diff options
| author | zeripath <art27@cantab.net> | 2022-02-09 07:37:58 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-09 15:37:58 +0800 |
| commit | 2f766082214e8f10375a68323e6b7bb1c742775d (patch) | |
| tree | 9fc308fff5a15ce80de33e99278f92a09a329552 /modules | |
| parent | 4160aff86e9e606212e6884063c1d15a3c12985a (diff) | |
| download | gitea-2f766082214e8f10375a68323e6b7bb1c742775d.tar.gz gitea-2f766082214e8f10375a68323e6b7bb1c742775d.zip | |
Prevent security failure due to bad APP_ID (#18678)
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.
Also we should allow [u2f] as-well as [U2F] sections.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/setting/setting.go | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 531d265c3a..cdfa1130f2 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -1061,11 +1061,14 @@ func loadFromConf(allowEmpty bool, extraConfig string) { } // FIXME: DEPRECATED to be removed in v1.18.0 + U2F.AppID = strings.TrimSuffix(AppURL, "/") if Cfg.Section("U2F").HasKey("APP_ID") { log.Error("Deprecated setting `[U2F]` `APP_ID` present. This fallback will be removed in v1.18.0") + U2F.AppID = Cfg.Section("U2F").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/")) + } else if Cfg.Section("u2f").HasKey("APP_ID") { + log.Error("Deprecated setting `[u2]` `APP_ID` present. This fallback will be removed in v1.18.0") + U2F.AppID = Cfg.Section("u2f").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/")) } - sec = Cfg.Section("U2F") - U2F.AppID = sec.Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/")) } func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) { |