Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not display the raw OpenID error in the UI #5705

Merged
merged 4 commits into from
Jan 12, 2019
Merged

Do not display the raw OpenID error in the UI #5705

merged 4 commits into from
Jan 12, 2019

Conversation

zeripath
Copy link
Contributor

If there are no WHITELIST_URIS or BLACKLIST_URIS set in the openid
section of the app.ini, it is possible that Gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix #4973

Signed-off-by: Andrew Thornton [email protected]

@zeripath
Do not display the raw OpenID error in the UI
9749661 
If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix go-gitea#4973

Signed-off-by: Andrew Thornton <[email protected]>
@bkcsoft bkcsoft added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jan 12, 2019
@techknowlogick techknowlogick added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! backport/v1.7 labels Jan 12, 2019
@techknowlogick techknowlogick added this to the 1.8.0 milestone Jan 12, 2019
lunny
lunny requested changes Jan 12, 2019
View reviewed changes
routers/user/auth_openid.go Outdated Show resolved Hide resolved
@zeripath
Update auth_openid.go
6b08894 
Place error log within the `err != nil` branch.
@codecov-io
Copy link

codecov-io commented Jan 12, 2019
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@bf7a112). Click here to learn what that means.
The diff coverage is 0%.

Impacted file tree graph

@@            Coverage Diff            @@
##             master    #5705   +/-   ##
=========================================
  Coverage          ?   37.76%           
=========================================
  Files             ?      323           
  Lines             ?    47596           
  Branches          ?        0           
=========================================
  Hits              ?    17974           
  Misses            ?    27032           
  Partials          ?     2590
Impacted Files Coverage Δ
routers/user/auth_openid.go 0% <0%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bf7a112...4b76b48. Read the comment docs.

@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 12, 2019
@techknowlogick techknowlogick merged commit 2b36bdd into go-gitea:master Jan 12, 2019
@zeripath zeripath deleted the issue-4793-ssrf-in-openid branch January 13, 2019 08:19
zeripath added a commit to zeripath/gitea that referenced this pull request Jan 13, 2019
@zeripath
Do not display the raw OpenID error in the UI (go-gitea#5705)
318527a 
* Do not display the raw OpenID error in the UI

If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix go-gitea#4973

Signed-off-by: Andrew Thornton <[email protected]>

* Update auth_openid.go

Place error log within the `err != nil` branch.
techknowlogick pushed a commit that referenced this pull request Jan 13, 2019
@zeripath @techknowlogick
Do not display the raw OpenID error in the UI (#5705) (#5712)
e9c4609 
* Do not display the raw OpenID error in the UI

If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix #4973

Signed-off-by: Andrew Thornton <[email protected]>

* Update auth_openid.go

Place error log within the `err != nil` branch.
@techknowlogick techknowlogick added the backport/done All backports for this PR have been created label Jan 13, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lunny lunny lunny approved these changes

@techknowlogick techknowlogick techknowlogick approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
1.8.0
Development

Successfully merging this pull request may close these issues.
5 participants
@zeripath @codecov-io @lunny @techknowlogick @bkcsoft