From 5cdc0a39ac1454311a3dc9cd0a8ecc38e242fdcb Mon Sep 17 00:00:00 2001 From: Maximilian Tagher Date: Fri, 29 Dec 2017 23:44:08 -0500 Subject: [PATCH 1/3] Document whitelisting certain routes to not need CSRF protection This question came up on the #yesod Slack channel and I think it's moderately common; I've seen it elsewhere. --- yesod-core/Yesod/Core/Handler.hs | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs index 9a340803..e43ac25e 100644 --- a/yesod-core/Yesod/Core/Handler.hs +++ b/yesod-core/Yesod/Core/Handler.hs @@ -1464,6 +1464,23 @@ stripHandlerT (HandlerT f) getSub toMaster newRoute = HandlerT $ \hd -> do -- The form-based approach has the advantage of working for users with Javascript disabled, while adding the token to the headers with Javascript allows things like submitting JSON or binary data in AJAX requests. Yesod supports checking for a CSRF token in either the POST parameters of the form ('checkCsrfParamNamed'), the headers ('checkCsrfHeaderNamed'), or both options ('checkCsrfHeaderOrParam'). -- -- The easiest way to check both sources is to add the 'Yesod.Core.defaultCsrfMiddleware' to your Yesod Middleware. +-- +-- === Opting-out of CSRF checking for specific routes +-- +-- (Note: this code is generic to opting out of any Yesod middleware) +-- +-- @ +-- 'yesodMiddleware' app = do +-- maybeRoute <- 'getCurrentRoute' +-- let dontCheckCsrf = case maybeRoute of +-- Just HomeR -> True -- Don't check HomeR +-- Nothing -> True -- Don't check for 404s +-- _ -> False -- Check other routes +-- +-- 'defaultYesodMiddleware' $ 'defaultCsrfSetCookieMiddleware' $ (if dontCheckCsrf then 'id' else 'defaultCsrfCheckMiddleware') $ app +-- @ +-- +-- This can also be implemented using the 'csrfCheckMiddleware' function. -- | The default cookie name for the CSRF token ("XSRF-TOKEN"). -- From 7f6f1821e825281e8187c3d3cc06d469bf13c101 Mon Sep 17 00:00:00 2001 
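Review bot: The new "Opting-out" section never states the precondition for whitelisting a route, and the example exempts `HomeR` for every HTTP method, so a reader may copy it for a route whose handler changes state on behalf of a cookie-authenticated user, which is exactly the CSRF case the middleware exists to stop. I would add, before the code block: `-- Only exempt routes that do not rely on the session cookie for authorization (for example webhooks or API endpoints authenticated by a bearer token or request signature); an exempted route that performs a state change for a cookie-authenticated user is open to CSRF.` The `Nothing -> True -- Don't check for 404s` branch is presumably redundant if `defaultCsrfCheckMiddleware` already skips requests with no matched route, which is worth confirming and noting so it is not mistaken for a required safety step. The closing sentence could also say that `csrfCheckMiddleware`'s predicate argument is the place to express a per-route or per-method exemption instead of swapping the middleware for `id`. The Haddock section this hunk extends begins before the hunk.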
From: Janek Spaderna Date: Thu, 18 Jan 2018 12:00:46 +0100 Subject: [PATCH 2/3] [yesod] Fix comment for contentTypeTypes & simpler implementation In the implementation of contentTypeTypes make use of simpleContentType. --- yesod-core/Yesod/Core/Content.hs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/yesod-core/Yesod/Core/Content.hs b/yesod-core/Yesod/Core/Content.hs index 1313a1ea..0695cd50 100644 --- a/yesod-core/Yesod/Core/Content.hs +++ b/yesod-core/Yesod/Core/Content.hs @@ -78,6 +78,7 @@ import Yesod.Core.Types import Text.Lucius (Css, renderCss) import Text.Julius (Javascript, unJavascript) import Data.Word8 (_semicolon, _slash) +import Control.Arrow (second) -- | Zero-length enumerator. emptyContent :: Content @@ -228,13 +229,13 @@ typeOctet = "application/octet-stream" simpleContentType :: ContentType -> ContentType simpleContentType = fst . B.break (== _semicolon) --- Give just the media types as a pair. +-- | Give just the media types as a pair. +-- -- For example, \"text/html; charset=utf-8\" returns ("text", "html") contentTypeTypes :: ContentType -> (B.ByteString, B.ByteString) -contentTypeTypes ct = (main, fst $ B.break (== _semicolon) (tailEmpty sub)) +contentTypeTypes = second tailEmpty . B.break (== _slash) . simpleContentType where tailEmpty x = if B.null x then "" else B.tail x - (main, sub) = B.break (== _slash) ct instance HasContentType a => HasContentType (DontFullyEvaluate a) where getContentType = getContentType . liftM unDontFullyEvaluate From 492102537fdc2057b8865776a2ff55af344d366a Mon Sep 17 00:00:00 2001 From: Janek Spaderna Date: Thu, 18 Jan 2018 12:11:43 +0100 Subject: [PATCH 3/3] [yesod] Bump version & add changelog entry --- yesod-core/ChangeLog.md | 4 ++++ yesod-core/yesod-core.cabal | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md index 43266e77..cef7c582 100644 --- a/yesod-core/ChangeLog.md +++ b/yesod-core/ChangeLog.md 
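Review bot: The rewritten `contentTypeTypes` still returns the subtype with any optional whitespace before `;` attached, so `contentTypeTypes "text/html ; charset=utf-8"` yields `("text", "html ")`, because neither `simpleContentType` nor the `B.break (== _slash)` split trims it; callers comparing the subtype against a literal can miss a match. If byte-exact output is intended, the new Haddock should say so, e.g. `-- No whitespace trimming or case folding is performed; normalise before comparing.`, otherwise stripping trailing whitespace from both halves before returning is the fix. `tailEmpty` is `B.drop 1` for strict ByteStrings (`drop` on an empty string returns empty), so `contentTypeTypes = second (B.drop 1) . B.break (== _slash) . simpleContentType` removes the helper and the `where` clause. Note that splitting on `;` before `/` is observable for malformed inputs with a `;` ahead of the `/` (the old code split on `/` first); that is probably the better behaviour, but it is a change and not only a simplification.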
@@ -1,3 +1,7 @@ +## 1.4.37.3 + +* Fix Haddock comment & simplify implementation for `contentTypeTypes` [#1476](https://github.com/yesodweb/yesod/issues/1476) + ## 1.4.37.2 * Improve error messages for the CSRF checking functions [#1455](https://github.com/yesodweb/yesod/issues/1455) diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal index c1d6f8a8..c808eab0 100644 --- a/yesod-core/yesod-core.cabal +++ b/yesod-core/yesod-core.cabal @@ -1,5 +1,5 @@ name: yesod-core -version: 1.4.37.2 +version: 1.4.37.3 license: MIT license-file: LICENSE author: Michael Snoyman