RouteError) = forumUserCheck
|
|
var SimpleUserCheck func(w http.ResponseWriter, r *http.Request, u *User) (headerLite *HeaderLite, err RouteError) = simpleUserCheck
|
|
var UserCheck func(w http.ResponseWriter, r *http.Request, u *User) (h *Header, err RouteError) = userCheck
|
|
var UserCheckNano func(w http.ResponseWriter, r *http.Request, u *User, nano int64) (h *Header, err RouteError) = userCheck2
|
|
|
|
func simpleForumUserCheck(w http.ResponseWriter, r *http.Request, u *User, fid int) (h *HeaderLite, rerr RouteError) {
|
|
h, rerr = SimpleUserCheck(w, r, u)
|
|
if rerr != nil {
|
|
return h, rerr
|
|
}
|
|
if !Forums.Exists(fid) {
|
|
return nil, PreError("The target forum doesn't exist.", w, r)
|
|
}
|
|
|
|
// Is there a better way of doing the skip AND the success flag on this hook like multiple returns?
|
|
/*skip, rerr := h.Hooks.VhookSkippable("simple_forum_check_pre_perms", w, r, u, &fid, h)
|
|
if skip || rerr != nil {
|
|
return h, rerr
|
|
}*/
|
|
skip, rerr := H_simple_forum_check_pre_perms_hook(h.Hooks, w, r, u, &fid, h)
|
|
if skip || rerr != nil {
|
|
return h, rerr
|
|
}
|
|
|
|
fp, err := FPStore.Get(fid, u.Group)
|
|
if err == ErrNoRows {
|
|
fp = BlankForumPerms()
|
|
} else if err != nil {
|
|
return h, InternalError(err, w, r)
|
|
}
|
|
cascadeForumPerms(fp, u)
|
|
return h, nil
|
|
}
|
|
|
|
func forumUserCheck(h *Header, w http.ResponseWriter, r *http.Request, u *User, fid int) (rerr RouteError) {
|
|
if !Forums.Exists(fid) {
|
|
return NotFound(w, r, h)
|
|
}
|
|
|
|
/*skip, rerr := h.Hooks.VhookSkippable("forum_check_pre_perms", w, r, u, &fid, h)
|
|
if skip || rerr != nil {
|
|
return rerr
|
|
}*/
|
|
/*skip, rerr := VhookSkippableTest(h.Hooks, "forum_check_pre_perms", w, r, u, &fid, h)
|
|
if skip || rerr != nil {
|
|
return rerr
|
|
}*/
|
|
skip, rerr := H_forum_check_pre_perms_hook(h.Hooks, w, r, u, &fid, h)
|
|
if skip || rerr != nil {
|
|
return rerr
|
|
}
|
|
|
|
fp, err := FPStore.Get(fid, u.Group)
|
|
if err == ErrNoRows {
|
|
fp = BlankForumPerms()
|
|
} else if err != nil {
|
|
return InternalError(err, w, r)
|
|
}
|
|
cascadeForumPerms(fp, u)
|
|
h.CurrentUser = u // TODO: Use a pointer instead for CurrentUser, so we don't have to do this
|
|
return rerr
|
|
}
|
|
|
|
// TODO: Put this on the user instance? Do we really want forum specific logic in there? Maybe, a method which spits a new pointer with the same contents as user?
|
|
func cascadeForumPerms(fp *ForumPerms, u *User) {
|
|
if fp.Overrides && !u.IsSuperAdmin {
|
|
u.Perms.ViewTopic = fp.ViewTopic
|
|
u.Perms.LikeItem = fp.LikeItem
|
|
u.Perms.CreateTopic = fp.CreateTopic
|
|
u.Perms.EditTopic = fp.EditTopic
|
|
u.Perms.DeleteTopic = fp.DeleteTopic
|
|
u.Perms.CreateReply = fp.CreateReply
|
|
u.Perms.EditReply = fp.EditReply
|
|
u.Perms.DeleteReply = fp.DeleteReply
|
|
u.Perms.PinTopic = fp.PinTopic
|
|
u.Perms.CloseTopic = fp.CloseTopic
|
|
u.Perms.MoveTopic = fp.MoveTopic
|
|
|
|
if len(fp.ExtData) != 0 {
|
|
for name, perm := range fp.ExtData {
|
|
u.PluginPerms[name] = perm
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Even if they have the right permissions, the control panel is only open to supermods+. There are many areas without subpermissions which assume that the current user is a supermod+ and admins are extremely unlikely to give these permissions to someone who isn't at-least a supermod to begin with
|
|
// TODO: Do a panel specific theme?
