From aeb5655c25053bdcd7eee94ea37df88468374162 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kim=20=22BKC=22=20Carlb=C3=A4cker?= Date: Thu, 25 Oct 2018 13:53:39 +0200 Subject: [PATCH] Update go-macaron/session to latest mast to fix RCE-bug (#5177) --- Gopkg.lock | 5 +++-- vendor/github.com/go-macaron/session/file.go | 12 +++++------ .../github.com/go-macaron/session/session.go | 20 +++++++++++++------ 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index 82df421545..d084ae1188 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -342,14 +342,15 @@ revision = "d8a0b8677191f4380287cfebd08e462217bac7ad" [[projects]] - digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702" + branch = "master" + digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc" name = "github.com/go-macaron/session" packages = [ ".", "redis", ] pruneopts = "NUT" - revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b" + revision = "330e4e4d8beb7b00111ac34539561f46f94c4458" [[projects]] digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c" diff --git a/vendor/github.com/go-macaron/session/file.go b/vendor/github.com/go-macaron/session/file.go index 438269ea84..9bbc7aed20 100644 --- a/vendor/github.com/go-macaron/session/file.go +++ b/vendor/github.com/go-macaron/session/file.go @@ -86,7 +86,7 @@ func (s *FileStore) Release() error { return err } - return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm) + return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600) } // Flush deletes all session data. @@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string { // Read returns raw session store by session ID. func (p *FileProvider) Read(sid string) (_ RawStore, err error) { filename := p.filepath(sid) - if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { + if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { return nil, err } p.lock.RLock() @@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) { var f *os.File if com.IsFile(filename) { - f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm) + f, err = os.OpenFile(filename, os.O_RDONLY, 0600) } else { f, err = os.Create(filename) } @@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) { if err != nil { return err } - if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil { + if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil { return err } - if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil { + if err = ioutil.WriteFile(oldname, data, 0600); err != nil { return err } } - if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil { + if err = os.MkdirAll(path.Dir(filename), 0700); err != nil { return err } if err = os.Rename(oldname, filename); err != nil { diff --git a/vendor/github.com/go-macaron/session/session.go b/vendor/github.com/go-macaron/session/session.go index 7e7b833c55..d9bbae2032 100644 --- a/vendor/github.com/go-macaron/session/session.go +++ b/vendor/github.com/go-macaron/session/session.go @@ -18,15 +18,17 @@ package session import ( "encoding/hex" + "errors" "fmt" "net/http" "net/url" + "strings" "time" "gopkg.in/macaron.v1" ) -const _VERSION = "0.3.0" +const _VERSION = "0.4.0" func Version() string { return _VERSION @@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) { return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig) } -// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function. -func (m *Manager) sessionId() string { +// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function. +func (m *Manager) sessionID() string { return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2)) } @@ -255,10 +257,10 @@ func (m *Manager) sessionId() string { func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { sid := ctx.GetCookie(m.opt.CookieName) if len(sid) > 0 && m.provider.Exist(sid) { - return m.provider.Read(sid) + return m.Read(sid) } - sid = m.sessionId() + sid = m.sessionID() sess, err := m.provider.Read(sid) if err != nil { return nil, err @@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) { // Read returns raw session store by session ID. func (m *Manager) Read(sid string) (RawStore, error) { + // No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug. + // See https://github.com/gogs/gogs/issues/5469 + if strings.ContainsAny(sid, "./") { + return nil, errors.New("invalid 'sid': " + sid) + } + return m.provider.Read(sid) } @@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error { // RegenerateId regenerates a session store from old session ID to new one. func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) { - sid := m.sessionId() + sid := m.sessionID() oldsid := ctx.GetCookie(m.opt.CookieName) sess, err = m.provider.Regenerate(oldsid, sid) if err != nil {