Update go-macaron/session to latest mast to fix RCE-bug (#5195)
This commit is contained in:
parent
4d66de684f
commit
582213a858
3 changed files with 23 additions and 14 deletions
5
Gopkg.lock
generated
5
Gopkg.lock
generated
|
@ -342,14 +342,15 @@
|
||||||
revision = "d8a0b8677191f4380287cfebd08e462217bac7ad"
|
revision = "d8a0b8677191f4380287cfebd08e462217bac7ad"
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702"
|
branch = "master"
|
||||||
|
digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc"
|
||||||
name = "github.com/go-macaron/session"
|
name = "github.com/go-macaron/session"
|
||||||
packages = [
|
packages = [
|
||||||
".",
|
".",
|
||||||
"redis",
|
"redis",
|
||||||
]
|
]
|
||||||
pruneopts = "NUT"
|
pruneopts = "NUT"
|
||||||
revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b"
|
revision = "330e4e4d8beb7b00111ac34539561f46f94c4458"
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c"
|
digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c"
|
||||||
|
|
12
vendor/github.com/go-macaron/session/file.go
generated
vendored
12
vendor/github.com/go-macaron/session/file.go
generated
vendored
|
@ -86,7 +86,7 @@ func (s *FileStore) Release() error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm)
|
return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Flush deletes all session data.
|
// Flush deletes all session data.
|
||||||
|
@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string {
|
||||||
// Read returns raw session store by session ID.
|
// Read returns raw session store by session ID.
|
||||||
func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
|
func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
|
||||||
filename := p.filepath(sid)
|
filename := p.filepath(sid)
|
||||||
if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
|
if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
p.lock.RLock()
|
p.lock.RLock()
|
||||||
|
@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
|
||||||
|
|
||||||
var f *os.File
|
var f *os.File
|
||||||
if com.IsFile(filename) {
|
if com.IsFile(filename) {
|
||||||
f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm)
|
f, err = os.OpenFile(filename, os.O_RDONLY, 0600)
|
||||||
} else {
|
} else {
|
||||||
f, err = os.Create(filename)
|
f, err = os.Create(filename)
|
||||||
}
|
}
|
||||||
|
@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil {
|
if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil {
|
if err = ioutil.WriteFile(oldname, data, 0600); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
|
if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err = os.Rename(oldname, filename); err != nil {
|
if err = os.Rename(oldname, filename); err != nil {
|
||||||
|
|
20
vendor/github.com/go-macaron/session/session.go
generated
vendored
20
vendor/github.com/go-macaron/session/session.go
generated
vendored
|
@ -18,15 +18,17 @@ package session
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"gopkg.in/macaron.v1"
|
"gopkg.in/macaron.v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
const _VERSION = "0.3.0"
|
const _VERSION = "0.4.0"
|
||||||
|
|
||||||
func Version() string {
|
func Version() string {
|
||||||
return _VERSION
|
return _VERSION
|
||||||
|
@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
|
||||||
return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
|
return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
|
// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
|
||||||
func (m *Manager) sessionId() string {
|
func (m *Manager) sessionID() string {
|
||||||
return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
|
return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -255,10 +257,10 @@ func (m *Manager) sessionId() string {
|
||||||
func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
|
func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
|
||||||
sid := ctx.GetCookie(m.opt.CookieName)
|
sid := ctx.GetCookie(m.opt.CookieName)
|
||||||
if len(sid) > 0 && m.provider.Exist(sid) {
|
if len(sid) > 0 && m.provider.Exist(sid) {
|
||||||
return m.provider.Read(sid)
|
return m.Read(sid)
|
||||||
}
|
}
|
||||||
|
|
||||||
sid = m.sessionId()
|
sid = m.sessionID()
|
||||||
sess, err := m.provider.Read(sid)
|
sess, err := m.provider.Read(sid)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
|
||||||
|
|
||||||
// Read returns raw session store by session ID.
|
// Read returns raw session store by session ID.
|
||||||
func (m *Manager) Read(sid string) (RawStore, error) {
|
func (m *Manager) Read(sid string) (RawStore, error) {
|
||||||
|
// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
|
||||||
|
// See https://github.com/gogs/gogs/issues/5469
|
||||||
|
if strings.ContainsAny(sid, "./") {
|
||||||
|
return nil, errors.New("invalid 'sid': " + sid)
|
||||||
|
}
|
||||||
|
|
||||||
return m.provider.Read(sid)
|
return m.provider.Read(sid)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {
|
||||||
|
|
||||||
// RegenerateId regenerates a session store from old session ID to new one.
|
// RegenerateId regenerates a session store from old session ID to new one.
|
||||||
func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
|
func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
|
||||||
sid := m.sessionId()
|
sid := m.sessionID()
|
||||||
oldsid := ctx.GetCookie(m.opt.CookieName)
|
oldsid := ctx.GetCookie(m.opt.CookieName)
|
||||||
sess, err = m.provider.Regenerate(oldsid, sid)
|
sess, err = m.provider.Regenerate(oldsid, sid)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Reference in a new issue