
Do not display the raw OpenID error in the UI #5705 (Backport v1.7) #5712

Merged

Conversation

zeripath (Contributor)

If there are no WHITELIST_URIS or BLACKLIST_URIS set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix #4973

Signed-off-by: Andrew Thornton [email protected]

* Do not display the raw OpenID error in the UI

If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix go-gitea#4973

Signed-off-by: Andrew Thornton <[email protected]>

* Update auth_openid.go

Place error log within the `err != nil` branch.
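The pattern the PR describes (log the raw OpenID error server-side inside the `err != nil` branch, show the user only a fixed message) as an added Go example. This is not Gitea's code: `verifyFunc`, `constructedVerify`, the `/user/login/openid` route, the `openid_uri` form field, the generic message text and the internal address `10.0.0.5:8080` are all constructed for this illustration. The leaky handler is kept beside the hardened one only to make the difference in what reaches the browser visible.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// verifyFunc stands in for the OpenID discovery/verification call a handler
// makes. It is a hypothetical abstraction for this example, not Gitea's API.
// Its error may embed the URL that was fetched, which is exactly the detail
// that must not reach the browser.
type verifyFunc func(openidURI string) (claimedID string, err error)

// constructedVerify is a constructed failure: the error text carries the
// internal address that the user-supplied OpenID identifier pointed at.
func constructedVerify(openidURI string) (string, error) {
	return "", fmt.Errorf("Get %q: dial tcp 10.0.0.5:8080: connect: connection refused", openidURI)
}

// leakyHandler shows the behaviour the PR removes: err.Error() goes straight
// into the HTTP response. The logger parameter is deliberately unused.
func leakyHandler(_ *log.Logger, verify verifyFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uri := r.FormValue("openid_uri")
		id, err := verify(uri)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "signed in as %s", id)
	}
}

// hardenedHandler applies the PR's approach: the raw error is logged inside
// the err != nil branch and the user sees only a fixed message.
func hardenedHandler(logger *log.Logger, verify verifyFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uri := r.FormValue("openid_uri")
		id, err := verify(uri)
		if err != nil {
			logger.Printf("OpenID verification failed for %q: %v", uri, err)
			http.Error(w, "Unable to verify your OpenID identity.", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "signed in as %s", id)
	}
}

// loginResult captures what the browser would see and what the server logged.
type loginResult struct {
	Status int
	Body   string
	Log    string
}

// simulateLogin posts one OpenID sign-in form to the handler built by build,
// using an in-memory recorder and logger, so nothing touches the network.
func simulateLogin(build func(*log.Logger, verifyFunc) http.HandlerFunc, verify verifyFunc, openidURI string) loginResult {
	var logBuf bytes.Buffer
	logger := log.New(&logBuf, "", 0)
	form := url.Values{"openid_uri": {openidURI}}
	req := httptest.NewRequest(http.MethodPost, "/user/login/openid", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	build(logger, verify).ServeHTTP(rec, req)
	return loginResult{Status: rec.Code, Body: rec.Body.String(), Log: logBuf.String()}
}

func main() {
	const probe = "http://10.0.0.5:8080/" // constructed internal address
	leaky := simulateLogin(leakyHandler, constructedVerify, probe)
	fmt.Printf("leaky    -> %d %q\n", leaky.Status, strings.TrimSpace(leaky.Body))
	hard := simulateLogin(hardenedHandler, constructedVerify, probe)
	fmt.Printf("hardened -> %d %q\n", hard.Status, strings.TrimSpace(hard.Body))
	fmt.Printf("server log: %s", hard.Log)
}
```

Running `main` shows the leaky response echoing the `dial tcp 10.0.0.5:8080` text, while the hardened response carries only the fixed message and the address appears solely in the server log, which is the split the PR makes. The same split applies to any error from an outbound fetch the user can steer; whitelisting or blacklisting the allowed URIs (the `WHITELIST_URIS` / `BLACKLIST_URIS` settings the PR mentions) limits where the fetch can go in the first place.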
@bkcsoft added the lgtm/need 1 label (This PR needs approval from one additional maintainer to be merged.) Jan 13, 2019
@bkcsoft added the lgtm/done label (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed the lgtm/need 1 label Jan 13, 2019
@techknowlogick merged commit e9c4609 into go-gitea:release/v1.7 Jan 13, 2019
@zeripath deleted the issue-4793-ssrf-in-openid branch January 13, 2019 13:18
@zeripath (Contributor, Author)

Thanks @lunny & @techknowlogick

@lafriks added the topic/security label (Something leaks user information or is otherwise vulnerable. Should be fixed!) Jan 13, 2019
@lafriks added this to the 1.7.0 milestone Jan 13, 2019
@go-gitea locked and limited conversation to collaborators Nov 24, 2020