-rw-r--r--gogs.go2
-rw-r--r--routers/user/auth.go19
-rw-r--r--templates/.VERSION2
3 files changed, 15 insertions, 8 deletions
diff --git a/gogs.go b/gogs.go
index da1030e2..805758d3 100644
--- a/gogs.go
+++ b/gogs.go
@@ -16,7 +16,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
-const APP_VER = "0.9.141.0211"
+const APP_VER = "0.9.142.0211"
func init() {
setting.AppVer = APP_VER
diff --git a/routers/user/auth.go b/routers/user/auth.go
index 7b9f098b..10cee51c 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -55,8 +55,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
return false, nil
}
- if val, _ := ctx.GetSuperSecureCookie(
- base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+ if val, ok := ctx.GetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
return false, nil
}
@@ -67,6 +66,13 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
return true, nil
}
+// isValidRedirect returns false if the URL does not redirect to same site.
+// False: //url, http://url
+// True: /url
+func isValidRedirect(url string) bool {
+ return len(url) >= 2 && url[0] == '/' && url[1] != '/'
+}
+
func SignIn(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("sign_in")
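Review bot: isValidRedirect rejects a protocol-relative `//host` target but still accepts a value whose second byte is a backslash, which several browsers normalise to the same protocol-relative form, so the same-site check on the `redirect_to` cookie that SignIn and SignInPost consult in the next two hunks is not complete. Treating a backslash like a second slash closes the gap: `return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'`. The parameter name `url` also shadows the net/url package that the later hunks call as `url.QueryUnescape`; renaming it to `target` avoids the shadowing. The doc comment could additionally state that an empty string and a bare `/` are rejected, since the callers then fall back to `setting.AppSubUrl + "/"`.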
@@ -83,10 +89,10 @@ func SignIn(ctx *context.Context) {
} else {
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
}
+ ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
if isSucceed {
- if len(redirectTo) > 0 {
- ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
+ if isValidRedirect(redirectTo) {
ctx.Redirect(redirectTo)
} else {
ctx.Redirect(setting.AppSubUrl + "/")
@@ -128,8 +134,9 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
// Clear whatever CSRF has right now, force to generate a new one
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubUrl)
- if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
- ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
+ redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to"))
+ ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl)
+ if isValidRedirect(redirectTo) {
ctx.Redirect(redirectTo)
return
}
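Review bot: The error from `url.QueryUnescape` on the new line `redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to"))` is discarded with no justifying comment. The discard is safe as far as the hunk shows — QueryUnescape yields an empty string on a malformed value and isValidRedirect rejects anything shorter than two bytes — but a reader has to reconstruct that, so a short comment such as `// a malformed cookie value decodes to "" and is rejected by isValidRedirect below` would document it; the same pattern appears in the SignIn hunk above. SignInPost's body appears to continue past the end of the hunk.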
diff --git a/templates/.VERSION b/templates/.VERSION
index 44ec5fd0..c2425b81 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.141.0211 \ No newline at end of file
+0.9.142.0211 \ No newline at end of file