CSRF Failing due to Context.Request().URL not containing host #64
Comments
Thelvaen
changed the title
|
Note : I tried running it on my Windows 10 computer, and accessing it from other devices, and the issue is still the same. |
|
further test seems to pinpoint the issue with the "net/http" package package main
import (
"fmt"
"net/http"
)
func hello(w http.ResponseWriter, req *http.Request) {
fmt.Printf("request from : %s\n", req.RemoteAddr)
status := ""
if req.TLS == nil {
status = "not used"
} else {
status = "used"
}
fmt.Printf("TLS Status : %s\n", status)
fmt.Print("req.URL.Host : ")
fmt.Println(req.URL.Host)
fmt.Print("req.URL.Rawquery : ")
fmt.Println(req.URL.RawQuery)
}
func main() {
http.HandleFunc("/hello", hello)
go http.ListenAndServe("192.168.0.20:8080", nil)
http.ListenAndServeTLS("192.168.0.20:8090", "fullchain.pem", "privkey.pem", nil)
}and accessing the pages from a other device on my network: |
|
Note : I found that they had an old issue : golang/go#3805 for this on net/http, and yeah, they don't fill the request.URL parts, so I will try to provide a merge request fixing the behavior later today |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Hello,
After playing with CSRF & HTTPS, it seems that Context.Request().URL is not correctly filled, hence failing the referrer check at that line:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
We should get part of the URL depending on below schema:
scheme://host.domain:port/path/to/request
actually we're only getting the path part
/path/to/request
Screenshots
see attached screenshot if it helps
ctx.Request().URL showing the path
trying to query ctx.Request().URL.Host
Desktop (please complete the following information):
iris.Version
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: