
Don't Unescape redirect_to cookie value #6399

Merged
merged 4 commits into from
Mar 21, 2019

Conversation

mrsdizzie
Member

@mrsdizzie mrsdizzie commented Mar 20, 2019

redirect_to holds a value that we want to redirect back to after login. This value can be a path with intentionally escaped values and we should not unescape it.

I'd guess the original logic here is that all cookies are escaped and so you usually unescape them before using the values. However, getCookie already does unescaping so we are doing it twice.
To see this bad behavior: log out of try.gitea.io then visit this URL

https://try.gitea.io/mrsdizzie/parsing-errors/src/branch/master/%23testme

And click sign in from there. The path remains escaped until the final redirect after successful sign in, at which point it redirects to the incorrect https://try.gitea.io/mrsdizzie/parsing-errors/src/branch/master/#testme which isn't rendered properly and just shows the main repo page.

That is because getCookie returns the unescaped mrsdizzie/parsing-errors/src/branch/master/%23testme and then the 2nd call to url.QueryUnescape turns that into mrsdizzie/parsing-errors/src/branch/master#testme.

For reference, I bet things are this way because they predate the following change:
go-macaron/macaron@b7c39df#diff-05a3aa0ab9e5687ff167e0ef3ae4c5a6R300

Fixes #4475
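The double-decode described in the PR body can be reproduced with a small stand-alone program. This is an added example, not Gitea's or macaron's code: it assumes a map-backed cookie jar in which the writer escapes values with url.QueryEscape and the reader (the getCookie stand-in) already decodes them once, then shows the pre-fix second QueryUnescape beside the fixed path that passes getCookie's result through unchanged.

```go
package main

import (
	"fmt"
	"net/url"
)

// cookieJar is a constructed stand-in for the real cookie store; not Gitea's code.
type cookieJar map[string]string

// setCookie models a cookie writer that escapes the value on the way in
// (the PR description notes that cookies are written escaped).
func setCookie(jar cookieJar, name, value string) {
	jar[name] = url.QueryEscape(value)
}

// getCookie models a reader that already unescapes once on the way out,
// which is the getCookie behaviour the PR description relies on.
func getCookie(jar cookieJar, name string) string {
	raw, ok := jar[name]
	if !ok {
		return ""
	}
	v, err := url.QueryUnescape(raw)
	if err != nil {
		return ""
	}
	return v
}

// redirectTargetBuggy reproduces the pre-fix logic: a second QueryUnescape on a
// value getCookie has already decoded, so a literal "%23" in the stored path
// collapses into "#" and the browser treats the remainder as a fragment.
func redirectTargetBuggy(jar cookieJar) string {
	v := getCookie(jar, "redirect_to")
	decoded, err := url.QueryUnescape(v)
	if err != nil {
		return ""
	}
	return decoded
}

// redirectTargetFixed is the post-fix logic: trust getCookie's single decode
// and hand the stored path on unchanged.
func redirectTargetFixed(jar cookieJar) string {
	return getCookie(jar, "redirect_to")
}

func main() {
	jar := cookieJar{}
	// Constructed input: the branch path from the PR's reproduction URL, with an escaped '#'.
	setCookie(jar, "redirect_to", "mrsdizzie/parsing-errors/src/branch/master/%23testme")
	fmt.Println("stored cookie :", jar["redirect_to"])
	fmt.Println("buggy redirect:", redirectTargetBuggy(jar))
	fmt.Println("fixed redirect:", redirectTargetFixed(jar))
}
```

Running it prints the stored cookie with every `/` and `%` escaped, the buggy redirect ending in `master/#testme`, and the fixed redirect still ending in `master/%23testme`. The general rule the example illustrates: decode a value exactly once, at the layer that owns the encoding, and treat what that layer returns as the canonical value.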

redirect_to holds a value that we want to redirect back to after login.
This value can be a path with intentionally escaped values and we
should not unescape it.

Fixes go-gitea#4475
@codecov-io

codecov-io commented Mar 20, 2019

Codecov Report

❗ No coverage uploaded for pull request base (master@6d345e0).
The diff coverage is 20%.

@@            Coverage Diff            @@
##             master    #6399   +/-   ##
=========================================
  Coverage          ?   38.85%           
=========================================
  Files             ?      365           
  Lines             ?    51389           
  Branches          ?        0           
=========================================
  Hits              ?    19965           
  Misses            ?    28553           
  Partials          ?     2871
Impacted Files               Coverage Δ
routers/user/auth_openid.go  0% <0%> (ø)
routers/user/auth.go         13.07% <25%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 6d345e0...80c63cb.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 20, 2019
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 20, 2019
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 20, 2019
@techknowlogick techknowlogick merged commit 6f2e1bd into go-gitea:master Mar 21, 2019
@techknowlogick
Member

@mrsdizzie thanks for PR 😃 please backport to release/v1.8 branch.

mrsdizzie added a commit to mrsdizzie/gitea that referenced this pull request Mar 21, 2019
redirect_to holds a value that we want to redirect back to after login.
This value can be a path with intentionally escaped values and we
should not unescape it.

Fixes go-gitea#4475
@techknowlogick techknowlogick added the backport/done All backports for this PR have been created label Mar 21, 2019
lafriks pushed a commit that referenced this pull request Mar 21, 2019
redirect_to holds a value that we want to redirect back to after login.
This value can be a path with intentionally escaped values and we
should not unescape it.

Fixes #4475
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Development

Successfully merging this pull request may close these issues: URL encoding lost upon round trip through login