From 37eab31f6894d3126a47208fd42036a8262a58b8 Mon Sep 17 00:00:00 2001 From: Will Norris Date: Wed, 30 Aug 2023 11:20:02 -0700 Subject: [PATCH] client/web: simply csrf key caching in cgi mode Instead of trying to use the user config dir, and then fail back to the OS temp dir, just always use the temp dir. Also use a filename that is less likely to cause collisions. This addresses an issue on a test synology instance that was mysteriously failing because there was a file at /tmp/tailscale. We could still technically run into this issue if a /tmp/tailscale-web-csrf.key file exists, but that seems far less likely. Updates tailscale/corp#13775 Signed-off-by: Will Norris --- client/web/web.go | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/client/web/web.go b/client/web/web.go index 9879318be..71c2b1616 100644 --- a/client/web/web.go +++ b/client/web/web.go @@ -456,16 +456,10 @@ var localapiAllowlist = []string{ // If the server is running in CGI mode, the key is cached to disk and reused between requests. // If an error occurs during key storage, the error is logged and the active process terminated. func (s *Server) csrfKey() []byte { - var csrfFile string + csrfFile := filepath.Join(os.TempDir(), "tailscale-web-csrf.key") // if running in CGI mode, try to read from disk, but ignore errors if s.cgiMode { - confdir, err := os.UserConfigDir() - if err != nil { - confdir = os.TempDir() - } - - csrfFile = filepath.Join(confdir, "tailscale", "web-csrf.key") key, _ := os.ReadFile(csrfFile) if len(key) == 32 { return key @@ -480,9 +474,6 @@ func (s *Server) csrfKey() []byte { // if running in CGI mode, try to write the newly created key to disk, and exit if it fails. if s.cgiMode { - if err := os.Mkdir(filepath.Dir(csrfFile), 0700); err != nil && !os.IsExist(err) { - log.Fatalf("unable to store CSRF key: %v", err) - } if err := os.WriteFile(csrfFile, key, 0600); err != nil { log.Fatalf("unable to store CSRF key: %v", err) }