Do not display the raw OpenID error in the UI #5705

Merged
merged 4 commits into from Jan 12, 2019

5 participants

zeripath commented Jan 11, 2019

If there are no WHITELIST_URIS or BLACKLIST_URIS set in the openid
section of the app.ini, it is possible that Gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix #4973

Signed-off-by: Andrew Thornton <art27@cantab.net>

Commits in this PR:

Do not display the raw OpenID error in the UI
(commit message identical to the PR description above)

Review comment on routers/user/auth_openid.go (resolved, outdated)

Update auth_openid.go
Place error log within the `err != nil` branch.
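The pattern the PR describes (log the detailed OpenID error server-side, show the user only a generic message, and let an allowlist stop the lookup before it happens) can be demonstrated in isolation. The following is an added example written for this page, not Gitea's code: `openIDLookup` is a constructed stub that returns the kind of error Go's net/http produces when an internal host refuses a connection, and `allowedIdentifier` assumes allowlist entries are regular expressions, which is an assumption about, not a copy of, how Gitea's `WHITELIST_URIS` setting works.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"log"
	"regexp"
	"strings"
)

// openIDLookup stands in for the OpenID discovery step. Constructed stub:
// real discovery fetches the identifier URL; here we fabricate the errors
// net/http would return when a host on the local network refuses or is unknown.
func openIDLookup(identifier string) error {
	if strings.Contains(identifier, "10.0.0.5") {
		return errors.New(`Get "http://10.0.0.5:8080/": dial tcp 10.0.0.5:8080: connect: connection refused`)
	}
	if strings.Contains(identifier, "intranet") {
		return errors.New(`Get "http://intranet.corp.local/": dial tcp: lookup intranet.corp.local: no such host`)
	}
	return nil
}

// allowedIdentifier reports whether the identifier matches one of the
// allowlist patterns. Hypothetical semantics: an empty allowlist permits all,
// which is the configuration the PR description identifies as risky.
func allowedIdentifier(identifier string, allowlist []*regexp.Regexp) bool {
	if len(allowlist) == 0 {
		return true
	}
	for _, re := range allowlist {
		if re.MatchString(identifier) {
			return true
		}
	}
	return false
}

// signInOpenID applies the defensive pattern: the raw error (which may name
// internal hosts and ports) goes only to the server log; the caller gets a
// generic message that reveals nothing about the network.
func signInOpenID(identifier string, allowlist []*regexp.Regexp, logger *log.Logger) string {
	if !allowedIdentifier(identifier, allowlist) {
		return "The OpenID identifier is not permitted."
	}
	if err := openIDLookup(identifier); err != nil {
		logger.Printf("OpenID lookup for %q failed: %v", identifier, err)
		return "Unable to verify your OpenID identifier."
	}
	return "OK"
}

func main() {
	var buf bytes.Buffer
	logger := log.New(&buf, "", 0)
	// No allowlist configured: the lookup runs, fails, and only the log sees why.
	fmt.Println("user sees:", signInOpenID("http://10.0.0.5:8080/", nil, logger))
	fmt.Print("server log: ", buf.String())
	// With an allowlist, the internal address is rejected before any request is made.
	allow := []*regexp.Regexp{regexp.MustCompile(`^https://openid\.example\.com/`)}
	fmt.Println("user sees:", signInOpenID("http://10.0.0.5:8080/", allow, logger))
}
```

The check worth keeping in mind is the negative one: the string returned to the user must never contain the host or port from the underlying error, while the log line must, so that an operator can still diagnose failed logins.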
codecov-io commented Jan 12, 2019

Codecov Report

No coverage uploaded for pull request base (master@bf7a112).
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master    #5705   +/-   ##
=========================================
  Coverage          ?   37.76%           
=========================================
  Files             ?      323           
  Lines             ?    47596           
  Branches          ?        0           
=========================================
  Hits              ?    17974           
  Misses            ?    27032           
  Partials          ?     2590
Impacted Files                 Coverage Δ
routers/user/auth_openid.go    0% <0%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update bf7a112...4b76b48.


lunny approved these changes Jan 12, 2019

@bkcsoft bkcsoft added lgtm/done and removed lgtm/need 1 labels Jan 12, 2019

techknowlogick added some commits Jan 12, 2019

@techknowlogick techknowlogick merged commit 2b36bdd into go-gitea:master Jan 12, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr the build was successful

@zeripath zeripath deleted the zeripath:issue-4793-ssrf-in-openid branch Jan 13, 2019

zeripath added a commit to zeripath/gitea that referenced this pull request Jan 13, 2019

Do not display the raw OpenID error in the UI (go-gitea#5705)
(commit message identical to the PR description above)

techknowlogick added a commit that referenced this pull request Jan 13, 2019

Do not display the raw OpenID error in the UI (#5705) (#5712)
(commit message identical to the PR description above)