Previously, only the first return value of ctx.GetSuperSecureCookie was used to check whether decryption of the auth cookie succeeded. ctx.GetSuperSecureCookie also returns a second value, a boolean, indicating whether decryption succeeded. That value should be checked first, to be on the safe side and not rely on the internal logic of the encryption/decryption black box (e.g. on a failed decryption happening to yield a value that differs from the user name).
@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) { | |||
return false, nil | |||
} | |||
if val, _ := ctx.GetSuperSecureCookie( | |||
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name { | |||
if val, ok := ctx.GetSuperSecureCookie( | |||
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name { | |||
return false, nil | |||
} | |||
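Review bot: The rewritten condition on the second changed line is the right check, but the two-line `if` initializer buries the security decision; I would split it into `val, ok := ctx.GetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName)` followed by `if !ok || val != u.Name {` and add a comment above it: `// ok is presumably false when the remember cookie is absent or does not decrypt under the per-user key; check it before trusting val.` As far as this hunk shows, a cookie that fails the check is left in the browser (the branch only returns `false, nil`), so every later request repeats the decryption attempt; if the rest of AutoSignIn does not already expire it, consider clearing CookieRememberName on the failure path. The key `base.EncodeMD5(u.Rands+u.Passwd)` ties the cookie to the current password hash and salt, which is pre-existing behaviour and not part of this change. AutoSignIn starts before this hunk and its body continues after it.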