From 82d36a7bd8a447be7ad804ae189576ad82177fd5 Mon Sep 17 00:00:00 2001
From: Tim McGilchrist
Date: Tue, 16 May 2023 08:38:03 +1000
Subject: [PATCH 1/6] Add lower bound for mimic in dream-mirage.opam
---
dream-mirage.opam | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dream-mirage.opam b/dream-mirage.opam
index 0c0e90f2..b0ada8ab 100644
--- a/dream-mirage.opam
+++ b/dream-mirage.opam
@@ -59,7 +59,7 @@ depends: [
 "letsencrypt" {>= "0.3.0"}
 "lwt"
 "lwt_ppx" {>= "1.2.2"}
- "mimic"
+ "mimic" {>= "0.0.6"}
 "mirage-time"
 "rresult"
 "tcpip"
From ebb6d5705bcdad4ed535641fd2437a32d6e20aa0 Mon Sep 17 00:00:00 2001
From: Tim McGilchrist
Date: Tue, 16 May 2023 10:49:02 +1000
Subject: [PATCH 2/6] Update Dream_mirage with remove deprecated values changes. Use Dream.csrf_tag instead. See https://github.com/aantron/dream/commit/e14bd91a4481fe36baa38347d3e3746ac545ddbe
---
src/mirage/mirage.ml | 7 ------
src/mirage/mirage.mli | 55 +++++++++++++++++++++--------------------------
2 files changed, 22 insertions(+), 40 deletions(-)
diff --git a/src/mirage/mirage.ml b/src/mirage/mirage.ml
index 6f5f5a09..86af0c20 100644
--- a/src/mirage/mirage.ml
+++ b/src/mirage/mirage.ml
@@ -343,13 +343,6 @@ module Make (Pclock : Mirage_clock.PCLOCK) (Time : Mirage_time.S) (Stack : Tcpip
 let verify_csrf_token = verify_csrf_token ~now
 let csrf_tag = Tag.csrf_tag ~now
- (* Templates *)
-
- let form_tag ?method_ ?target ?enctype ?csrf_token ~action request =
- Tag.form_tag ~now ?method_ ?target ?enctype ?csrf_token ~action request
-
-
-
 (* Errors *)
 type error = Catch.error = {
diff --git a/src/mirage/mirage.mli b/src/mirage/mirage.mli
index 177860ed..99f8f31f 100644
--- a/src/mirage/mirage.mli
+++ b/src/mirage/mirage.mli
@@ -908,14 +908,15 @@ module Make (** {1 Forms} - {!Dream.form_tag} and {!Dream.val-form} round-trip secure forms. - {!Dream.form_tag} is used inside a template to generate a form header with a - CSRF token: + {!Dream.csrf_tag} and {!Dream.val-form} round-trip secure forms. + {!Dream.csrf_tag} is used inside a form template to generate a hidden field + with a CSRF token: {[ - <%s! Dream.form_tag ~action:"/" request %> - - +
+ <%s! Dream.csrf_tag request %> + +
]} {!Dream.val-form} recieves the form and checks the CSRF token: @@ -953,13 +954,13 @@ module Make val form : ?csrf:bool -> request -> (string * string) list form_result promise (** Parses the request body as a form. Performs CSRF checks. Use - {!Dream.form_tag} in a template to transparently generate forms that will + {!Dream.csrf_tag} in a template to transparently generate forms that will pass these checks. See {!section-templates} and example {{:https://github.com/aantron/dream/tree/master/example/d-form#readme} [d-form]}. - [Content-Type:] must be [application/x-www-form-urlencoded]. - - The form must have a field named [dream.csrf]. {!Dream.form_tag} adds such + - The form must have a field named [dream.csrf]. {!Dream.csrf_tag} adds such a field. - {!Dream.form} calls {!Dream.verify_csrf_token} to check the token in [dream.csrf]. @@ -1100,8 +1101,9 @@ module Make It's usually not necessary to handle CSRF tokens directly. - - Form tag generator {!Dream.form_tag} generates and inserts a CSRF token - that {!Dream.val-form} and {!Dream.val-multipart} transparently verify. + - CSRF token field generator {!Dream.csrf_tag} generates and inserts a CSRF + token that {!Dream.val-form} and {!Dream.val-multipart} transparently + verify. - AJAX can be protected from CSRF by {!Dream.origin_referrer_check}. CSRF functions are exposed for creating custom schemes, and for @@ -1136,8 +1138,6 @@ module Make val verify_csrf_token : request -> string -> csrf_result promise (** Checks that the CSRF token is valid for the {!type-request}'s session. *) - val csrf_tag : request -> string - (** {1 Templates} Dream includes a template preprocessor that allows interleaving OCaml and @@ -1223,20 +1223,13 @@ module Make unquoted attribute values, CSS in [
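Review bot: The updated docstring on `val form` (hunk at 953) still tells the reader to use `{!Dream.csrf_tag}` "to transparently generate forms that will pass these checks", but csrf_tag only emits the hidden token field — the enclosing form element is now written by the application, as the rewritten example in the 908 hunk states ("used inside a form template to generate a hidden field"). As worded, a reader could assume any form in a template is protected, when the check only passes for forms that actually contain the field. Suggest `{!Dream.csrf_tag} inside each form in a template to insert the hidden [dream.csrf] field that these checks require.`, which also lines up with the bullet a few lines below that says csrf_tag adds such a field. The doc comment appears to continue past the end of the hunk.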
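Review bot: The new bullet in the 1100 hunk reads "CSRF token field generator {!Dream.csrf_tag} generates and inserts a CSRF token", which says "generator … generates" and takes three lines where the old bullet took two. A single-verb form is clearer: `- {!Dream.csrf_tag} inserts a hidden CSRF token field that {!Dream.val-form} and {!Dream.val-multipart} transparently verify.` This is wording only; the point it makes is unchanged.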
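Review bot: The 1136 hunk deletes `val csrf_tag : request -> string` from the CSRF section of the interface, while the mirage.ml hunk in this same patch keeps `let csrf_tag = Tag.csrf_tag ~now` and every rewritten doc comment now directs users to csrf_tag for form protection. Unless the value is re-declared elsewhere — presumably under the Templates section in the hunk at 1223, which is cut off in this view — the functor's signature would stop exposing the one function the docs rely on, and the `{!Dream.csrf_tag}` cross-references in the surrounding text would dangle. Worth confirming the declaration survives in the final .mli and carries its own doc line, e.g. `(** Generates the hidden [dream.csrf] field that {!Dream.val-form} checks; emit it inside the form element. *)`.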