[Security] Stored XSS. Account Takeover possilble. #4703

ghost · 2018-08-14T14:32:01Z

Gitea version (or commit ref): any version with external issue tracker
Git version: not relevant
Operating system: not relevant
Database (use [x]):
- PostgreSQL
- MySQL
- MSSQL
- SQLite
Can you reproduce the bug at https://try.gitea.io:
- Yes (provide example URL)
- No
- Not relevant
Log gist:

Description

The text was updated successfully, but these errors were encountered:

techknowlogick · 2018-08-14T14:38:29Z

Thoughts from top of my head, we could use net/url and validate that external issue tracker is a valid URL and the protocol of URL is http/https.

May have time in several hours to look into where to add this into code.

Thanks for report 😄

lafriks · 2018-08-15T22:57:38Z

@cezar97 thanks for report ;)

lafriks · 2018-08-19T21:20:57Z

I don't think that's worth the work as chances of that are quite minimal and I would not like to automatically remove or mess up someone's setttings

techknowlogick added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Aug 14, 2018

SagePtr mentioned this issue Aug 14, 2018

Make cookies HttpOnly and obey COOKIE_SECURE flag #4706

Merged

lafriks mentioned this issue Aug 14, 2018

Improve URL validation for external wiki and external issues #4710

Merged

lafriks added this to the 1.5.1 milestone Aug 14, 2018

lafriks closed this as completed in #4710 Aug 15, 2018

beeonthego mentioned this issue Aug 26, 2018

Proposal: limit api routes to access by token/basic auth only #4794

Closed

go-gitea locked and limited conversation to collaborators Nov 24, 2020