Browse Source

auth: few security improvements

pull/4116/head
Unknwon 8 years ago
parent
commit
0ae666f3e6
No known key found for this signature in database
GPG Key ID: 25B575AE3213B2B3
  1. 2
      gogs.go
  2. 19
      routers/user/auth.go
  3. 2
      templates/.VERSION

2
gogs.go

@ -16,7 +16,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.9.141.0211" const APP_VER = "0.9.142.0211"
func init() { func init() {
setting.AppVer = APP_VER setting.AppVer = APP_VER

19
routers/user/auth.go

@ -55,8 +55,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
return false, nil return false, nil
} }
if val, _ := ctx.GetSuperSecureCookie( if val, ok := ctx.GetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
return false, nil return false, nil
} }
@ -67,6 +66,13 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
return true, nil return true, nil
} }
// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url
// True: /url
func isValidRedirect(url string) bool {
return len(url) >= 2 && url[0] == '/' && url[1] != '/'
}
func SignIn(ctx *context.Context) { func SignIn(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("sign_in") ctx.Data["Title"] = ctx.Tr("sign_in")
@ -83,10 +89,10 @@ func SignIn(ctx *context.Context) {
} else { } else {
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to")) redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
} }
ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
if isSucceed { if isSucceed {
if len(redirectTo) > 0 { if isValidRedirect(redirectTo) {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
ctx.Redirect(redirectTo) ctx.Redirect(redirectTo)
} else { } else {
ctx.Redirect(setting.AppSubUrl + "/") ctx.Redirect(setting.AppSubUrl + "/")
@ -128,8 +134,9 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
// Clear whatever CSRF has right now, force to generate a new one // Clear whatever CSRF has right now, force to generate a new one
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl) ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to"))
ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
if isValidRedirect(redirectTo) {
ctx.Redirect(redirectTo) ctx.Redirect(redirectTo)
return return
} }

2
templates/.VERSION

@ -1 +1 @@
0.9.141.0211 0.9.142.0211
Loading…
Cancel
Save