path: root/control/controlhttp/controlhttpserver
author: Brad Fitzpatrick <bradfitz@tailscale.com> 2025-01-29 20:44:01 +0000
committer: GitHub <noreply@github.com> 2025-01-29 12:44:01 -0800
commit: 8bd04bdd3a6ceca64dfd04b49035cc16cbe2b2e1 (patch)
tree: 7fdff0af8715fd9ddcf60fd6d762ee3838f17c8b /control/controlhttp/controlhttpserver
parent: b60f6b849af1fae1cf343be98f7fb1714c9ea165 (diff)
download: tailscale-8bd04bdd3a6ceca64dfd04b49035cc16cbe2b2e1.tar.xz
download: tailscale-8bd04bdd3a6ceca64dfd04b49035cc16cbe2b2e1.zip
go.mod: bump gorilla/csrf for security fix (#14822)

For https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb

Update client/web and safeweb to correctly signal to the csrf middleware whether the request is being served over TLS. This determines whether Origin and Referer header checks are strictly enforced. The gorilla library previously did not enforce these checks due to a logic bug based on erroneous use of the net/http.Request API. The patch to fix this also inverts the library behavior to presume that every request is being served over TLS, necessitating these changes.

Updates tailscale/corp#25340

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Co-authored-by: Patrick O'Doherty <patrick@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver')
0 files changed, 0 insertions, 0 deletions
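
The following is an added example, not code from this commit or from gorilla/csrf. It shows why a server-side TLS check built on the wrong `net/http.Request` field silently disables anything gated on it. The function names are hypothetical, and the use of `r.URL.Scheme` as the erroneous check is an assumption about the bug the commit message refers to.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// buggyIsTLS is an assumed form of the erroneous check: for requests received
// by a server, r.URL is parsed from the request target (path and query), so
// Scheme is empty for ordinary requests even when the connection is HTTPS.
func buggyIsTLS(r *http.Request) bool { return r.URL.Scheme == "https" }

// servedOverTLS uses r.TLS, which net/http sets for TLS-enabled connections.
func servedOverTLS(r *http.Request) bool { return r.TLS != nil }

// observation records what each check reported inside the handler.
type observation struct{ SchemeCheck, TLSField bool }

// probe starts a loopback test server (TLS or plaintext), sends one request
// and returns what both checks saw on the server side.
func probe(useTLS bool) (observation, error) {
	ch := make(chan observation, 1)
	h := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		ch <- observation{buggyIsTLS(r), servedOverTLS(r)}
	})
	var srv *httptest.Server
	if useTLS {
		srv = httptest.NewTLSServer(h)
	} else {
		srv = httptest.NewServer(h)
	}
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return observation{}, err
	}
	resp.Body.Close()
	return <-ch, nil
}

func main() {
	for _, useTLS := range []bool{true, false} {
		o, err := probe(useTLS)
		fmt.Printf("tls=%v scheme-check=%v r.TLS-check=%v err=%v\n", useTLS, o.SchemeCheck, o.TLSField, err)
	}
}
```

A strict Origin/Referer check guarded by the scheme test never runs, because that test is false on both servers; only the `r.TLS` test distinguishes them. A server behind a TLS-terminating proxy sees `r.TLS == nil` too, which is why the caller has to state the transport explicitly.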