diff options
author | zeripath <art27@cantab.net> | 2021-03-07 08:12:43 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-07 08:12:43 +0000 |
commit | 9b261f52f074fcc11fd705dae63084364c4f7adf (patch) | |
tree | 587521b6929105a76b288a962316504380c1c494 /routers | |
parent | beed5476e2831f7a0943d484873f4f49dfdd256f (diff) | |
download | gitea-9b261f52f074fcc11fd705dae63084364c4f7adf.tar.gz gitea-9b261f52f074fcc11fd705dae63084364c4f7adf.zip |
Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default.
There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR.
Fix #5583
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'routers')
-rw-r--r-- | routers/home.go | 3 | ||||
-rw-r--r-- | routers/install.go | 5 | ||||
-rw-r--r-- | routers/user/auth.go | 37 | ||||
-rw-r--r-- | routers/user/auth_openid.go | 5 | ||||
-rw-r--r-- | routers/user/setting/profile.go | 3 |
5 files changed, 29 insertions, 24 deletions
diff --git a/routers/home.go b/routers/home.go index f82ee9808b..6505a4180d 100644 --- a/routers/home.go +++ b/routers/home.go @@ -17,6 +17,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/util" + "code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/routers/user" ) @@ -46,7 +47,7 @@ func Home(ctx *context.Context) { } else if ctx.User.MustChangePassword { ctx.Data["Title"] = ctx.Tr("auth.must_change_password") ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password" - ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL) + middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI()) ctx.Redirect(setting.AppSubURL + "/user/settings/change_password") } else { user.Dashboard(ctx) diff --git a/routers/install.go b/routers/install.go index cfe5582f2b..7f01738efe 100644 --- a/routers/install.go +++ b/routers/install.go @@ -424,9 +424,10 @@ func InstallPost(ctx *context.Context) { } days := 86400 * setting.LogInRememberDays - ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + ctx.SetCookie(setting.CookieUserName, u.Name, days) + ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), - setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + setting.CookieRememberName, u.Name, days) // Auto-login for admin if err = ctx.Session.Set("uid", u.ID); err != nil { diff --git a/routers/user/auth.go b/routers/user/auth.go index 2d5e7bf449..e5e8cc1151 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -24,6 +24,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/web" + "code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/routers/utils" "code.gitea.io/gitea/services/externalaccount" "code.gitea.io/gitea/services/mailer" @@ -64,8 +65,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) { defer func() { if !isSucceed { log.Trace("auto-login cookie cleared: %s", uname) - ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) - ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + ctx.DeleteCookie(setting.CookieUserName) + ctx.DeleteCookie(setting.CookieRememberName) } }() @@ -95,7 +96,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) { return false, err } - ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + middleware.DeleteCSRFCookie(ctx.Resp) return true, nil } @@ -109,13 +110,13 @@ func checkAutoLogin(ctx *context.Context) bool { redirectTo := ctx.Query("redirect_to") if len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true) + middleware.SetRedirectToCookie(ctx.Resp, redirectTo) } else { redirectTo = ctx.GetCookie("redirect_to") } if isSucceed { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) + middleware.DeleteRedirectToCookie(ctx.Resp) ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL)) return true } @@ -497,9 +498,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) { func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string { if remember { days := 86400 * setting.LogInRememberDays - ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + ctx.SetCookie(setting.CookieUserName, u.Name, days) ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), - setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + setting.CookieRememberName, u.Name, days) } _ = ctx.Session.Delete("openid_verified_uri") @@ -530,10 +531,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR } } - ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + middleware.SetLocaleCookie(ctx.Resp, u.Language, 0) // Clear whatever CSRF has right now, force to generate a new one - ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + middleware.DeleteCSRFCookie(ctx.Resp) // Register last login u.SetLastLogin() @@ -543,7 +544,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR } if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) + middleware.DeleteRedirectToCookie(ctx.Resp) if obeyRedirect { ctx.RedirectToFirst(redirectTo) } @@ -649,7 +650,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context } // Clear whatever CSRF has right now, force to generate a new one - ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + middleware.DeleteCSRFCookie(ctx.Resp) // Register last login u.SetLastLogin() @@ -664,7 +665,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context } if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) + middleware.DeleteRedirectToCookie(ctx.Resp) ctx.RedirectToFirst(redirectTo) return } @@ -1042,11 +1043,11 @@ func LinkAccountPostRegister(ctx *context.Context) { func HandleSignOut(ctx *context.Context) { _ = ctx.Session.Flush() _ = ctx.Session.Destroy(ctx.Resp, ctx.Req) - ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) - ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) - ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) - ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state. - ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) // logout default should set redirect to to default + ctx.DeleteCookie(setting.CookieUserName) + ctx.DeleteCookie(setting.CookieRememberName) + middleware.DeleteCSRFCookie(ctx.Resp) + middleware.DeleteLocaleCookie(ctx.Resp) + middleware.DeleteRedirectToCookie(ctx.Resp) } // SignOut sign out from login status @@ -1623,7 +1624,7 @@ func MustChangePasswordPost(ctx *context.Context) { log.Trace("User updated password: %s", u.Name) if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) + middleware.DeleteRedirectToCookie(ctx.Resp) ctx.RedirectToFirst(redirectTo) return } diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go index e79085e94d..967e8aad2d 100644 --- a/routers/user/auth_openid.go +++ b/routers/user/auth_openid.go @@ -20,6 +20,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/web" + "code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/services/mailer" ) @@ -47,13 +48,13 @@ func SignInOpenID(ctx *context.Context) { redirectTo := ctx.Query("redirect_to") if len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true) + middleware.SetRedirectToCookie(ctx.Resp, redirectTo) } else { redirectTo = ctx.GetCookie("redirect_to") } if isSucceed { - ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) + middleware.DeleteRedirectToCookie(ctx.Resp) ctx.RedirectToFirst(redirectTo) return } diff --git a/routers/user/setting/profile.go b/routers/user/setting/profile.go index 7e90a7ccec..38e371196a 100644 --- a/routers/user/setting/profile.go +++ b/routers/user/setting/profile.go @@ -21,6 +21,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" + "code.gitea.io/gitea/modules/web/middleware" "github.com/unknwon/i18n" ) @@ -116,7 +117,7 @@ func ProfilePost(ctx *context.Context) { } // Update the language to the one we just set - ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) + middleware.SetLocaleCookie(ctx.Resp, ctx.User.Language, 0) log.Trace("User settings updated: %s", ctx.User.Name) ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success")) |