routers/user: ensure that decryption of cookie actually suceeds (#7363)

leonklingele · lunny · commit 96b66e330b9a · 2019-07-06T23:47:09.000+08:00
Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.
diff --git a/routers/user/auth.go b/routers/user/auth.go
@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, nil
 	}
 
-	if val, _ := ctx.GetSuperSecureCookie(
-		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+	if val, ok := ctx.GetSuperSecureCookie(
+		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
 		return false, nil
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {`
`71`	`71`	`return false, nil`
`72`	`72`	`}`
`73`	`73`
`74`		`- if val, _ := ctx.GetSuperSecureCookie(`
`75`		`- base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {`
	`74`	`+ if val, ok := ctx.GetSuperSecureCookie(`
	`75`	`+ base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok \|\| val != u.Name {`
`76`	`76`	`return false, nil`
`77`	`77`	`}`
`78`	`78`