diff options
| author | Unknwon <u@gogs.io> | 2017-02-11 07:12:06 -0500 |
|---|---|---|
| committer | Unknwon <u@gogs.io> | 2017-02-11 07:12:06 -0500 |
| commit | 0ae666f3e62b3a569ca2d4a1cbdab2089bd02cfc (patch) | |
| tree | fdd5d3cef37ace861681e522d805ea4661ea429c /routers/user | |
| parent | 23f2efa8c1e21957f950424bfdbdc684ba64b56f (diff) | |
auth: few security improvements
Diffstat (limited to 'routers/user')
| -rw-r--r-- | routers/user/auth.go | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go index 7b9f098b..10cee51c 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -55,8 +55,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) { return false, nil } - if val, _ := ctx.GetSuperSecureCookie( - base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name { + if val, ok := ctx.GetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name { return false, nil } @@ -67,6 +66,13 @@ func AutoSignIn(ctx *context.Context) (bool, error) { return true, nil } +// isValidRedirect returns false if the URL does not redirect to same site. +// False: //url, http://url +// True: /url +func isValidRedirect(url string) bool { + return len(url) >= 2 && url[0] == '/' && url[1] != '/' +} + func SignIn(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("sign_in") @@ -83,10 +89,10 @@ func SignIn(ctx *context.Context) { } else { redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to")) } + ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) if isSucceed { - if len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) + if isValidRedirect(redirectTo) { ctx.Redirect(redirectTo) } else { ctx.Redirect(setting.AppSubUrl + "/") @@ -128,8 +134,9 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) { // Clear whatever CSRF has right now, force to generate a new one ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl) - if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) + redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")) + ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) + if isValidRedirect(redirectTo) { ctx.Redirect(redirectTo) return } |