authorzeripath <art27@cantab.net>2019-01-12 19:24:47 +0000
committertechknowlogick <hello@techknowlogick.com>2019-01-12 14:24:47 -0500
commit2b36bdd4902aa7ee93e15eee961d6a8a4a26e81c (patch)
treede7f360ec4c613c4032f62b27986bb27ff78b8d1
parentbf7a11254d4ee87ef7725eae99652866bdab8a05 (diff)
downloadgitea-2b36bdd4902aa7ee93e15eee961d6a8a4a26e81c.tar.gz
gitea-2b36bdd4902aa7ee93e15eee961d6a8a4a26e81c.zip
Do not display the raw OpenID error in the UI (#5705)
* Do not display the raw OpenID error in the UI If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid section of the app.ini, it is possible that gitea can leak sensitive information about the local network through the error provided by the UI. This PR hides the error information and logs it. Fix #4973 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update auth_openid.go Place error log within the `err != nil` branch.
-rw-r--r--routers/user/auth_openid.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go
index 2c5c36a3bc..b0e9092c78 100644
--- a/routers/user/auth_openid.go
+++ b/routers/user/auth_openid.go
@@ -115,7 +115,8 @@ func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {
redirectTo := setting.AppURL + "user/login/openid"
url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)
if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
+ log.Error(1, "Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())
+ ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)
return
}
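Review bot: Both added lines in the `err != nil` branch interpolate `redirectTo`, which is Gitea's own callback URL (`setting.AppURL + "user/login/openid"`), instead of `id`, the value handed to `openid.RedirectURL` for discovery. The UI text therefore names the local login endpoint as the "OpenID provider", and the log entry omits the submitted identifier, which is what an operator needs in order to notice repeated discovery attempts against internal addresses. Consider `log.Error(1, "Error in OpenID redirect URL: id=%q redirect=%s: %v", id, redirectTo, err)` and `ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", id), tplSignInOpenID, &form)`; `%q` stops a user-supplied identifier from injecting line breaks into the log, and passing `err` directly avoids the redundant `.Error()` call. `id` is assigned outside this hunk, so confirm it is the normalized form of the user's input before echoing it.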