Browse Source

vendor: update github.com/go-macaron/session (#5469)

Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
develop
Unknwon 6 years ago
parent
commit
b93079f1c1
No known key found for this signature in database
GPG Key ID: 25B575AE3213B2B3
  1. 2
      gogs.go
  2. 2
      templates/.VERSION
  3. 2
      vendor/github.com/go-macaron/session/README.md
  4. 18
      vendor/github.com/go-macaron/session/session.go
  5. 6
      vendor/vendor.json

2
gogs.go

@ -16,7 +16,7 @@ import (
"github.com/gogs/gogs/pkg/setting"
)
const APP_VER = "0.11.68.1023"
const APP_VER = "0.11.69.1024"
func init() {
setting.AppVer = APP_VER

2
templates/.VERSION

@ -1 +1 @@
0.11.68.1023
0.11.69.1024

2
vendor/github.com/go-macaron/session/README.md generated vendored

@ -4,6 +4,8 @@ Middleware session provides session management for [Macaron](https://github.com/
### Installation
The minimum requirement of Go is 1.6 (*1.7 if using Redis, 1.8 if using MySQL*).
go get github.com/go-macaron/session
## Getting Help

18
vendor/github.com/go-macaron/session/session.go generated vendored

@ -18,15 +18,17 @@ package session
import (
"encoding/hex"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"time"
"gopkg.in/macaron.v1"
)
const _VERSION = "0.3.0"
const _VERSION = "0.4.0"
func Version() string {
return _VERSION
@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
}
// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
func (m *Manager) sessionId() string {
// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
func (m *Manager) sessionID() string {
return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
}
@ -258,7 +260,7 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
return m.provider.Read(sid)
}
sid = m.sessionId()
sid = m.sessionID()
sess, err := m.provider.Read(sid)
if err != nil {
return nil, err
@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
// Read returns raw session store by session ID.
func (m *Manager) Read(sid string) (RawStore, error) {
// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
// See https://github.com/gogs/gogs/issues/5469
if strings.ContainsAny(sid, "./") {
return nil, errors.New("invalid 'sid': " + sid)
}
return m.provider.Read(sid)
}
@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {
// RegenerateId regenerates a session store from old session ID to new one.
func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
sid := m.sessionId()
sid := m.sessionID()
oldsid := ctx.GetCookie(m.opt.CookieName)
sess, err = m.provider.Regenerate(oldsid, sid)
if err != nil {

6
vendor/vendor.json vendored

@ -135,10 +135,10 @@
"revisionTime": "2016-06-27T17:00:12Z"
},
{
"checksumSHA1": "gO0dj0NqsmBTkf4D0JzJDtOEx+U=",
"checksumSHA1": "DsbAcljMg4dSIIf6N/RJEJY6nTk=",
"path": "github.com/go-macaron/session",
"revision": "b8e286a0dba8f4999042d6b258daf51b31d08938",
"revisionTime": "2017-03-20T17:22:09Z"
"revision": "487775536c781f5fd19b36c9421b79ba2b8a119d",
"revisionTime": "2018-10-24T13:41:25Z"
},
{
"checksumSHA1": "jVW5CmzplA0UDjai0AFYJFVXAJk=",

Loading…
Cancel
Save