The current clean() replaces : with _ (colons are internally used as
separators).
This produce can produce same output for different inputs, for example
the user _foo_ can obtain valid tokens for user :foo:.
This CL replace colons with double colons instead of replacing them
with underscores.
Fixesgolang/go#34308
Change-Id: I3e4148a0836e62fda1a5f0ba32b375121368afd3
Reviewed-on: https://go-review.googlesource.com/c/net/+/196457
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Passing a zero length key (or secret) gives no safety against XSRF
attacks. This is a relatively easy mistake to make, e.g. by passing
`make([]byte, 0, 1024)` to `rand.Read` instead of `make([]byte, 1024)`,
and currently fails open, silently.
This uses panic, as the API does not allow returning a structured error,
and catching this programming error is not worth breaking API
compatibility. Passing a zero length secret is also not an error
condition that API callers would handle, so there is little value in
returning a proper error.
Change-Id: Ib6457347675872188d51d2a220eee4b67900f79e
Reviewed-on: https://go-review.googlesource.com/42411
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Go policy has been single space after periods in comments for some time.
The copyright header template at:
https://golang.org/doc/contribute.html#copyright
also uses a single space.
Make them all consistent.
This CL was generated with:
perl -i -npe 's,^(// Copyright [0-9]+ The Go Authors\.) (All rights reserved\.)$,$1 $2,' $(git grep -l -E '^// Copyright [0-9]+ The Go Authors\. All rights reserved\.$')
Follows https://golang.org/cl/20111.
Change-Id: I66671dddf821f5dc027bc254e0196b3e3a2bdf3b
Reviewed-on: https://go-review.googlesource.com/32878
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This changes the behaviour of the XSRF tokens slightly:
- timestamps are rounded up to the nearest ms (not ns)
- the timestamp is appended to the taken after base64 encoding
Change-Id: Iaa32bd055bd76db77ef47f07b975e75c5ecaadf0
Reviewed-on: https://go-review.googlesource.com/17664
Reviewed-by: David Symonds <dsymonds@golang.org>
