aboutsummaryrefslogtreecommitdiff
path: root/vendor/github.com
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com')
-rw-r--r--vendor/github.com/go-macaron/session/README.md2
-rw-r--r--vendor/github.com/go-macaron/session/session.go18
2 files changed, 15 insertions, 5 deletions
diff --git a/vendor/github.com/go-macaron/session/README.md b/vendor/github.com/go-macaron/session/README.md
index b11bd4a7..fe4f4ba1 100644
--- a/vendor/github.com/go-macaron/session/README.md
+++ b/vendor/github.com/go-macaron/session/README.md
@@ -4,6 +4,8 @@ Middleware session provides session management for [Macaron](https://github.com/
### Installation
+The minimum requirement of Go is 1.6 (*1.7 if using Redis, 1.8 if using MySQL*).
+
go get github.com/go-macaron/session
## Getting Help
diff --git a/vendor/github.com/go-macaron/session/session.go b/vendor/github.com/go-macaron/session/session.go
index 7e7b833c..e17c5e74 100644
--- a/vendor/github.com/go-macaron/session/session.go
+++ b/vendor/github.com/go-macaron/session/session.go
@@ -18,15 +18,17 @@ package session
import (
"encoding/hex"
+ "errors"
"fmt"
"net/http"
"net/url"
+ "strings"
"time"
"gopkg.in/macaron.v1"
)
-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"
func Version() string {
return _VERSION
@@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
}
-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
+func (m *Manager) sessionID() string {
return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
}
@@ -258,7 +260,7 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
return m.provider.Read(sid)
}
- sid = m.sessionId()
+ sid = m.sessionID()
sess, err := m.provider.Read(sid)
if err != nil {
return nil, err
@@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
// Read returns raw session store by session ID.
func (m *Manager) Read(sid string) (RawStore, error) {
+ // No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+ // See https://github.com/gogs/gogs/issues/5469
+ if strings.ContainsAny(sid, "./") {
+ return nil, errors.New("invalid 'sid': " + sid)
+ }
+
return m.provider.Read(sid)
}
@@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {
// RegenerateId regenerates a session store from old session ID to new one.
func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
- sid := m.sessionId()
+ sid := m.sessionID()
oldsid := ctx.GetCookie(m.opt.CookieName)
sess, err = m.provider.Regenerate(oldsid, sid)
if err != nil {
Powered by cgit, Themed by Ted Yin.