revision = "d8a0b8677191f4380287cfebd08e462217bac7ad"
[[projects]]
- digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702"
+ branch = "master"
+ digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc"
name = "github.com/go-macaron/session"
packages = [
".",
"redis",
]
pruneopts = "NUT"
- revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b"
+ revision = "330e4e4d8beb7b00111ac34539561f46f94c4458"
[[projects]]
digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c"
return err
}
- return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm)
+ return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600)
}
// Flush deletes all session data.
// Read returns raw session store by session ID.
func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
filename := p.filepath(sid)
- if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
+ if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
return nil, err
}
p.lock.RLock()
var f *os.File
if com.IsFile(filename) {
- f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm)
+ f, err = os.OpenFile(filename, os.O_RDONLY, 0600)
} else {
f, err = os.Create(filename)
}
if err != nil {
return err
}
- if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil {
+ if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil {
return err
}
- if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil {
+ if err = ioutil.WriteFile(oldname, data, 0600); err != nil {
return err
}
}
- if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
+ if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
return err
}
if err = os.Rename(oldname, filename); err != nil {
import (
"encoding/hex"
+ "errors"
"fmt"
"net/http"
"net/url"
+ "strings"
"time"
"gopkg.in/macaron.v1"
)
-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"
func Version() string {
return _VERSION
return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
}
-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
+func (m *Manager) sessionID() string {
return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
}
func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
sid := ctx.GetCookie(m.opt.CookieName)
if len(sid) > 0 && m.provider.Exist(sid) {
- return m.provider.Read(sid)
+ return m.Read(sid)
}
- sid = m.sessionId()
+ sid = m.sessionID()
sess, err := m.provider.Read(sid)
if err != nil {
return nil, err
// Read returns raw session store by session ID.
func (m *Manager) Read(sid string) (RawStore, error) {
+ // No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+ // See https://github.com/gogs/gogs/issues/5469
+ if strings.ContainsAny(sid, "./") {
+ return nil, errors.New("invalid 'sid': " + sid)
+ }
+
return m.provider.Read(sid)
}
// RegenerateId regenerates a session store from old session ID to new one.
func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
- sid := m.sessionId()
+ sid := m.sessionID()
oldsid := ctx.GetCookie(m.opt.CookieName)
sess, err = m.provider.Regenerate(oldsid, sid)
if err != nil {
projects / gitea.git / commitdiff