authorzeripath <art27@cantab.net>2022-02-09 07:37:58 +0000
committerGitHub <noreply@github.com>2022-02-09 15:37:58 +0800
commit2f766082214e8f10375a68323e6b7bb1c742775d (patch)
tree9fc308fff5a15ce80de33e99278f92a09a329552 /modules/setting
parent4160aff86e9e606212e6884063c1d15a3c12985a (diff)
Prevent security failure due to bad APP_ID (#18678)
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the current origin. Therefore we should reattempt authentication without the appid extension. Also we should allow [u2f] as well as [U2F] sections. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'modules/setting')
-rw-r--r--modules/setting/setting.go7
1 files changed, 5 insertions, 2 deletions
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 531d265c3a..cdfa1130f2 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -1061,11 +1061,14 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
}
// FIXME: DEPRECATED to be removed in v1.18.0
+ U2F.AppID = strings.TrimSuffix(AppURL, "/")
if Cfg.Section("U2F").HasKey("APP_ID") {
log.Error("Deprecated setting `[U2F]` `APP_ID` present. This fallback will be removed in v1.18.0")
+ U2F.AppID = Cfg.Section("U2F").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
+ } else if Cfg.Section("u2f").HasKey("APP_ID") {
+ log.Error("Deprecated setting `[u2]` `APP_ID` present. This fallback will be removed in v1.18.0")
+ U2F.AppID = Cfg.Section("u2f").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
}
- sec = Cfg.Section("U2F")
- U2F.AppID = sec.Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
}
func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
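Review bot: The deprecation message added on the new `else if` branch names the wrong section: it says `[u2]` although the key is read from `Cfg.Section("u2f")`, so an operator following the log would look for a section that does not exist; change the string to read `[u2f]` so it matches the `[U2F]` message above it. The `MustString(strings.TrimSuffix(AppURL, "/"))` default on both branches is now redundant, since the same value is assigned to `U2F.AppID` unconditionally a few lines earlier; `MustString(U2F.AppID)` would keep the fallback in one place. Because this value is what ends up in the WebAuthn appid extension (per the commit description), it would also help diagnosis to include the configured value in that message, e.g. `log.Error("Deprecated setting `[u2f]` `APP_ID` (%q) present. This fallback will be removed in v1.18.0", U2F.AppID)`, so a value that does not match the served origin is visible in the log. loadFromConf begins before this hunk.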