summaryrefslogtreecommitdiffstats
path: root/routers/user/auth.go
diff options
context:
space:
mode:
authormrsdizzie <info@mrsdizzie.com>2019-03-20 22:06:16 -0400
committertechknowlogick <matti@mdranta.net>2019-03-20 22:06:16 -0400
commit6f2e1bd23ab7670e3bbc76d569b80007ca38af05 (patch)
tree3c44037ccf5dac3b369fed4fcfc4ef54b2dfc6da /routers/user/auth.go
parent6d345e00e602e991153192d6604ff7c6b23d0b74 (diff)
downloadgitea-6f2e1bd23ab7670e3bbc76d569b80007ca38af05.tar.gz
gitea-6f2e1bd23ab7670e3bbc76d569b80007ca38af05.zip
Don't Unescape redirect_to cookie value (#6399)
redirect_to holds a value that we want to redirect back to after login. This value can be a path with intentonally escaped values and we should not unescape it. Fixes #4475
Diffstat (limited to 'routers/user/auth.go')
-rw-r--r--routers/user/auth.go9
1 files changed, 4 insertions, 5 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go
index fc4c358a9a..0a24702c17 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -9,7 +9,6 @@ import (
"errors"
"fmt"
"net/http"
- "net/url"
"strings"
"code.gitea.io/gitea/models"
@@ -96,7 +95,7 @@ func checkAutoLogin(ctx *context.Context) bool {
if len(redirectTo) > 0 {
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
} else {
- redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
+ redirectTo = ctx.GetCookie("redirect_to")
}
if isSucceed {
@@ -496,7 +495,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
return setting.AppSubURL + "/"
}
- if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
+ if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
if obeyRedirect {
ctx.RedirectToFirst(redirectTo)
@@ -587,7 +586,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
return
}
- if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
+ if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.RedirectToFirst(redirectTo)
return
@@ -1298,7 +1297,7 @@ func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form aut
log.Trace("User updated password: %s", u.Name)
- if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
+ if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
ctx.RedirectToFirst(redirectTo)
return