On Thu, Apr 12, 2018 at 08:54:31PM +0300, [email protected] wrote: > From: Vlad Safronov <[email protected]> > > Bugfix: Encode value and field before calculating cookie digest, the same way > as secure_value() does > so validating will work correctly on encoded values.
Missing sign-off (see [1] for what this means). [1] https://elinux.org/Developer_Certificate_Of_Origin However, I don't think this change is correct. secure_value() places the encoded strings into the authstr, which is what validate_value() is reading, so field and value are already URL encoded here. This is why field is url_decode()'d later in this function before comparing with the expected value. > --- > filters/simple-authentication.lua | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/filters/simple-authentication.lua > b/filters/simple-authentication.lua > index de34d09..b40a819 100644 > --- a/filters/simple-authentication.lua > +++ b/filters/simple-authentication.lua > @@ -230,6 +230,8 @@ function validate_value(expected_field, cookie) > return nil > end > > + value = url_encode(value) > + field = url_encode(field) > -- Lua hashes strings, so these comparisons are time invariant. > if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. > tostring(expiration) .. "|" .. salt, secret) then > return nil > -- > 2.17.0 _______________________________________________ CGit mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/cgit
