Fix api uses in the web ui #5249
Comments
@kolaente a malicious user wouldn't need the cookie to be able to post to the API. They could create a Option 2 would be better than 1 because the CSRF is shortlived and autogenerated, and an API token is long living, so I believe 2 is cleaner.
OK The list above appears to map to the following URLs:
Looking at the code, and following some rudimentary testing I'm not convinced that the GET URLs are affected.
@zeripath The issue search does not work when on a private repo, user search shouldn't work either, neither should topic search.
I would prefer to stick to current behaviour to not use API for UI
@lafriks I'm not sure I understand.
I meant that we should create routes that would be called for getting data for UI and not call API routes
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
This issue has been automatically closed because of inactivity. You can re-open it if needed.
#4840 introduced some significant changes to the way the authentication for the API works. It broke some things where the web UI called the API, namely:
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L1459
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L1486
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2087
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2507
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2594
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2630
We have two possibilities to solve this:
IMHO the first solution would be cleaner because if an attacker has a cookie he/she could easily use that to get a new API request token via the web UI, rendering the whole double-check useless. So we could save the hassle of implementing the double check with cookie/CSRF token and use the mechanism which is already there.
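The cookie/CSRF double check discussed in this issue, as an added Go example that is not Gitea's code: an API request authenticates either with a long-lived API token in the Authorization header, or with the session cookie paired with the per-session CSRF token, so a cross-site request that carries only the cookie is refused. The cookie name, header names, "token <value>" format and the sample credentials are assumptions for the example, not Gitea's actual values.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample state; a real server issues these per user and per session.
var apiTokens = map[string]string{"tok-alice-longlived": "alice"}
var sessions = map[string]struct{ user, csrf string }{"sess-alice": {"alice", "csrf-alice"}}

// Authenticate returns the user behind an API request, accepting either an API token
// (assumed "token <v>" Authorization format) or session cookie plus matching CSRF token.
func Authenticate(r *http.Request) (user string, ok bool) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "token ") {
		// Browsers never add this header by themselves, so a valid token alone suffices.
		user, ok = apiTokens[strings.TrimPrefix(h, "token ")]
		return user, ok
	}
	var sid string
	if c, err := r.Cookie("session_id"); err == nil { // assumed cookie name
		sid = c.Value
	}
	s, ok := sessions[sid]
	// Cookies ARE sent on cross-site requests, so state-changing methods must also
	// carry the CSRF token, which only same-origin page script can read and echo.
	got := []byte(r.Header.Get("X-Csrf-Token")) // assumed header name
	if !ok || (r.Method != "GET" && r.Method != "HEAD" && subtle.ConstantTimeCompare(got, []byte(s.csrf)) != 1) {
		return "", false
	}
	return s.user, true
}

// NewRequest builds a sample API request; "" means absent, token is the full Authorization value.
func NewRequest(method, cookie, csrf, token string) *http.Request {
	r := httptest.NewRequest(method, "/api/v1/repos/search", nil)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "session_id", Value: cookie})
	}
	r.Header.Set("X-Csrf-Token", csrf)
	r.Header.Set("Authorization", token)
	return r
}

func main() {
	_, ok := Authenticate(NewRequest("POST", "sess-alice", "", ""))
	println("cookie without CSRF token accepted:", ok) // false
}
```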