Fix open redirect vulnerability on login screen #4312

jonasfranz · 2018-06-25T11:24:40Z

Fix #4307 by checking if URL is external before redirecting.

Affected:

2FA
U2F
Normal login

Signed-off-by: Jonas Franz <info@jonasfranz.software>

codecov-io · 2018-06-25T11:34:04Z

Codecov Report

Merging #4312 into master will increase coverage by 0.01%.
The diff coverage is 60%.

@@            Coverage Diff            @@
##           master   #4312      +/-   ##
=========================================
+ Coverage   20.09%   20.1%   +0.01%     
=========================================
  Files         153     153              
  Lines       30696   30705       +9     
=========================================
+ Hits         6168    6174       +6     
- Misses      23586   23588       +2     
- Partials      942     943       +1

Impacted Files	Coverage Δ
routers/user/auth.go	`0% <0%> (ø)`	⬆️
modules/util/util.go	`36% <66.66%> (+6.73%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b8c2420...3913603. Read the comment docs.

lafriks · 2018-06-25T12:23:58Z

modules/util/util_test.go

+		newTest(true,
+			"http://example.com"),
+		newTest(false,
+			"a/"),


Why is this false?

Because it is not external

lafriks · 2018-06-25T12:24:20Z

modules/util/util_test.go

+			"a/"),
+		newTest(false,
+			"https://try.gitea.io/test?param=false"),
+		newTest(false,


Because it is not external

lafriks · 2018-06-25T12:24:31Z

modules/util/util_test.go

+			"test?param=false"),
+		newTest(false,
+			"//try.gitea.io/test?param=false"),
+		newTest(false,


Because it is not external

lunny · 2018-06-26T01:51:01Z

LGTM

strk

Looks good, thanks!

techknowlogick · 2018-06-26T21:00:50Z

@JonasFranzDEV could you backport this to 1.4 as well?

bkcsoft · 2018-06-26T21:16:33Z

I'm working on a backport to 1.4

sapk · 2018-06-28T13:37:26Z

modules/util/util.go

+	if err != nil {
+		return true
+	}
+	if len(parsed.Host) != 0 && strings.Replace(parsed.Host, "www.", "", 1) != strings.Replace(setting.Domain, "www.", "", 1) {


jonasfranz added 3 commits June 25, 2018 13:22

Fix open redirect vulnerability on login screen

b49ee5d

Signed-off-by: Jonas Franz <info@jonasfranz.software>

Reorder imports

3d722b7

Signed-off-by: Jonas Franz <info@jonasfranz.software>

Replace www. from Domain too

fff3256

Signed-off-by: Jonas Franz <info@jonasfranz.software>

bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 25, 2018

lafriks reviewed Jun 25, 2018

View reviewed changes

techknowlogick added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jun 25, 2018

techknowlogick added this to the 1.5.0 milestone Jun 25, 2018

Merge branch 'master' into fix-open-redirect

3913603

techknowlogick approved these changes Jun 25, 2018

View reviewed changes

bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 25, 2018

bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 26, 2018

strk approved these changes Jun 26, 2018

View reviewed changes

lunny merged commit 801843b into go-gitea:master Jun 26, 2018

techknowlogick added the backport/v1.4 label Jun 26, 2018

bkcsoft pushed a commit that referenced this pull request Jun 26, 2018

Backport #4312 to v1.4

ce8696e

bkcsoft mentioned this pull request Jun 26, 2018

Backport #4312 to v1.4 #4320

Merged

bkcsoft added a commit that referenced this pull request Jun 26, 2018

Backport #4312 to v1.4 (#4320)

459a265

jonasfranz deleted the fix-open-redirect branch June 27, 2018 21:03

sapk mentioned this pull request Jun 28, 2018

Open redirect vulnerability on 2FA #4307

Closed

7 tasks

sapk reviewed Jun 28, 2018

View reviewed changes

ghost mentioned this pull request Jun 28, 2018

Open Redirect vulnerability on internal links #4332

Closed

7 tasks

go-gitea locked and limited conversation to collaborators Nov 24, 2020

Uh oh!

Uh oh!

Fix open redirect vulnerability on login screen #4312

Fix open redirect vulnerability on login screen #4312

Uh oh!

Conversation

jonasfranz commented Jun 25, 2018

Uh oh!

codecov-io commented Jun 25, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

lafriks Jun 25, 2018

Choose a reason for hiding this comment

Uh oh!

jonasfranz Jun 25, 2018

Choose a reason for hiding this comment

Uh oh!

lafriks Jun 25, 2018

Choose a reason for hiding this comment

Uh oh!

jonasfranz Jun 25, 2018

Choose a reason for hiding this comment

Uh oh!

lafriks Jun 25, 2018

Choose a reason for hiding this comment

Uh oh!

jonasfranz Jun 25, 2018

Choose a reason for hiding this comment

Uh oh!

lunny commented Jun 26, 2018

Uh oh!

strk left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

techknowlogick commented Jun 26, 2018

Uh oh!

bkcsoft commented Jun 26, 2018

Uh oh!

sapk Jun 28, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

codecov-io commented Jun 25, 2018 •

edited

Loading

strk left a comment •

edited

Loading

sapk Jun 28, 2018 •

edited

Loading