aboutsummaryrefslogtreecommitdiffstats
path: root/modules/web
diff options
context:
space:
mode:
authorJason Song <i@wolfogre.com>2024-04-19 12:03:53 +0800
committerGitHub <noreply@github.com>2024-04-19 04:03:53 +0000
commit61457cdf6b49225ae831fd9fb084deadd8bdb0fb (patch)
treed910b41d1165ec7cea8ef3a24e8033532a5609f0 /modules/web
parentacfe29fc2bcc5261676868c8fdd6dc0def178d1e (diff)
downloadgitea-61457cdf6b49225ae831fd9fb084deadd8bdb0fb.tar.gz
gitea-61457cdf6b49225ae831fd9fb084deadd8bdb0fb.zip
Avoid importing `modules/web/middleware` in `modules/session` (#30584)
Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
Diffstat (limited to 'modules/web')
-rw-r--r--modules/web/middleware/cookie.go15
1 files changed, 12 insertions, 3 deletions
diff --git a/modules/web/middleware/cookie.go b/modules/web/middleware/cookie.go
index 0bed726793..ec6b06f993 100644
--- a/modules/web/middleware/cookie.go
+++ b/modules/web/middleware/cookie.go
@@ -9,6 +9,7 @@ import (
"net/url"
"strings"
+ "code.gitea.io/gitea/modules/session"
"code.gitea.io/gitea/modules/setting"
)
@@ -48,12 +49,12 @@ func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) {
// Previous versions would use a cookie path with a trailing /.
// These are more specific than cookies without a trailing /, so
// we need to delete these if they exist.
- DeleteLegacySiteCookie(resp, name)
+ deleteLegacySiteCookie(resp, name)
}
-// DeleteLegacySiteCookie deletes the cookie with the given name at the cookie
+// deleteLegacySiteCookie deletes the cookie with the given name at the cookie
// path with a trailing /, which would unintentionally override the cookie.
-func DeleteLegacySiteCookie(resp http.ResponseWriter, name string) {
+func deleteLegacySiteCookie(resp http.ResponseWriter, name string) {
if setting.SessionConfig.CookiePath == "" || strings.HasSuffix(setting.SessionConfig.CookiePath, "/") {
// If the cookie path ends with /, no legacy cookies will take
// precedence, so do nothing. The exception is that cookies with no
@@ -74,3 +75,11 @@ func DeleteLegacySiteCookie(resp http.ResponseWriter, name string) {
}
resp.Header().Add("Set-Cookie", cookie.String())
}
+
+func init() {
+ session.BeforeRegenerateSession = append(session.BeforeRegenerateSession, func(resp http.ResponseWriter, _ *http.Request) {
+ // Ensure that a cookie with a trailing slash does not take precedence over
+ // the cookie written by the middleware.
+ deleteLegacySiteCookie(resp, setting.SessionConfig.CookieName)
+ })
+}