routers/user: ensure that decryption of cookie actually suceeds (#7363)
Previously, only the first return value of ctx.GetSuperSecureCookie was used to check whether decryption of the auth cookie succeeded. ctx.GetSuperSecureCookie also returns a second value, a boolean, indicating success or not. That value should be checked first to be on the safe side and not rely on internal logic of the encryption and decryption blackbox.
This commit is contained in:
parent
86750325c7
commit
96b66e330b
|
@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
|
|||
return false, nil
|
||||
}
|
||||
|
||||
if val, _ := ctx.GetSuperSecureCookie(
|
||||
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
|
||||
if val, ok := ctx.GetSuperSecureCookie(
|
||||
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue