harden CSRF check on deprecated acitvate policy API

This commit is contained in:
Ibrahim Serdar Acikgoz 2026-02-03 12:11:59 +01:00
parent 1ce45b59ba
commit 9f428fa218
2 changed files with 10 additions and 3 deletions


@ -11,6 +11,7 @@ import (
"github.com/mattermost/mattermost/server/public/model"
"github.com/mattermost/mattermost/server/public/shared/mlog"
"github.com/mattermost/mattermost/server/v8/channels/app"
)
func (api *API) InitAccessControlPolicy() {
@ -392,9 +393,11 @@ func updateActiveStatus(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// CSRF barrier: only allow header-based auth (reject cookie-only sessions)
if r.Header.Get(model.HeaderAuth) == "" {
c.SetInvalidParam("Authorization")
// CSRF barrier: only allow header-based auth (reject cookie sessions)
token, tokenLocation := app.ParseAuthTokenFromRequest(r)
if token == "" || tokenLocation == app.TokenLocationCookie {
c.Err = model.NewAppError("updateActiveStatus", "api.context.session_cookie_not_allowed.app_error", nil,
"This endpoint requires header-based authentication", http.StatusUnauthorized)
return
}
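Review bot: The new comment says "only allow header-based auth", but the condition rejects only `app.TokenLocationCookie`, so a token delivered any other way (a query-string token, if `ParseAuthTokenFromRequest` accepts one) still passes; if the intent is genuinely header-only, the allowlist form `if token == "" || tokenLocation != app.TokenLocationHeader {` matches the comment and fails closed for any location added later, otherwise the comment should say that only cookie sessions are rejected. The barrier also re-parses the token from the request even though the session on `c` was presumably established from that same token earlier in the request; if the context already records where the token came from, reusing it avoids two sources of truth that could drift. `updateActiveStatus` starts outside the hunk, so it is not visible here whether any state is read or mutated before this check runs.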


@ -1917,6 +1917,10 @@
"id": "api.context.session_expired.app_error",
"translation": "Invalid or expired session, please login again."
},
{
"id": "api.context.session_cookie_not_allowed.app_error",
"translation": "Cookie-based authentication is not allowed for this endpoint. Please use header-based authentication."
},
{
"id": "api.context.token_provided.app_error",
"translation": "Session is not OAuth but token was provided in the query string."