Description
- Gitea version (or commit ref): 1.12.4
- Git version: 2.26.2
- Operating system: Gentoo/Linux
- Using the Gentoo init script for OpenRC
- Gitea built using the (gentoo ebuild)
- Database (use [x]):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (provide example URL)
  - No
- Log gist: N/A
Description
When REQUIRE_SIGNIN_VIEW is enabled, any request to any URL (even if non existent) seems to redirect to /user/login and places a cookie containing the original URL to redirect after login.
This seems fine at first glance.
However, there is a race condition here: for example, if the browser requests a favicon.ico before the user is logged in, a cookie will be set with redirect_to=%2Ffavicon.ico.
Then, if the user navigates to the login page and submits the login form, they will be redirected to /favicon.ico.
Screenshots
NA
Steps to reproduce
To reproduce this, you need to make the browser request a favicon.ico. This only seems to happen when the page you request does not explicitly include an icon.
The easiest way I found is trying to open the swagger UI while logged out, and then login.
- Make sure to set `REQUIRE_SIGNIN_VIEW=true` in app.ini
- Use an incognito window, preferably in a new profile (e.g. `chromium --incognito --user-data-dir=$(mktemp -d)`)
- Make sure you are logged out; open developer tools (F12), go to the "Network" tab and check "disable cache" and "preserve log"
- Navigate to https://your-gitea/api/swagger
- This should return HTTP 403. Since the content is JSON, chrome will hopefully also request a favicon.ico. (If you don't see chrome requesting a favicon, please try again or this won't work.)
- The favicon request will return HTTP 302 with `location: /user/login` and will include a `set-cookie: redirect_to=%2Ffavicon.ico; Path=/`. Since this is not the page you navigated to (it's only a resource), the redirect is ignored. However, the cookie is set.
- Manually navigate to the gitea home page (type the URL in the address bar) and click on the login button in the menu
- You will now be at the login page (the URL is https://your-gitea/user/login?redirect_to=). The cookie remains unchanged.
- Type a valid username and password, and click Sign in
- This will make a POST to /user/login, including the cookie `cookie: lang=en-US; i_like_gitea=d96a44102eca1a57; _csrf=Kbj8-XwU1_qYqn5_7cyXyYafpgs6MTYwNjc4NjMyMTgwNzY5NDg2Ng; redirect_to=%2Ffavicon.ico`. Therefore, the reply will be HTTP 302 with `location: /favicon.ico`
- Your browser will comply and redirect you to https://your-gitea/favicon.ico instead of a sane page like the homepage.
- Additionally, since there is no favicon.ico, a 404 plain-text error is returned with the following headers:
content-type: text/plain; charset=utf-8
content-length: 19
content-disposition: attachment; filename=favicon.png
This leaves the user with an ERR_INVALID_RESPONSE message after login.
(Also note that it returns filename=favicon.png even though I requested a favicon.ico which supposedly doesn't exist. Maybe this is another issue in itself.)
Endpoint replies
REQUIRE_SIGNIN_VIEW=true
# curl -sI 127.0.0.1:3000/favicon.ico | grep -E "HTTP|redirect|Location"
HTTP/1.1 302 Found
Location: /user/login
Set-Cookie: redirect_to=%2Ffavicon.ico; Path=/
# curl -sI 127.0.0.1:3000/asdfasfadsfasdfdsfaf | grep -E "HTTP|redirect|Location"
HTTP/1.1 302 Found
Location: /user/login
Set-Cookie: redirect_to=%2Fasdfasfadsfasdfdsfaf; Path=/
REQUIRE_SIGNIN_VIEW=false
# curl -sI 127.0.0.1:3000/favicon.ico | grep -E "HTTP|redirect|Location"
HTTP/1.1 404 Not Found
# curl -sI 127.0.0.1:3000/asdfasfadsfasdfdsfaf | grep -E "HTTP|redirect|Location"
HTTP/1.1 404 Not Found