author | leonklingele <5585491+leonklingele@users.noreply.github.com> | 2019-07-06 17:47:09 +0200 |
committer | Lunny Xiao <xiaolunwen@gmail.com> | 2019-07-06 23:47:09 +0800 |
commit | 96b66e330b9a592093799a50219c8118de6951eb (patch) | |
tree | 79ed19b4df12906d4da94bdc06c02476ef377c1a | |
parent | 86750325c76ec18c253fabd4aeed72caca0ee946 (diff) | |
routers/user: ensure that decryption of cookie actually suceeds (#7363)
Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.
-rw-r--r-- | routers/user/auth.go | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go
index 0731e34675..576f630577 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 return false, nil
 }
- if val, _ := ctx.GetSuperSecureCookie( base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+ if val, ok := ctx.GetSuperSecureCookie( base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
 return false, nil
 } |
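Review bot: The new condition `!ok || val != u.Name` is the right shape, but nothing in the code records why the boolean is consulted before the value, so a later reader could "simplify" it back to the old form; a comment above the `if` such as `// Reject the remember-me cookie whenever decryption fails, independent of what value the library hands back.` would pin the intent that currently lives only in the commit message. The guard now rests on what `ok` actually means: if the cookie library only reports decode/decrypt errors and does not authenticate the ciphertext, a tampered cookie could still come back with ok == true and a garbage value that merely fails the name comparison — safe here, but worth confirming against the library, which is outside this hunk. The unchanged part of the line derives the secret as `base.EncodeMD5(u.Rands+u.Passwd)`; MD5 is acting as a fixed-length secret derivation rather than a collision-resistant hash, so it is not a defect on its own, though it does tie cookie validity to the stored password hash, presumably so that a password change invalidates outstanding cookies. AutoSignIn begins and ends outside this hunk, so whatever cookie-clearing fallback runs on the `return false, nil` path cannot be checked from here.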