|
|
func panelUserCheck(w http.ResponseWriter, r *http.Request, u *User) (h *Header, stats PanelStats, rerr RouteError) {
|
|
theme := GetThemeByReq(r)
|
|
h = &Header{
|
|
Site: Site,
|
|
Settings: SettingBox.Load().(SettingMap),
|
|
//Themes: Themes,
|
|
ThemesSlice: ThemesSlice,
|
|
Theme: theme,
|
|
CurrentUser: u,
|
|
Hooks: GetHookTable(),
|
|
Zone: "panel",
|
|
Writer: w,
|
|
IsoCode: phrases.GetLangPack().IsoCode,
|
|
//StartedAt: time.Now(),
|
|
StartedAt: uutils.Nanotime(),
|
|
}
|
|
// TODO: We should probably initialise header.ExtData
|
|
// ? - Should we only show this in debug mode? It might be useful for detecting issues in production, if we show it there as-well
|
|
//if user.IsAdmin {
|
|
//h.StartedAt = time.Now()
|
|
//}
|
|
|
|
h.AddSheet(theme.Name + "/main.css")
|
|
h.AddSheet(theme.Name + "/panel.css")
|
|
if len(theme.Resources) > 0 {
|
|
rlist := theme.Resources
|
|
for _, res := range rlist {
|
|
if res.LocID == LocGlobal || res.LocID == LocPanel {
|
|
if res.Type == ResTypeSheet {
|
|
h.AddSheet(res.Name)
|
|
} else if res.Type == ResTypeScript {
|
|
if res.Async {
|
|
h.AddScriptAsync(res.Name)
|
|
} else {
|
|
h.AddScript(res.Name)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//h := w.Header()
|
|
//h.Set("Content-Security-Policy", "default-src 'self'")
|
|
|
|
// TODO: GDPR. Add a global control panel notice warning the admins of staff members who don't have 2FA enabled
|
|
stats.Users = Users.Count()
|
|
stats.Groups = Groups.Count()
|
|
stats.Forums = Forums.Count()
|
|
stats.Pages = Pages.Count()
|
|
stats.Settings = len(h.Settings)
|
|
stats.WordFilters = WordFilters.EstCount()
|
|
stats.Themes = len(Themes)
|
|
stats.Reports = 0 // TODO: Do the report count. Only show open threads?
|
|
|
|
addPreScript := func(name string, i int) {
|
|
// TODO: Optimise this by removing a superfluous string alloc
|
|
if theme.OverridenMap != nil {
|
|
//fmt.Printf("name %+v\n", name)
|
|
//fmt.Printf("theme.OverridenMap %+v\n", theme.OverridenMap)
|
|
if _, ok := theme.OverridenMap[name]; ok {
|
|
tname := "_" + theme.Name
|
|
//fmt.Printf("tname %+v\n", tname)
|
|
h.AddPreScriptAsync("tmpl_" + name + tname + ".js")
|
|
return
|
|
}
|
|
}
|
|
//fmt.Printf("tname %+v\n", tname)
|
|
h.AddPreScriptAsync(ucstrs[i])
|
|
}
|
|
addPreScript("alert", 3)
|
|
addPreScript("notice", 4)
|
|
|
|
return h, stats, nil
|
|
}
|
|
|
|
func simplePanelUserCheck(w http.ResponseWriter, r *http.Request, u *User) (lite *HeaderLite, rerr RouteError) {
|
|
return SimpleUserCheck(w, r, u)
|
|
}
|
|
|
|
// SimpleUserCheck is back from the grave, yay :D
|
|
func simpleUserCheck(w http.ResponseWriter, r *http.Request, u *User) (lite *HeaderLite, rerr RouteError) {
|
|
return &HeaderLite{
|
|
Site: Site,
|
|
Settings: SettingBox.Load().(SettingMap),
|
|
Hooks: GetHookTable(),
|
|
}, nil
|
|
}
|
|
|
|
func GetThemeByReq(r *http.Request) *Theme {
|
|
theme := &Theme{Name: ""}
|
|
cookie, e := r.Cookie("current_theme")
|
|
if e == nil {
|
|
inTheme, ok := Themes[html.EscapeString(cookie.Value)]
|
|
if ok && !theme.HideFromThemes {
|
|
theme = inTheme
|
|
}
|
|
}
|
|
if theme.Name == "" {
|
|
theme = Themes[DefaultThemeBox.Load().(string)]
|
|
}
|
|
return theme
|
|
}
|
|
|
|
func userCheck(w http.ResponseWriter, r *http.Request, u *User) (h *Header, rerr RouteError) {
|
|
return userCheck2(w, r, u, uutils.Nanotime())
|
|
}
|
|
|
|
// TODO: Add the ability for admins to restrict certain themes to certain groups?
