auth: few security improvements

gogs.go

@@ -16,7 +16,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.9.141.0211"
+const APP_VER = "0.9.142.0211"
 
 func init() {
 	setting.AppVer = APP_VER

routers/user/auth.go

@@ -55,8 +55,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, nil
 	}
 
-	if val, _ := ctx.GetSuperSecureCookie(
-		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+	if val, ok := ctx.GetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
 		return false, nil
 	}
 
@@ -67,6 +66,13 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 	return true, nil
 }
 
+// isValidRedirect returns false if the URL does not redirect to same site.
+// False: //url, http://url
+// True: /url
+func isValidRedirect(url string) bool {
+	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
+}
+
 func SignIn(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("sign_in")
 
@@ -83,10 +89,10 @@ func SignIn(ctx *context.Context) {
 	} else {
 		redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
 	}
+	ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
 
 	if isSucceed {
-		if len(redirectTo) > 0 {
-			ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
+		if isValidRedirect(redirectTo) {
 			ctx.Redirect(redirectTo)
 		} else {
 			ctx.Redirect(setting.AppSubUrl + "/")
@@ -128,8 +134,9 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 	// Clear whatever CSRF has right now, force to generate a new one
 	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)
 
-	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
+	redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to"))
 	ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
+	if isValidRedirect(redirectTo) {
 		ctx.Redirect(redirectTo)
 		return
 	}

templates/.VERSION

@@ -1 +1 @@
-0.9.141.0211
+0.9.142.0211