Update go-macaron/session to latest mast to fix RCE-bug (#5177)

2018-10-25 13:53:39 +02:00 · 2018-10-25 13:53:39 +02:00 · aeb5655c25
commit aeb5655c25
parent 5f938c0c78
3 changed files with 23 additions and 14 deletions
--- a/vendor/github.com/go-macaron/session/session.go
+++ b/vendor/github.com/go-macaron/session/session.go
@ -18,15 +18,17 @@ package session

 import (
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

 	"gopkg.in/macaron.v1"
 )

-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"

 func Version() string {
 	return _VERSION
@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
 	return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
 }

-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
+func (m *Manager) sessionID() string {
 	return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
 }

@ -255,10 +257,10 @@ func (m *Manager) sessionId() string {
 func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 	sid := ctx.GetCookie(m.opt.CookieName)
 	if len(sid) > 0 && m.provider.Exist(sid) {
-		return m.provider.Read(sid)
+		return m.Read(sid)
 	}

-	sid = m.sessionId()
+	sid = m.sessionID()
 	sess, err := m.provider.Read(sid)
 	if err != nil {
 		return nil, err
@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {

 // Read returns raw session store by session ID.
 func (m *Manager) Read(sid string) (RawStore, error) {
+	// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+	// See https://github.com/gogs/gogs/issues/5469
+	if strings.ContainsAny(sid, "./") {
+		return nil, errors.New("invalid 'sid': " + sid)
+	}
+
 	return m.provider.Read(sid)
 }

@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {

 // RegenerateId regenerates a session store from old session ID to new one.
 func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
-	sid := m.sessionId()
+	sid := m.sessionID()
 	oldsid := ctx.GetCookie(m.opt.CookieName)
 	sess, err = m.provider.Regenerate(oldsid, sid)
 	if err != nil {