|
|
// ! Be careful about firing errors off here as CustomError uses this
|
|
func userCheck2(w http.ResponseWriter, r *http.Request, u *User, nano int64) (h *Header, rerr RouteError) {
|
|
theme := GetThemeByReq(r)
|
|
h = &Header{
|
|
Site: Site,
|
|
Settings: SettingBox.Load().(SettingMap),
|
|
//Themes: Themes,
|
|
ThemesSlice: ThemesSlice,
|
|
Theme: theme,
|
|
CurrentUser: u, // ! Some things rely on this being a pointer downstream from this function
|
|
Hooks: GetHookTable(),
|
|
Zone: ucstrs[0],
|
|
Writer: w,
|
|
IsoCode: phrases.GetLangPack().IsoCode,
|
|
StartedAt: nano,
|
|
}
|
|
// TODO: Optimise this by avoiding accessing a map string index
|
|
if !u.Loggedin {
|
|
h.GoogSiteVerify = h.Settings["google_site_verify"].(string)
|
|
}
|
|
|
|
if u.IsBanned {
|
|
h.AddNotice("account_banned")
|
|
}
|
|
if u.Loggedin && !u.Active {
|
|
h.AddNotice("account_inactive")
|
|
}
|
|
/*h.Scripts, _ = StrSlicePool.Get().([]string)
|
|
if h.Scripts != nil {
|
|
h.Scripts = h.Scripts[:0]
|
|
}
|
|
h.PreScriptsAsync, _ = StrSlicePool.Get().([]string)
|
|
if h.PreScriptsAsync != nil {
|
|
h.PreScriptsAsync = h.PreScriptsAsync[:0]
|
|
}*/
|
|
|
|
// An optimisation so we don't populate StartedAt for users who shouldn't see the stat anyway
|
|
// ? - Should we only show this in debug mode? It might be useful for detecting issues in production, if we show it there as-well
|
|
//if u.IsAdmin {
|
|
//h.StartedAt = time.Now()
|
|
//}
|
|
|
|
//PrepResources(u,h,theme)
|
|
return h, nil
|
|
}
|
|
|
|
func PrepResources(u *User, h *Header, theme *Theme) {
|
|
h.AddSheet(theme.Name + "/main.css")
|
|
|
|
if len(theme.Resources) > 0 {
|
|
rlist := theme.Resources
|
|
for _, res := range rlist {
|
|
if res.Loggedin && !u.Loggedin {
|
|
continue
|
|
}
|
|
if res.LocID == LocGlobal || res.LocID == LocFront {
|
|
if res.Type == ResTypeSheet {
|
|
h.AddSheet(res.Name)
|
|
} else if res.Type == ResTypeScript {
|
|
if res.Async {
|
|
h.AddScriptAsync(res.Name)
|
|
} else {
|
|
h.AddScript(res.Name)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
addPreScript := func(name string, i int) {
|
|
// TODO: Optimise this by removing a superfluous string alloc
|
|
if theme.OverridenMap != nil {
|
|
//fmt.Printf("name %+v\n", name)
|
|
//fmt.Printf("theme.OverridenMap %+v\n", theme.OverridenMap)
|
|
if _, ok := theme.OverridenMap[name]; ok {
|
|
tname := "_" + theme.Name
|
|
//fmt.Printf("tname %+v\n", tname)
|
|
h.AddPreScriptAsync("tmpl_" + name + tname + ".js")
|
|
return
|
|
}
|
|
}
|
|
//fmt.Printf("tname %+v\n", tname)
|
|
h.AddPreScriptAsync(ucstrs[i])
|
|
}
|
|
addPreScript("topics_topic", 1)
|
|
addPreScript("paginator", 2)
|
|
addPreScript("alert", 3)
|
|
addPreScript("notice", 4)
|
|
if u.Loggedin {
|
|
addPreScript("topic_c_edit_post", 5)
|
|
addPreScript("topic_c_attach_item", 6)
|
|
addPreScript("topic_c_poll_input", 7)
|
|
}
|
|
}
|
|
|
|
func pstr(name string) string {
|
|
return "tmpl_" + name + ".js"
|
|
}
|
|
|
|
var ucstrs = [...]string{
|
|
"frontend",
|
|
|
|
pstr("topics_topic"),
|
|
pstr("paginator"),
|
|
pstr("alert"),
|
|
pstr("notice"),
|
|
|
|
pstr("topic_c_edit_post"),
|
|
pstr("topic_c_attach_item"),
|
|
pstr("topic_c_poll_input"),
|
|
}
|
|
|
|
func preRoute(w http.ResponseWriter, r *http.Request) (User, bool) {
|
|
userptr, halt := Auth.SessionCheck(w, r)
|
|
if halt {
|
|
return *userptr, false
|
|
}
|
|
var usercpy *User = BlankUser()
|
|
*usercpy = *userptr
|
|
usercpy.Init() // TODO: Can we reduce the amount of work we do here?
