authorUnknwon <u@gogs.io>2017-02-17 08:06:48 -0500
committerUnknwon <u@gogs.io>2017-02-17 08:06:48 -0500
commit5155f026b4d6a66eb58f4dba371c047fbee932e5 (patch)
treeb26a4765ad180fc8f348e9050bc44a516da48592 /routers/repo
parentd521e716dd59617dbbb637a3e8028bf4a5c6f849 (diff)
Security: fix XSS attack on milestone
Reported by Miguel Ángel Jimeno.
Diffstat (limited to 'routers/repo')
-rw-r--r--routers/repo/http.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/routers/repo/http.go b/routers/repo/http.go
index f2f1110b..c3cec9e3 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -95,7 +95,7 @@ func HTTPContexter() macaron.Handler {
authUser, err := models.UserSignIn(authUsername, authPassword)
if err != nil && !models.IsErrUserNotExist(err) {
- ctx.Handle(http.StatusInternalServerError, "UserSignIn: %v", err)
+ ctx.Handle(http.StatusInternalServerError, "UserSignIn", err)
return
}
@@ -103,7 +103,11 @@ func HTTPContexter() macaron.Handler {
if authUser == nil {
token, err := models.GetAccessTokenBySHA(authUsername)
if err != nil {
- ctx.NotFoundOrServerError("GetAccessTokenBySHA", models.IsErrAccessTokenNotExist, err)
+ if models.IsErrAccessTokenEmpty(err) || models.IsErrAccessTokenNotExist(err) {
+ ctx.Error(http.StatusUnauthorized)
+ } else {
+ ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySHA", err)
+ }
return
}
token.Updated = time.Now()
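Review bot: The 401 issued on the new lines 33-34 via `ctx.Error(http.StatusUnauthorized)` carries no `WWW-Authenticate` challenge, so unless HTTPContexter already set that header earlier in the function (outside this hunk) a git client receives a bare 401 and will not retry with credentials. I would set it right before the status, `ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")`, using the same realm as the path that challenges anonymous requests. It would also help detection to log the rejected token lookup at debug level, since an empty or unknown token now fails silently and repeated attempts leave no trace in the server log. The enclosing handler closure begins and ends outside the hunk.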