From 6f2e1bd23ab7670e3bbc76d569b80007ca38af05 Mon Sep 17 00:00:00 2001 From: mrsdizzie Date: Wed, 20 Mar 2019 22:06:16 -0400 Subject: [PATCH] Don't Unescape redirect_to cookie value (#6399) redirect_to holds a value that we want to redirect back to after login. This value can be a path with intentonally escaped values and we should not unescape it. Fixes #4475 --- routers/user/auth.go | 9 ++++----- routers/user/auth_openid.go | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index fc4c358a9..0a24702c1 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -9,7 +9,6 @@ import ( "errors" "fmt" "net/http" - "net/url" "strings" "code.gitea.io/gitea/models" @@ -96,7 +95,7 @@ func checkAutoLogin(ctx *context.Context) bool { if len(redirectTo) > 0 { ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true) } else { - redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to")) + redirectTo = ctx.GetCookie("redirect_to") } if isSucceed { @@ -496,7 +495,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR return setting.AppSubURL + "/" } - if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) { + if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) { ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) if obeyRedirect { ctx.RedirectToFirst(redirectTo) @@ -587,7 +586,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context return } - if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { + if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 { ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) ctx.RedirectToFirst(redirectTo) return @@ -1298,7 +1297,7 @@ func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form aut log.Trace("User updated password: %s", u.Name) - if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) { + if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) { ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) ctx.RedirectToFirst(redirectTo) return diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go index b0e9092c7..8a8a5b730 100644 --- a/routers/user/auth_openid.go +++ b/routers/user/auth_openid.go @@ -47,7 +47,7 @@ func SignInOpenID(ctx *context.Context) { if len(redirectTo) > 0 { ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true) } else { - redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to")) + redirectTo = ctx.GetCookie("redirect_to") } if isSucceed {