Kim "BKC" Carlbäcker
Lunny Xiao
6 years ago
3 changed files with 23 additions and 14 deletions
Unified View
Diff Options
-
+3 -2Gopkg.lock
-
+6 -6vendor/github.com/go-macaron/session/file.go
-
+14 -6vendor/github.com/go-macaron/session/session.go
+ 3
- 2
Gopkg.lock
View File
| @@ -342,14 +342,15 @@ | |||||
| revision = "d8a0b8677191f4380287cfebd08e462217bac7ad" | revision = "d8a0b8677191f4380287cfebd08e462217bac7ad" | ||||
| [[projects]] | [[projects]] | ||||
| digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702" | |||||
| branch = "master" | |||||
| digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc" | |||||
| name = "github.com/go-macaron/session" | name = "github.com/go-macaron/session" | ||||
| packages = [ | packages = [ | ||||
| ".", | ".", | ||||
| "redis", | "redis", | ||||
| ] | ] | ||||
| pruneopts = "NUT" | pruneopts = "NUT" | ||||
| revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b" | |||||
| revision = "330e4e4d8beb7b00111ac34539561f46f94c4458" | |||||
| [[projects]] | [[projects]] | ||||
| digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c" | digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c" | ||||
+ 6
- 6
vendor/github.com/go-macaron/session/file.go
View File
| @@ -86,7 +86,7 @@ func (s *FileStore) Release() error { | |||||
| return err | return err | ||||
| } | } | ||||
| return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm) | |||||
| return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600) | |||||
| } | } | ||||
| // Flush deletes all session data. | // Flush deletes all session data. | ||||
| @@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string { | |||||
| // Read returns raw session store by session ID. | // Read returns raw session store by session ID. | ||||
| func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | ||||
| filename := p.filepath(sid) | filename := p.filepath(sid) | ||||
| if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { | |||||
| if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { | |||||
| return nil, err | return nil, err | ||||
| } | } | ||||
| p.lock.RLock() | p.lock.RLock() | ||||
| @@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) { | |||||
| var f *os.File | var f *os.File | ||||
| if com.IsFile(filename) { | if com.IsFile(filename) { | ||||
| f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm) | |||||
| f, err = os.OpenFile(filename, os.O_RDONLY, 0600) | |||||
| } else { | } else { | ||||
| f, err = os.Create(filename) | f, err = os.Create(filename) | ||||
| } | } | ||||
| @@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) { | |||||
| if err != nil { | if err != nil { | ||||
| return err | return err | ||||
| } | } | ||||
| if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil { | |||||
| if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil { | |||||
| return err | return err | ||||
| } | } | ||||
| if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil { | |||||
| if err = ioutil.WriteFile(oldname, data, 0600); err != nil { | |||||
| return err | return err | ||||
| } | } | ||||
| } | } | ||||
| if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { | |||||
| if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { | |||||
| return err | return err | ||||
| } | } | ||||
| if err = os.Rename(oldname, filename); err != nil { | if err = os.Rename(oldname, filename); err != nil { | ||||
+ 14
- 6
vendor/github.com/go-macaron/session/session.go
View File
| @@ -18,15 +18,17 @@ package session | |||||
| import ( | import ( | ||||
| "encoding/hex" | "encoding/hex" | ||||
| "errors" | |||||
| "fmt" | "fmt" | ||||
| "net/http" | "net/http" | ||||
| "net/url" | "net/url" | ||||
| "strings" | |||||
| "time" | "time" | ||||
| "gopkg.in/macaron.v1" | "gopkg.in/macaron.v1" | ||||
| ) | ) | ||||
| const _VERSION = "0.3.0" | |||||
| const _VERSION = "0.4.0" | |||||
| func Version() string { | func Version() string { | ||||
| return _VERSION | return _VERSION | ||||
| @@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) { | |||||
| return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig) | return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig) | ||||
| } | } | ||||
| // sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function. | |||||
| func (m *Manager) sessionId() string { | |||||
| // sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function. | |||||
| func (m *Manager) sessionID() string { | |||||
| return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2)) | return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2)) | ||||
| } | } | ||||
| @@ -255,10 +257,10 @@ func (m *Manager) sessionId() string { | |||||
| func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | ||||
| sid := ctx.GetCookie(m.opt.CookieName) | sid := ctx.GetCookie(m.opt.CookieName) | ||||
| if len(sid) > 0 && m.provider.Exist(sid) { | if len(sid) > 0 && m.provider.Exist(sid) { | ||||
| return m.provider.Read(sid) | |||||
| return m.Read(sid) | |||||
| } | } | ||||
| sid = m.sessionId() | |||||
| sid = m.sessionID() | |||||
| sess, err := m.provider.Read(sid) | sess, err := m.provider.Read(sid) | ||||
| if err != nil { | if err != nil { | ||||
| return nil, err | return nil, err | ||||
| @@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { | |||||
| // Read returns raw session store by session ID. | // Read returns raw session store by session ID. | ||||
| func (m *Manager) Read(sid string) (RawStore, error) { | func (m *Manager) Read(sid string) (RawStore, error) { | ||||
| // No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug. | |||||
| // See https://github.com/gogs/gogs/issues/5469 | |||||
| if strings.ContainsAny(sid, "./") { | |||||
| return nil, errors.New("invalid 'sid': " + sid) | |||||
| } | |||||
| return m.provider.Read(sid) | return m.provider.Read(sid) | ||||
| } | } | ||||
| @@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error { | |||||
| // RegenerateId regenerates a session store from old session ID to new one. | // RegenerateId regenerates a session store from old session ID to new one. | ||||
| func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) { | func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) { | ||||
| sid := m.sessionId() | |||||
| sid := m.sessionID() | |||||
| oldsid := ctx.GetCookie(m.opt.CookieName) | oldsid := ctx.GetCookie(m.opt.CookieName) | ||||
| sess, err = m.provider.Regenerate(oldsid, sid) | sess, err = m.provider.Regenerate(oldsid, sid) | ||||
| if err != nil { | if err != nil { | ||||