Kim "BKC" Carlbäcker
Lunny Xiao
7 years ago
3 changed files with 23 additions and 14 deletions
Split View
Diff Options
-
+3 -2Gopkg.lock
-
+6 -6vendor/github.com/go-macaron/session/file.go
-
+14 -6vendor/github.com/go-macaron/session/session.go
+ 3
- 2
Gopkg.lock
View File
| @@ -342,14 +342,15 @@ | |||
| revision = "d8a0b8677191f4380287cfebd08e462217bac7ad" | |||
| [[projects]] | |||
| digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702" | |||
| branch = "master" | |||
| digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc" | |||
| name = "github.com/go-macaron/session" | |||
| packages = [ | |||
| ".", | |||
| "redis", | |||
| ] | |||
| pruneopts = "NUT" | |||
| revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b" | |||
| revision = "330e4e4d8beb7b00111ac34539561f46f94c4458" | |||
| [[projects]] | |||
| digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c" | |||
+ 6
- 6
vendor/github.com/go-macaron/session/file.go
View File
| @@ -86,7 +86,7 @@ func (s *FileStore) Release() error { | |||
| return err | |||
| } | |||
| return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm) | |||
| return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600) | |||
| } | |||
| // Flush deletes all session data. | |||
| @@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string { | |||
| // Read returns raw session store by session ID. | |||
| func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | |||
| filename := p.filepath(sid) | |||
| if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { | |||
| if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { | |||
| return nil, err | |||
| } | |||
| p.lock.RLock() | |||
| @@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | |||
| var f *os.File | |||
| if com.IsFile(filename) { | |||
| f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm) | |||
| f, err = os.OpenFile(filename, os.O_RDONLY, 0600) | |||
| } else { | |||
| f, err = os.Create(filename) | |||
| } | |||
| @@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) { | |||
| if err != nil { | |||
| return err | |||
| } | |||
| if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil { | |||
| if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil { | |||
| return err | |||
| } | |||
| if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil { | |||
| if err = ioutil.WriteFile(oldname, data, 0600); err != nil { | |||
| return err | |||
| } | |||
| } | |||
| if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { | |||
| if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { | |||
| return err | |||
| } | |||
| if err = os.Rename(oldname, filename); err != nil { | |||
+ 14
- 6
vendor/github.com/go-macaron/session/session.go
View File
| @@ -18,15 +18,17 @@ package session | |||
| import ( | |||
| "encoding/hex" | |||
| "errors" | |||
| "fmt" | |||
| "net/http" | |||
| "net/url" | |||
| "strings" | |||
| "time" | |||
| "gopkg.in/macaron.v1" | |||
| ) | |||
| const _VERSION = "0.3.0" | |||
| const _VERSION = "0.4.0" | |||
| func Version() string { | |||
| return _VERSION | |||
| @@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) { | |||
| return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig) | |||
| } | |||
| // sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function. | |||
| func (m *Manager) sessionId() string { | |||
| // sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function. | |||
| func (m *Manager) sessionID() string { | |||
| return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2)) | |||
| } | |||
| @@ -255,10 +257,10 @@ func (m *Manager) sessionId() string { | |||
| func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | |||
| sid := ctx.GetCookie(m.opt.CookieName) | |||
| if len(sid) > 0 && m.provider.Exist(sid) { | |||
| return m.provider.Read(sid) | |||
| return m.Read(sid) | |||
| } | |||
| sid = m.sessionId() | |||
| sid = m.sessionID() | |||
| sess, err := m.provider.Read(sid) | |||
| if err != nil { | |||
| return nil, err | |||
| @@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | |||
| // Read returns raw session store by session ID. | |||
| func (m *Manager) Read(sid string) (RawStore, error) { | |||
| // No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug. | |||
| // See https://github.com/gogs/gogs/issues/5469 | |||
| if strings.ContainsAny(sid, "./") { | |||
| return nil, errors.New("invalid 'sid': " + sid) | |||
| } | |||
| return m.provider.Read(sid) | |||
| } | |||
| @@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error { | |||
| // RegenerateId regenerates a session store from old session ID to new one. | |||
| func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) { | |||
| sid := m.sessionId() | |||
| sid := m.sessionID() | |||
| oldsid := ctx.GetCookie(m.opt.CookieName) | |||
| sess, err = m.provider.Regenerate(oldsid, sid) | |||
| if err != nil { | |||