@@ -342,14 +342,15 @@ | |||
revision = "d8a0b8677191f4380287cfebd08e462217bac7ad" | |||
[[projects]] | |||
digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702" | |||
branch = "master" | |||
digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc" | |||
name = "github.com/go-macaron/session" | |||
packages = [ | |||
".", | |||
"redis", | |||
] | |||
pruneopts = "NUT" | |||
revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b" | |||
revision = "330e4e4d8beb7b00111ac34539561f46f94c4458" | |||
[[projects]] | |||
digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c" |
@@ -86,7 +86,7 @@ func (s *FileStore) Release() error { | |||
return err | |||
} | |||
return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm) | |||
return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600) | |||
} | |||
// Flush deletes all session data. | |||
@@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string { | |||
// Read returns raw session store by session ID. | |||
func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | |||
filename := p.filepath(sid) | |||
if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { | |||
if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { | |||
return nil, err | |||
} | |||
p.lock.RLock() | |||
@@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | |||
var f *os.File | |||
if com.IsFile(filename) { | |||
f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm) | |||
f, err = os.OpenFile(filename, os.O_RDONLY, 0600) | |||
} else { | |||
f, err = os.Create(filename) | |||
} | |||
@@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) { | |||
if err != nil { | |||
return err | |||
} | |||
if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil { | |||
if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil { | |||
return err | |||
} | |||
if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil { | |||
if err = ioutil.WriteFile(oldname, data, 0600); err != nil { | |||
return err | |||
} | |||
} | |||
if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { | |||
if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { | |||
return err | |||
} | |||
if err = os.Rename(oldname, filename); err != nil { |
@@ -18,15 +18,17 @@ package session | |||
import ( | |||
"encoding/hex" | |||
"errors" | |||
"fmt" | |||
"net/http" | |||
"net/url" | |||
"strings" | |||
"time" | |||
"gopkg.in/macaron.v1" | |||
) | |||
const _VERSION = "0.3.0" | |||
const _VERSION = "0.4.0" | |||
func Version() string { | |||
return _VERSION | |||
@@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) { | |||
return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig) | |||
} | |||
// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function. | |||
func (m *Manager) sessionId() string { | |||
// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function. | |||
func (m *Manager) sessionID() string { | |||
return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2)) | |||
} | |||
@@ -255,10 +257,10 @@ func (m *Manager) sessionId() string { | |||
func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | |||
sid := ctx.GetCookie(m.opt.CookieName) | |||
if len(sid) > 0 && m.provider.Exist(sid) { | |||
return m.provider.Read(sid) | |||
return m.Read(sid) | |||
} | |||
sid = m.sessionId() | |||
sid = m.sessionID() | |||
sess, err := m.provider.Read(sid) | |||
if err != nil { | |||
return nil, err | |||
@@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | |||
// Read returns raw session store by session ID. | |||
func (m *Manager) Read(sid string) (RawStore, error) { | |||
// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug. | |||
// See https://github.com/gogs/gogs/issues/5469 | |||
if strings.ContainsAny(sid, "./") { | |||
return nil, errors.New("invalid 'sid': " + sid) | |||
} | |||
return m.provider.Read(sid) | |||
} | |||
@@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error { | |||
// RegenerateId regenerates a session store from old session ID to new one. | |||
func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) { | |||
sid := m.sessionId() | |||
sid := m.sessionID() | |||
oldsid := ctx.GetCookie(m.opt.CookieName) | |||
sess, err = m.provider.Regenerate(oldsid, sid) | |||
if err != nil { |