From 017f314b5a0f930b477efa1c2a5309f8cdd6d3c3 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Tue, 24 Dec 2019 00:11:12 +0000
Subject: [PATCH] Use Req.URL.RequestURI() to cope with FCGI urls (#9473)
* Use Req.URL.RequestURI() to cope with FCGI urls
* Add debug logging statement when forbidden in internal API.
---
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +-
 .../doc/advanced/logging-documentation.en-us.md | 2 +-
 modules/context/auth.go | 8 ++++----
 modules/context/permission.go | 10 +++++-----
 modules/setting/log.go | 2 +-
 routers/home.go | 2 +-
 routers/private/internal.go | 2 ++
 routers/routes/routes.go | 4 ++--
 8 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index c059fe55b5..e71fb1b3bc 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -410,7 +410,7 @@ relation to port exhaustion. NB: You must `REDIRECT_MACARON_LOG` and have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
 - `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
 - `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default gitea logger.)
-- `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
+- `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
 - The following variables are available:
 - `Ctx`: the `macaron.Context` of the request.
 - `Identity`: the SignedUserName or `"-"` if not logged in.
diff --git a/docs/content/doc/advanced/logging-documentation.en-us.md b/docs/content/doc/advanced/logging-documentation.en-us.md
index 790e750084..73c8d5dcbc 100644
--- a/docs/content/doc/advanced/logging-documentation.en-us.md
+++ b/docs/content/doc/advanced/logging-documentation.en-us.md
@@ -143,7 +143,7 @@ log using the value: `ACCESS = ,` This value represent a go template. It's default value is:
-`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`
+`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`
 The template is passed following options:
diff --git a/modules/context/auth.go b/modules/context/auth.go
index be63720035..7410db75a5 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -49,7 +49,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 if ctx.Req.URL.Path != "/user/settings/change_password" {
 ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
- ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
+ ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
 ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
 return
 }
@@ -61,7 +61,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 }
 // Redirect to dashboard if user tries to visit any non-login page.
- if options.SignOutRequired && ctx.IsSigned && ctx.Req.RequestURI != "/" {
+ if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
 ctx.Redirect(setting.AppSubURL + "/")
 return
 }
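Review bot: The `redirect_to` value built on the added `ctx.SetCookie` line is still taken straight from the request and later used as a redirect target, and nothing in this hunk shows the stored target being checked as a relative, same-site path when it is consumed; the new `ctx.Req.URL.RequestURI()` is assembled from the parsed URL (escaped path plus `?`+RawQuery, or `URL.Opaque` when that is set) rather than the raw wire target, so it is not byte-identical to the old `ctx.Req.RequestURI` in every case. A one-line comment at this site would save the next reader a lookup, e.g. `// Use URL.RequestURI(): Req.RequestURI is not reliable under FCGI (see #9473); whoever consumes redirect_to must still reject absolute or protocol-relative targets.` The same applies to the `@@ -83` and `@@ -118` hunks of this file and to the `@@ -45` hunk of routers/home.go. In the second hunk the `!= "/"` comparison keeps including the query string, exactly as the old line did, which looks intended. `Toggle` starts and ends outside these hunks.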
@@ -83,7 +83,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 return
 }
- ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
+ ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
 ctx.Redirect(setting.AppSubURL + "/user/login")
 return
 } else if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
@@ -118,7 +118,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 // Redirect to log in page if auto-signin info is provided and has not signed in.
 if !options.SignOutRequired && !ctx.IsSigned && !auth.IsAPIPath(ctx.Req.URL.Path) && len(ctx.GetCookie(setting.CookieUserName)) > 0 {
- ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
+ ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
 ctx.Redirect(setting.AppSubURL + "/user/login")
 return
 }
diff --git a/modules/context/permission.go b/modules/context/permission.go
index f2adf896f9..151be9f832 100644
--- a/modules/context/permission.go
+++ b/modules/context/permission.go
@@ -15,7 +15,7 @@ import (
 func RequireRepoAdmin() macaron.Handler {
 return func(ctx *Context) {
 if !ctx.IsSigned || !ctx.Repo.IsAdmin() {
- ctx.NotFound(ctx.Req.RequestURI, nil)
+ ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 return
 }
 }
@@ -25,7 +25,7 @@ func RequireRepoAdmin() macaron.Handler {
 func RequireRepoWriter(unitType models.UnitType) macaron.Handler {
 return func(ctx *Context) {
 if !ctx.Repo.CanWrite(unitType) {
- ctx.NotFound(ctx.Req.RequestURI, nil)
+ ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 return
 }
 }
@@ -39,7 +39,7 @@ func RequireRepoWriterOr(unitTypes ...models.UnitType) macaron.Handler {
 return
 }
 }
- ctx.NotFound(ctx.Req.RequestURI, nil)
+ ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 }
 }
@@ -63,7 +63,7 @@ func RequireRepoReader(unitType models.UnitType) macaron.Handler {
 ctx.Repo.Permission)
 }
 }
- ctx.NotFound(ctx.Req.RequestURI, nil)
+ ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 return
 }
 }
@@ -96,6 +96,6 @@ func RequireRepoReaderOr(unitTypes ...models.UnitType) macaron.Handler {
 args = append(args, ctx.Repo.Repository, ctx.Repo.Permission)
 log.Trace(format, args...)
 }
- ctx.NotFound(ctx.Req.RequestURI, nil)
+ ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 }
 }
diff --git a/modules/setting/log.go b/modules/setting/log.go
index 5a54a8688e..e7a4658006 100644
--- a/modules/setting/log.go
+++ b/modules/setting/log.go
@@ -204,7 +204,7 @@ func newMacaronLogService() {
 func newAccessLogService() {
 EnableAccessLog = Cfg.Section("log").Key("ENABLE_ACCESS_LOG").MustBool(false)
 AccessLogTemplate = Cfg.Section("log").Key("ACCESS_LOG_TEMPLATE").MustString(
- `{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`)
+ `{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`)
 Cfg.Section("log").Key("ACCESS").MustString("file")
 if EnableAccessLog {
 options := newDefaultLogOptions()
diff --git a/routers/home.go b/routers/home.go
index 4d4bfa5620..d223054f4c 100644
--- a/routers/home.go
+++ b/routers/home.go
@@ -45,7 +45,7 @@ func Home(ctx *context.Context) {
 } else if ctx.User.MustChangePassword {
 ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
- ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL)
+ ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
 ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
 } else {
 user.Dashboard(ctx)
diff --git a/routers/private/internal.go b/routers/private/internal.go
index cfbad19678..dafcd88822 100644
--- a/routers/private/internal.go
+++ b/routers/private/internal.go
@@ -9,6 +9,7 @@ import (
 "strings"
 "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/setting"
 "gitea.com/macaron/macaron"
@@ -19,6 +20,7 @@ func CheckInternalToken(ctx *macaron.Context) {
 tokens := ctx.Req.Header.Get("Authorization")
 fields := strings.Fields(tokens)
 if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
+ log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
 ctx.Error(403)
 }
 }
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index cb4fadbcdb..c434c42263 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
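Review bot: The added `log.Debug` in `CheckInternalToken` writes the raw `Authorization` header value into the log, which puts credential material (a mistyped or recently rotated internal token, or an unrelated bearer token sent to the wrong path) into a file that is typically far less protected than the configured token itself. Log the fact and the origin rather than the secret, e.g. `log.Debug("Forbidden attempt to access internal url from %s: %d Authorization field(s) present", ctx.RemoteAddr(), len(fields))`; `ctx.RemoteAddr()` is already called on a `*macaron.Context` in the routers/routes/routes.go hunk of this patch. The `fields[1] != setting.InternalToken` comparison on the line above predates this change, but it is a plain string compare; `subtle.ConstantTimeCompare([]byte(fields[1]), []byte(setting.InternalToken)) != 1` (with a `crypto/subtle` import) would remove the timing difference. The function's opening line is before the hunk; its closing brace is the hunk's last line.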
@@ -97,13 +97,13 @@ func RouterHandler(level log.Level) func(ctx *macaron.Context) {
 return func(ctx *macaron.Context) {
 start := time.Now()
- _ = log.GetLogger("router").Log(0, level, "Started %s %s for %s", log.ColoredMethod(ctx.Req.Method), ctx.Req.RequestURI, ctx.RemoteAddr())
+ _ = log.GetLogger("router").Log(0, level, "Started %s %s for %s", log.ColoredMethod(ctx.Req.Method), ctx.Req.URL.RequestURI(), ctx.RemoteAddr())
 rw := ctx.Resp.(macaron.ResponseWriter)
 ctx.Next()
 status := rw.Status()
- _ = log.GetLogger("router").Log(0, level, "Completed %s %s %v %s in %v", log.ColoredMethod(ctx.Req.Method), ctx.Req.RequestURI, log.ColoredStatus(status), log.ColoredStatus(status, http.StatusText(rw.Status())), log.ColoredTime(time.Since(start)))
+ _ = log.GetLogger("router").Log(0, level, "Completed %s %s %v %s in %v", log.ColoredMethod(ctx.Req.Method), ctx.Req.URL.RequestURI(), log.ColoredStatus(status), log.ColoredStatus(status, http.StatusText(rw.Status())), log.ColoredTime(time.Since(start)))
 }
 }
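Review bot: Both rewritten `Log` calls print `ctx.Req.URL.RequestURI()`, which carries the full query string, so any sensitive value passed as a query parameter is written to the router log at the configured level on every request; logging `ctx.Req.URL.Path` (or a redacted query) would be the safer field, or the router-log documentation should state that query strings are recorded. On the rewritten `Completed` line, `http.StatusText(rw.Status())` re-reads the status already captured two lines up as `status`; `http.StatusText(status)` is the consistent form. `RouterHandler`'s opening line is before the hunk; its closing brace is the hunk's last line.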