vendor: update github.com/go-macaron/session (#5469)

Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
2018-10-24 09:43:59 -04:00 · 2018-10-24 09:43:59 -04:00 · b93079f1c1
parent a1098384c0
commit b93079f1c1
5 changed files with 20 additions and 10 deletions
--- a/gogs.go
+++ b/gogs.go
@ -16,7 +16,7 @@ import (
 	"github.com/gogs/gogs/pkg/setting"
 )

-const APP_VER = "0.11.68.1023"
+const APP_VER = "0.11.69.1024"

 func init() {
 	setting.AppVer = APP_VER
--- a/templates/.VERSION
+++ b/templates/.VERSION
@ -1 +1 @@
-0.11.68.1023
+0.11.69.1024
--- a/vendor/github.com/go-macaron/session/README.md
+++ b/vendor/github.com/go-macaron/session/README.md
@ -4,6 +4,8 @@ Middleware session provides session management for [Macaron](https://github.com/

 ### Installation

+The minimum requirement of Go is 1.6 (*1.7 if using Redis, 1.8 if using MySQL*).
+
 	go get github.com/go-macaron/session
 	
 ## Getting Help
--- a/vendor/github.com/go-macaron/session/session.go
+++ b/vendor/github.com/go-macaron/session/session.go
@ -18,15 +18,17 @@ package session

 import (
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

 	"gopkg.in/macaron.v1"
 )

-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"

 func Version() string {
 	return _VERSION
@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
 	return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
 }

-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
+func (m *Manager) sessionID() string {
 	return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
 }

@ -258,7 +260,7 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 		return m.provider.Read(sid)
 	}

-	sid = m.sessionId()
+	sid = m.sessionID()
 	sess, err := m.provider.Read(sid)
 	if err != nil {
 		return nil, err
@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {

 // Read returns raw session store by session ID.
 func (m *Manager) Read(sid string) (RawStore, error) {
+	// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+	// See https://github.com/gogs/gogs/issues/5469
+	if strings.ContainsAny(sid, "./") {
+		return nil, errors.New("invalid 'sid': " + sid)
+	}
+
 	return m.provider.Read(sid)
 }

@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {

 // RegenerateId regenerates a session store from old session ID to new one.
 func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
-	sid := m.sessionId()
+	sid := m.sessionID()
 	oldsid := ctx.GetCookie(m.opt.CookieName)
 	sess, err = m.provider.Regenerate(oldsid, sid)
 	if err != nil {
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@ -135,10 +135,10 @@
 			"revisionTime": "2016-06-27T17:00:12Z"
 		},
 		{
-			"checksumSHA1": "gO0dj0NqsmBTkf4D0JzJDtOEx+U=",
+			"checksumSHA1": "DsbAcljMg4dSIIf6N/RJEJY6nTk=",
 			"path": "github.com/go-macaron/session",
-			"revision": "b8e286a0dba8f4999042d6b258daf51b31d08938",
-			"revisionTime": "2017-03-20T17:22:09Z"
+			"revision": "487775536c781f5fd19b36c9421b79ba2b8a119d",
+			"revisionTime": "2018-10-24T13:41:25Z"
 		},
 		{
 			"checksumSHA1": "jVW5CmzplA0UDjai0AFYJFVXAJk=",