From: Vlad Safronov <[email protected]>
Bugfix: Encode value and field before calculating cookie digest, the same way
as secure_value() does
so validating will work correctly on encoded values.
---
filters/simple-authentication.lua | 2 ++
1 file changed, 2 insertions(+)
diff --git a/filters/simple-authentication.lua
b/filters/simple-authentication.lua
index de34d09..b40a819 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -230,6 +230,8 @@ function validate_value(expected_field, cookie)
return nil
end
+ value = url_encode(value)
+ field = url_encode(field)
-- Lua hashes strings, so these comparisons are time invariant.
if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" ..
tostring(expiration) .. "|" .. salt, secret) then
return nil
--
2.17.0
_______________________________________________
CGit mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/cgit
