List: cgit
Subject: [PATCH] Encode value and field before calculating cookie digest, the same way secure_value() does
From: thevlad () gmail ! com
Date: 2018-04-12 17:54:31
Message-ID: 20180412175431.33587-1-thevlad () gmail ! com
From: Vlad Safronov <thevlad@gmail.com>
Bugfix: Encode value and field before calculating cookie digest, the same way as secure_value() does, so validating will work correctly on encoded values.
---
filters/simple-authentication.lua | 2 ++
1 file changed, 2 insertions(+)
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index de34d09..b40a819 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -230,6 +230,8 @@ function validate_value(expected_field, cookie)
return nil
end
+ value = url_encode(value)
+ field = url_encode(field)
-- Lua hashes strings, so these comparisons are time invariant.
if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. \
tostring(expiration) .. "|" .. salt, secret) then return nil
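Review bot: the two added lines rebind the function's own `value` and `field` variables rather than encoding into fresh locals, so anything in validate_value that runs after the HMAC check now sees the url-encoded strings instead of the values that were parsed out of the cookie. Since the stated intent is only to make the digest input match what secure_value() signs, prefer `local enc_value = url_encode(value)` and `local enc_field = url_encode(field)` and feed those into `crypto.hmac.digest(...)`, leaving the originals untouched for the caller. It would also help to state in the commit message which characters in a value or field produced the mismatch, and to add a test that round-trips a value containing such a character through secure_value() and validate_value(), so the encoding on both sides cannot drift apart again.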
--
2.17.0
_______________________________________________
CGit mailing list
CGit@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/cgit