Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

routers/user: ensure that decryption of cookie actually suceeds #7363

Merged
merged 2 commits into from
Jul 6, 2019
Merged

routers/user: ensure that decryption of cookie actually suceeds #7363

merged 2 commits into from
Jul 6, 2019

Conversation

leonklingele
Copy link
Contributor

Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.

@leonklingele
routers/user: ensure that decryption of cookie actually suceeds
f6085e4 
Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.
@leonklingele leonklingele force-pushed the security-auth-check-cookie-decrypt-success branch from a1553b3 to f6085e4 Compare July 5, 2019 23:17
@leonklingele leonklingele changed the title routers/users: ensure that decryption of cookie actually suceeds routers/user: ensure that decryption of cookie actually suceeds Jul 5, 2019
@leonklingele
Copy link
Contributor Author

Fixed typo in commit message.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 5, 2019
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jul 6, 2019
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jul 6, 2019
@lunny
Copy link
Member

lunny commented Jul 6, 2019

make LGTM work

@lunny lunny merged commit 96b66e3 into go-gitea:master Jul 6, 2019
@lafriks lafriks added this to the 1.9.0 milestone Jul 6, 2019
@lafriks lafriks added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jul 6, 2019
jeffliu27 pushed a commit to jeffliu27/gitea that referenced this pull request Jul 18, 2019
@leonklingele @jeffliu27
routers/user: ensure that decryption of cookie actually suceeds (go-g…
a39f022 
…itea#7363)

Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zeripath zeripath zeripath approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.9.0
Development

Successfully merging this pull request may close these issues.
5 participants
@leonklingele @lunny @zeripath @lafriks @GiteaBot