From 96b66e330b9a592093799a50219c8118de6951eb Mon Sep 17 00:00:00 2001
From: leonklingele <5585491+leonklingele@users.noreply.github.com>
Date: Sat, 6 Jul 2019 17:47:09 +0200
Subject: [PATCH] routers/user: ensure that decryption of cookie actually suceeds (#7363)

Previously, only the first return value of ctx.GetSuperSecureCookie was used to check whether decryption of the auth cookie succeeded. ctx.GetSuperSecureCookie also returns a second value, a boolean, indicating success or not. That value should be checked first to be on the safe side and not rely on internal logic of the encryption and decryption blackbox.
---
 routers/user/auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routers/user/auth.go b/routers/user/auth.go
index 0731e3467..576f63057 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 return false, nil
 }
- if val, _ := ctx.GetSuperSecureCookie(
- base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+ if val, ok := ctx.GetSuperSecureCookie(
+ base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
 return false, nil
 }
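Review bot: A failed decryption (`!ok`) and a plain name mismatch now share the same silent `return false, nil` path in the added `if`, so a remember-me cookie that is stale or fails authenticated decryption leaves no trace for an operator; consider emitting a debug/trace-level message through the file's logger in the `!ok` case before returning, so repeated failures on an account become observable (the logger in use is outside this hunk, so the exact call is not visible here). The two-line `if` initializer also buries the new condition; hoisting it reads more clearly: `val, ok := ctx.GetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName)` followed by `if !ok || val != u.Name {`. A one-line why-comment above it would help the next reader, e.g. `// ok is false when the cookie is absent or does not decrypt; val must not be trusted then.` AutoSignIn begins before this hunk and its body continues after it.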