Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Shadow the password on cache and session config on admin panel #7300

merged 4 commits into from Jun 26, 2019


Copy link

commented Jun 26, 2019

will fix #7147

@lunny lunny added the kind/security label Jun 26, 2019

@lunny lunny added this to the 1.9.0 milestone Jun 26, 2019


sapk approved these changes Jun 26, 2019


This comment has been minimized.

Copy link

commented Jun 26, 2019

Codecov Report

Merging #7300 into master will increase coverage by 0.03%.
The diff coverage is 78.26%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #7300      +/-   ##
+ Coverage    41.2%   41.23%   +0.03%     
  Files         464      464              
  Lines       62788    62832      +44     
+ Hits        25873    25911      +38     
- Misses      33524    33529       +5     
- Partials     3391     3392       +1
Impacted Files Coverage Δ
routers/admin/admin.go 16.66% <78.26%> (+16.66%) ⬆️
modules/log/event.go 65.64% <0%> (+1.02%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42729b7...f0f43ca. Read the comment docs.

@@ -202,6 +202,17 @@ func SendTestMail(ctx *context.Context) {
ctx.Redirect(setting.AppSubURL + "/admin/config")

func shadowPassword(cfgItem string) string {
fields := strings.Split(cfgItem, ",")

This comment has been minimized.

Copy link

mrsdizzie Jun 26, 2019


I think there need to be more than one check, since the config strings can be different for MySQL and redis. This seems to fix for redis, but not MySQL. In the example from #7147, the session provider connection string is:


This format uses DSN, so the password is optional:

Maybe it you can also pass in the adapter/provider to shadowPassword and then know if it is Redis/MySQL and check based on that.

This comment has been minimized.

Copy link

lunny Jun 26, 2019

Author Member

OK. Will fix that.


This comment has been minimized.

Copy link
Member Author

commented Jun 26, 2019

@mrsdizzie done with test.

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels Jun 26, 2019

@lunny lunny merged commit 161e12e into go-gitea:master Jun 26, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr Build is passing

@lunny lunny deleted the lunny:lunny/fix_config_security branch Jun 26, 2019

jeffliu27 added a commit to jeffliu27/gitea that referenced this pull request Jul 18, 2019

Shadow the password on cache and session config on admin panel (go-gi…

* shadow the password on cache and session config on admin panel

* add shadow password of mysql/postgres/couchbase

* fix log import
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
5 participants
You can’t perform that action at this time.