Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

routers/user: ensure that decryption of cookie actually suceeds #7363

Merged

Conversation

@leonklingele
Copy link
Contributor

commented Jul 5, 2019

Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.

routers/user: ensure that decryption of cookie actually suceeds
Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.

@leonklingele leonklingele force-pushed the leonklingele:security-auth-check-cookie-decrypt-success branch from a1553b3 to f6085e4 Jul 5, 2019

@leonklingele leonklingele changed the title routers/users: ensure that decryption of cookie actually suceeds routers/user: ensure that decryption of cookie actually suceeds Jul 5, 2019

@leonklingele

This comment has been minimized.

Copy link
Contributor Author

commented Jul 5, 2019

Fixed typo in commit message.

@GiteaBot GiteaBot added the lgtm/need 2 label Jul 5, 2019

@lunny

lunny approved these changes Jul 6, 2019

@GiteaBot GiteaBot added lgtm/need 1 and removed lgtm/need 2 labels Jul 6, 2019

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels Jul 6, 2019

@lunny

This comment has been minimized.

Copy link
Member

commented Jul 6, 2019

make LGTM work

@lunny lunny merged commit 96b66e3 into go-gitea:master Jul 6, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr Build is passing
Details

@lafriks lafriks added the kind/bug label Jul 6, 2019

@lafriks lafriks added this to the 1.9.0 milestone Jul 6, 2019

jeffliu27 added a commit to jeffliu27/gitea that referenced this pull request Jul 18, 2019

routers/user: ensure that decryption of cookie actually suceeds (go-g…
…itea#7363)

Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
5 participants
You can’t perform that action at this time.