diff --git a/gogs.go b/gogs.go index 756b06a9a..14de15ff4 100644 --- a/gogs.go +++ b/gogs.go @@ -16,7 +16,7 @@ import ( "github.com/gogs/gogs/pkg/setting" ) -const APP_VER = "0.11.68.1023" +const APP_VER = "0.11.69.1024" func init() { setting.AppVer = APP_VER diff --git a/templates/.VERSION b/templates/.VERSION index 17dd7a7c2..444de06fd 100644 --- a/templates/.VERSION +++ b/templates/.VERSION @@ -1 +1 @@ -0.11.68.1023 +0.11.69.1024 diff --git a/vendor/github.com/go-macaron/session/README.md b/vendor/github.com/go-macaron/session/README.md index b11bd4a79..fe4f4ba1b 100644 --- a/vendor/github.com/go-macaron/session/README.md +++ b/vendor/github.com/go-macaron/session/README.md @@ -4,6 +4,8 @@ Middleware session provides session management for [Macaron](https://github.com/ ### Installation +The minimum requirement of Go is 1.6 (*1.7 if using Redis, 1.8 if using MySQL*). + go get github.com/go-macaron/session ## Getting Help diff --git a/vendor/github.com/go-macaron/session/session.go b/vendor/github.com/go-macaron/session/session.go index 7e7b833c5..e17c5e743 100644 --- a/vendor/github.com/go-macaron/session/session.go +++ b/vendor/github.com/go-macaron/session/session.go @@ -18,15 +18,17 @@ package session import ( "encoding/hex" + "errors" "fmt" "net/http" "net/url" + "strings" "time" "gopkg.in/macaron.v1" ) -const _VERSION = "0.3.0" +const _VERSION = "0.4.0" func Version() string { return _VERSION @@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) { return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig) } -// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function. -func (m *Manager) sessionId() string { +// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function. +func (m *Manager) sessionID() string { return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2)) } @@ -258,7 +260,7 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { return m.provider.Read(sid) } - sid = m.sessionId() + sid = m.sessionID() sess, err := m.provider.Read(sid) if err != nil { return nil, err @@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { // Read returns raw session store by session ID. func (m *Manager) Read(sid string) (RawStore, error) { + // No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug. + // See https://github.com/gogs/gogs/issues/5469 + if strings.ContainsAny(sid, "./") { + return nil, errors.New("invalid 'sid': " + sid) + } + return m.provider.Read(sid) } @@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error { // RegenerateId regenerates a session store from old session ID to new one. func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) { - sid := m.sessionId() + sid := m.sessionID() oldsid := ctx.GetCookie(m.opt.CookieName) sess, err = m.provider.Regenerate(oldsid, sid) if err != nil { diff --git a/vendor/vendor.json b/vendor/vendor.json index 784db9fc0..69055a1a4 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -135,10 +135,10 @@ "revisionTime": "2016-06-27T17:00:12Z" }, { - "checksumSHA1": "gO0dj0NqsmBTkf4D0JzJDtOEx+U=", + "checksumSHA1": "DsbAcljMg4dSIIf6N/RJEJY6nTk=", "path": "github.com/go-macaron/session", - "revision": "b8e286a0dba8f4999042d6b258daf51b31d08938", - "revisionTime": "2017-03-20T17:22:09Z" + "revision": "487775536c781f5fd19b36c9421b79ba2b8a119d", + "revisionTime": "2018-10-24T13:41:25Z" }, { "checksumSHA1": "jVW5CmzplA0UDjai0AFYJFVXAJk=",