go.mod: bump gorilla/csrf for security fix (#14822)

For 9dd6af1f6d Update client/web and safeweb to correctly signal to the csrf middleware whether the request is being served over TLS. This determines whether Origin and Referer header checks are strictly enforced. The gorilla library previously did not enforce these checks due to a logic bug based on erroneous use of the net/http.Request API. The patch to fix this also inverts the library behavior to presume that every request is being served over TLS, necessitating these changes. Updates tailscale/corp#25340 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com> Co-authored-by: Patrick O'Doherty <patrick@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2025-01-29 20:44:01 +00:00
parent b60f6b849a
commit 8bd04bdd3a
4 changed files with 22 additions and 6 deletions
--- a/safeweb/http.go
+++ b/safeweb/http.go
@@ -318,6 +318,12 @@ func checkHandlerType(apiPattern, browserPattern string) handlerType {
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// if we are not in a secure context, signal to the CSRF middleware that
+	// TLS-only header checks should be skipped
+	if !s.Config.SecureContext {
+		r = csrf.PlaintextHTTPRequest(r)
+	}
+
 	_, bp := s.BrowserMux.Handler(r)
 	_, ap := s.APIMux.Handler(r)
 	switch {