|
|
|
|
// TODO: Add a config setting to disable this header
|
|
// TODO: Have this header cover more things
|
|
if Config.SslSchema {
|
|
w.Header().Set("Content-Security-Policy", "upgrade-insecure-requests")
|
|
}
|
|
|
|
// TODO: WIP. Refactor this to eliminate the unnecessary query
|
|
// TODO: Better take proxies into consideration
|
|
if !Config.DisableIP {
|
|
var host string
|
|
// TODO: Prefer Cf-Connecting-Ip header, fewer shenanigans
|
|
if Site.HasProxy {
|
|
// TODO: Check the right-most IP, might get tricky with multiple proxies, maybe have a setting for the number of hops we jump through
|
|
xForwardedFor := r.Header.Get("X-Forwarded-For")
|
|
if xForwardedFor != "" {
|
|
forwardedFor := strings.Split(xForwardedFor, ",")
|
|
// TODO: Check if this is a valid IP Address, reject if not
|
|
host = forwardedFor[len(forwardedFor)-1]
|
|
}
|
|
}
|
|
|
|
if host == "" {
|
|
var e error
|
|
host, _, e = net.SplitHostPort(r.RemoteAddr)
|
|
if e != nil {
|
|
_ = PreError("Bad IP", w, r)
|
|
return *usercpy, false
|
|
}
|
|
}
|
|
|
|
if !Config.DisableLastIP && usercpy.Loggedin && host != usercpy.GetIP() {
|
|
mon := time.Now().Month()
|
|
e := usercpy.UpdateIP(strconv.Itoa(int(mon)) + "-" + host)
|
|
if e != nil {
|
|
_ = InternalError(e, w, r)
|
|
return *usercpy, false
|
|
}
|
|
}
|
|
usercpy.LastIP = host
|
|
}
|
|
|
|
return *usercpy, true
|
|
}
|
|
|
|
func UploadAvatar(w http.ResponseWriter, r *http.Request, u *User, tuid int) (ext string, ferr RouteError) {
|
|
// We don't want multiple files
|
|
// TODO: Are we doing this correctly?
|
|
filenameMap := make(map[string]bool)
|
|
for _, fheaders := range r.MultipartForm.File {
|
|
for _, hdr := range fheaders {
|
|
if hdr.Filename == "" {
|
|
continue
|
|
}
|
|
filenameMap[hdr.Filename] = true
|
|
}
|
|
}
|
|
if len(filenameMap) > 1 {
|
|
return "", LocalError("You may only upload one avatar", w, r, u)
|
|
}
|
|
|
|
for _, fheaders := range r.MultipartForm.File {
|
|
for _, hdr := range fheaders {
|
|
if hdr.Filename == "" {
|
|
continue
|
|
}
|
|
inFile, err := hdr.Open()
|
|
if err != nil {
|
|
return "", LocalError("Upload failed", w, r, u)
|
|
}
|
|
defer inFile.Close()
|
|
|
|
if ext == "" {
|
|
extarr := strings.Split(hdr.Filename, ".")
|
|
if len(extarr) < 2 {
|
|
return "", LocalError("Bad file", w, r, u)
|
|
}
|
|
ext = extarr[len(extarr)-1]
|
|
|
|
// TODO: Can we do this without a regex?
