Migrate away from gorilla/csrf

Author: csmith

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 5.1.0 - 2025-12-01
+
+* Migrate away from `gorilla/csrf` for CSRF protection
+* Minimum version of Go for building is now 1.25
+
 ## 5.0.6 - 2025-05-09
 
 _No code changes, just changes to the release process._

README.md

@@ -75,7 +75,7 @@ variables. The following configuration options are supported:
 
 ### Encryption key
 
-In order to persist runtime settings (user accounts, session keys, CSRF tokens),
+In order to persist runtime settings (user accounts, session keys),
 you must provide an encryption key either as a CLI argument (`-key`) or
 an environment variable (`KEY`). The key should be 32 bytes and
 hex-encoded; you can generate such a key using `openssl rand -hex 32`.

config/secrets.go

@@ -9,7 +9,6 @@ const secretsSettingsName = "secrets"
 
 type Secrets struct {
 	SessionKey []byte
-	CsrfKey    []byte
 }
 
 func LoadSecrets(store Store) (*Secrets, error) {
@@ -29,15 +28,6 @@ func LoadSecrets(store Store) (*Secrets, error) {
 		dirty = true
 	}
 
-	if s.CsrfKey == nil || len(s.CsrfKey) < 32 {
-		newKey := make([]byte, 32)
-		if _, err := io.ReadFull(rand.Reader, newKey); err != nil {
-			return nil, err
-		}
-		s.CsrfKey = newKey
-		dirty = true
-	}
-
 	if dirty {
 		_ = store.PutSettings(secretsSettingsName, "System", "Initialising secrets", s)
 	}

go.mod

@@ -5,7 +5,6 @@ go 1.25
 require (
 	github.com/evanw/esbuild v0.27.0
 	github.com/go-git/go-git/v5 v5.16.4
-	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/sessions v1.4.0

handlers_api.go

@@ -15,6 +15,12 @@ func ApiListHandler(l Lister) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var res []string
 
+		if err := r.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		if r.FormValue("type") == "file" {
 			files, err := l.ListFiles()
 			if err != nil {

handlers_file.go

@@ -2,13 +2,14 @@ package main
 
 import (
 	"fmt"
-	"github.com/mdbot/wiki/markdown"
 	"io"
 	"log"
 	"mime"
 	"net/http"
 	"path/filepath"
 	"strings"
+
+	"github.com/mdbot/wiki/markdown"
 )
 
 type FileLister interface {
@@ -115,6 +116,12 @@ func DeleteFileConfirmHandler(t *Templates) http.HandlerFunc {
 
 func DeleteFileHandler(provider DeleteFileProvider) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		name := strings.TrimPrefix(request.URL.Path, "/files/delete/")
 		confirm := request.FormValue("confirm")
 		if confirm == "" {

handlers_history.go

@@ -121,6 +121,12 @@ type DiffProvider interface {
 
 func DiffPageHandler(templates *Templates, backend DiffProvider) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		if err := r.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		
 		pageTitle := strings.TrimPrefix(r.URL.Path, "/diff/")
 		startRevision := r.FormValue("startrev")
 		endRevision := r.FormValue("endrev")

handlers_page.go

@@ -24,6 +24,12 @@ func ViewPageHandler(t *Templates, renderer ContentRenderer, pp PageProvider) ht
 	return func(w http.ResponseWriter, r *http.Request) {
 		pageTitle := strings.TrimPrefix(r.URL.Path, "/view/")
 
+		if err := r.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		revision := r.FormValue("rev")
 		var page *Page
 		var err error
@@ -74,6 +80,12 @@ func SubmitPageHandler(pe PageEditor) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		pageTitle := strings.TrimPrefix(request.URL.Path, "/edit/")
 
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		content := request.FormValue("content")
 		message := request.FormValue("message")
 		username := "Anonymoose"
@@ -105,6 +117,13 @@ func DeletePageConfirmHandler(t *Templates) http.HandlerFunc {
 func DeletePageHandler(provider DeletePageProvider) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		name := strings.TrimPrefix(request.URL.Path, "/delete/")
+
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		confirm := request.FormValue("confirm")
 		if confirm == "" {
 			http.Redirect(writer, request, "/delete/"+name, http.StatusSeeOther)
@@ -142,6 +161,12 @@ func RenamePageConfirmHandler(backend PageExists, t *Templates) http.HandlerFunc
 
 func RenamePageHandler(provider RenamePageProvider) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		name := strings.TrimPrefix(request.URL.Path, "/rename/")
 		newName := request.FormValue("newName")
 		if newName == "" {
@@ -168,6 +193,12 @@ type RevertPageProvider interface {
 
 func RevertPageConfirmHandler(t *Templates) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		if err := r.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		name := strings.TrimPrefix(r.URL.Path, "/revert/")
 		revision := r.FormValue("rev")
 		if revision == "" {
@@ -180,6 +211,12 @@ func RevertPageConfirmHandler(t *Templates) http.HandlerFunc {
 
 func RevertPageHandler(provider RevertPageProvider) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		name := strings.TrimPrefix(request.URL.Path, "/revert/")
 		confirm := request.FormValue("confirm")
 		if confirm == "" {

handlers_search.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"log"
 	"net/http"
 )
 
@@ -10,6 +11,12 @@ type SearchRequest interface {
 
 func SearchHandler(templates *Templates, backend SearchRequest) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		if err := r.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		pattern := r.FormValue("pattern")
 		var results []SearchResult
 		if pattern != "" {

handlers_user.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"log"
 	"net/http"
 	"sort"
 	"strings"
@@ -15,6 +16,12 @@ type Authenticator interface {
 
 func LoginHandler(auth Authenticator) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		username := request.FormValue("username")
 		password := request.FormValue("password")
 		redirect := request.FormValue("redirect")
@@ -38,6 +45,12 @@ func LoginHandler(auth Authenticator) http.HandlerFunc {
 
 func LogoutHandler() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		redirect := request.FormValue("redirect")
 
 		// Only allow relative redirects
@@ -96,6 +109,12 @@ func ModifyUserHandler(um UserModifier) http.HandlerFunc {
 			responsible = user.Name
 		}
 
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		user := request.FormValue("user")
 		action := request.FormValue("action")
 		if action == "password" {
@@ -155,6 +174,12 @@ func ModifyAccountHandler(pu PasswordUpdater) http.HandlerFunc {
 			return
 		}
 
+		if err := request.ParseForm(); err != nil {
+			log.Printf("Error parsing form: %v", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
 		action := request.FormValue("action")
 		if action == "password" {
 			if _, err := pu.Authenticate(user.Name, request.FormValue("password")); err != nil {