
Fix open redirect vulnerability on login screen #4312

Merged
merged 4 commits into go-gitea:master from jonasfranz:fix-open-redirect on Jun 26, 2018

Conversation

jonasfranz (Member) commented Jun 25, 2018

Fix #4307 by checking if URL is external before redirecting.

Affected:

  • 2FA
  • U2F
  • Normal login
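The check this PR introduces, written out as an added example that is not the project's own code: parse the redirect target, treat a parse failure as external, treat a target without a host part (a relative path or query) as internal, and otherwise compare the host against the instance's configured domain with a leading "www." ignored on both sides. The review snippet further down in this thread shows the original, which strips "www." with strings.Replace and reads setting.Domain; this example uses strings.TrimPrefix so that only a leading "www." is dropped and takes the domain as a parameter so it runs stand-alone. The names isExternalURL and safeRedirectTarget, the domain try.gitea.io and the "/" fallback are assumptions made for the example; the inputs are the test cases discussed in this thread plus a few constructed ones.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isExternalURL reports whether rawURL leaves the instance whose configured
// domain is domain. Decision order, mirroring the PR:
//   - a target that does not parse is treated as external (fail closed),
//   - a target without a host part ("a/", "test?param=false") is internal,
//   - otherwise the host must equal the configured domain, ignoring a
//     leading "www." on either side.
// Assumption: the PR uses strings.Replace here; TrimPrefix is used instead so
// that only a leading "www." is ignored.
func isExternalURL(rawURL, domain string) bool {
	parsed, err := url.Parse(rawURL)
	if err != nil {
		return true
	}
	if parsed.Host == "" {
		return false
	}
	// parsed.Host keeps any port ("try.gitea.io:3000"); such a host does
	// not equal the bare domain and is therefore treated as external.
	return strings.TrimPrefix(parsed.Host, "www.") != strings.TrimPrefix(domain, "www.")
}

// safeRedirectTarget returns redirectTo when it stays on the instance and
// fallback (for example the application root) otherwise. This is the shape
// of the decision the normal, 2FA and U2F login handlers need to make before
// issuing a redirect.
func safeRedirectTarget(redirectTo, domain, fallback string) string {
	if redirectTo == "" || isExternalURL(redirectTo, domain) {
		return fallback
	}
	return redirectTo
}

func main() {
	const domain = "try.gitea.io" // constructed: stands in for setting.Domain
	for _, target := range []string{
		"http://example.com",
		"a/",
		"https://try.gitea.io/test?param=false",
		"test?param=false",
		"//try.gitea.io/test?param=false",
	} {
		fmt.Printf("%-42q external=%-5v redirect=%q\n",
			target, isExternalURL(target, domain), safeRedirectTarget(target, domain, "/"))
	}
}
```

The scheme-relative form "//try.gitea.io/..." is the case worth noticing: net/url parses it with a host, so it is compared against the domain like an absolute URL, and a scheme-relative link to any other host is rejected as external.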

jonasfranz added some commits Jun 25, 2018

Fix open redirect vulnerability on login screen
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Reorder imports
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Replace www. from Domain too
Signed-off-by: Jonas Franz <info@jonasfranz.software>
codecov-io commented Jun 25, 2018

Codecov Report

Merging #4312 into master will increase coverage by 0.01%.
The diff coverage is 60%.


@@            Coverage Diff            @@
##           master   #4312      +/-   ##
=========================================
+ Coverage   20.09%   20.1%   +0.01%     
=========================================
  Files         153     153              
  Lines       30696   30705       +9     
=========================================
+ Hits         6168    6174       +6     
- Misses      23586   23588       +2     
- Partials      942     943       +1
Impacted Files          Coverage Δ
routers/user/auth.go    0% <0%> (ø) ⬆️
modules/util/util.go    36% <66.66%> (+6.73%) ⬆️

Continue to review full report at Codecov.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b8c2420...3913603.

@bkcsoft bkcsoft added the lgtm/need 2 label Jun 25, 2018

newTest(true, "http://example.com"),
newTest(false, "a/"),

lafriks (Member) Jun 25, 2018

Why is this false?

jonasfranz (Author, Member) Jun 25, 2018

Because it is not external

newTest(false, "a/"),
newTest(false, "https://try.gitea.io/test?param=false"),
newTest(false,

lafriks (Member) Jun 25, 2018

Same here

jonasfranz (Author, Member) Jun 25, 2018

Because it is not external

"test?param=false"),
newTest(false, "//try.gitea.io/test?param=false"),
newTest(false,

lafriks (Member) Jun 25, 2018

And here

jonasfranz (Author, Member) Jun 25, 2018

Because it is not external

@techknowlogick techknowlogick added this to the 1.5.0 milestone Jun 25, 2018

@bkcsoft bkcsoft added lgtm/need 1 and removed lgtm/need 2 labels Jun 25, 2018

lunny (Member) commented Jun 26, 2018

LGTM

@bkcsoft bkcsoft added lgtm/done and removed lgtm/need 1 labels Jun 26, 2018

@strk

strk approved these changes Jun 26, 2018

strk (Member) left a comment

Looks good, thanks!

@lunny lunny merged commit 801843b into go-gitea:master Jun 26, 2018

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr the build was successful
techknowlogick (Member) commented Jun 26, 2018

@JonasFranzDEV could you backport this to 1.4 as well?

bkcsoft (Member) commented Jun 26, 2018

I'm working on a backport to 1.4

bkcsoft added a commit that referenced this pull request Jun 26, 2018

@bkcsoft bkcsoft referenced this pull request Jun 26, 2018

Merged

Backport #4312 to v1.4 #4320

bkcsoft added a commit that referenced this pull request Jun 26, 2018

@jonasfranz jonasfranz deleted the jonasfranz:fix-open-redirect branch Jun 27, 2018

@sapk sapk referenced this pull request Jun 28, 2018

Closed

Open redirect vulnerability on 2FA #4307

2 of 7 tasks complete
	if err != nil {
		return true
	}
	if len(parsed.Host) != 0 && strings.Replace(parsed.Host, "www.", "", 1) != strings.Replace(setting.Domain, "www.", "", 1) {

sapk (Member) Jun 28, 2018

@ghost ghost referenced this pull request Jun 28, 2018

Open

Open Redirect vulnerability on internal links #4332

1 of 7 tasks complete

HoffmannP pushed a commit to HoffmannP/gitea that referenced this pull request Nov 14, 2018

Fix open redirect vulnerability on login screen (go-gitea#4312)
* Fix open redirect vulnerability on login screen

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Reorder imports

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Replace www. from Domain too

Signed-off-by: Jonas Franz <info@jonasfranz.software>