|
|
reg, err := regexp.Compile("[^A-Za-z0-9]+")
|
|
if err != nil {
|
|
return "", LocalError("Bad file extension", w, r, u)
|
|
}
|
|
ext = reg.ReplaceAllString(ext, "")
|
|
ext = strings.ToLower(ext)
|
|
|
|
if !ImageFileExts.Contains(ext) {
|
|
return "", LocalError("You can only use an image for your avatar", w, r, u)
|
|
}
|
|
}
|
|
|
|
// TODO: Centralise this string, so we don't have to change it in two different places when it changes
|
|
outFile, err := os.Create("./uploads/avatar_" + strconv.Itoa(tuid) + "." + ext)
|
|
if err != nil {
|
|
return "", LocalError("Upload failed [File Creation Failed]", w, r, u)
|
|
}
|
|
defer outFile.Close()
|
|
|
|
_, err = io.Copy(outFile, inFile)
|
|
if err != nil {
|
|
return "", LocalError("Upload failed [Copy Failed]", w, r, u)
|
|
}
|
|
}
|
|
}
|
|
if ext == "" {
|
|
return "", LocalError("No file", w, r, u)
|
|
}
|
|
return ext, nil
|
|
}
|
|
|
|
func ChangeAvatar(path string, w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
e := u.ChangeAvatar(path)
|
|
if e != nil {
|
|
return InternalError(e, w, r)
|
|
}
|
|
|
|
// Clean up the old avatar data, so we don't end up with too many dead files in /uploads/
|
|
if len(u.RawAvatar) > 2 {
|
|
if u.RawAvatar[0] == '.' && u.RawAvatar[1] == '.' {
|
|
e := os.Remove("./uploads/avatar_" + strconv.Itoa(u.ID) + "_tmp" + u.RawAvatar[1:])
|
|
if e != nil && !os.IsNotExist(e) {
|
|
LogWarning(e)
|
|
return LocalError("Something went wrong", w, r, u)
|
|
}
|
|
e = os.Remove("./uploads/avatar_" + strconv.Itoa(u.ID) + "_w48" + u.RawAvatar[1:])
|
|
if e != nil && !os.IsNotExist(e) {
|
|
LogWarning(e)
|
|
return LocalError("Something went wrong", w, r, u)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SuperAdminOnly makes sure that only super admin can access certain critical panel routes
|
|
func SuperAdminOnly(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if !u.IsSuperAdmin {
|
|
return NoPermissions(w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// AdminOnly makes sure that only admins can access certain panel routes
|
|
func AdminOnly(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if !u.IsAdmin {
|
|
return NoPermissions(w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SuperModeOnly makes sure that only super mods or higher can access the panel routes
|
|
func SuperModOnly(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if !u.IsSuperMod {
|
|
return NoPermissions(w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// MemberOnly makes sure that only logged in users can access this route
|
|
func MemberOnly(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if !u.Loggedin {
|
|
return LoginRequired(w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// NoBanned stops any banned users from accessing this route
|
|
func NoBanned(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if u.IsBanned {
|
|
return Banned(w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func ParseForm(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if e := r.ParseForm(); e != nil {
|
|
return LocalError("Bad Form", w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func NoSessionMismatch(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if e := r.ParseForm(); e != nil {
|
|
return LocalError("Bad Form", w, r, u)
|
|
}
|
|
if len(u.Session) == 0 {
|
|
return SecurityError(w, r, u)
|
|
}
|
|
// TODO: Try to eliminate some of these allocations
|
|
sess := []byte(u.Session)
|
|
if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
|
|
return SecurityError(w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func ReqIsJson(r *http.Request) bool {
|
|
return r.Header.Get("Content-type") == "application/json"
|
|
}
|
|
|
|
func HandleUploadRoute(w http.ResponseWriter, r *http.Request, u *User, maxFileSize int) RouteError {
|
|
// TODO: Reuse this code more
|
|
if r.ContentLength > int64(maxFileSize) {
|
|
size, unit := ConvertByteUnit(float64(maxFileSize))
|
|
return CustomError("Your upload is too big. Your files need to be smaller than "+strconv.Itoa(int(size))+unit+".", http.StatusExpectationFailed, "Error", w, r, nil, u)
|
|
}
|
|
r.Body = http.MaxBytesReader(w, r.Body, r.ContentLength)
|
|
|
|
e := r.ParseMultipartForm(int64(Megabyte))
|
|
if e != nil {
|
|
return LocalError("Bad Form", w, r, u)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func NoUploadSessionMismatch(w http.ResponseWriter, r *http.Request, u *User) RouteError {
|
|
if len(u.Session) == 0 {
|
|
return SecurityError(w, r, u)
|
|
}
|
|
// TODO: Try to eliminate some of these allocations
|
|
sess := []byte(u.Session)
|
|
if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
|
|
return SecurityError(w, r, u)
|
|
}
|
|
return nil
|
|
}
|