Lang cookie missing secure/httpOnly attributes #9690
Comments
lunny
added
the
topic/security
|
I think it all boils down to the i18n module for macaron-go : https://github.com/go-macaron/i18n/blob/5a5348d12f10480196f7376cf48de94fa93eb236/i18n.go#L202 |
|
My bad, I just saw that i18n in Gitea is a fork. Anyway, the changes I tried to introduce in go-macaron/i18n#11 works on the i18n version of Gitea. This was tested on a Docker build with latest sources.
|
|
@rodolpheh thanks for your work! Looks like the changes also have been pulled into the i18n Gitea fork in the meantime. Is there any option which allows to enable this or is currently the only way to enable/test this to manually change the settings which are off by default in i18n.go before compiling Gitea? |
|
Sorry I have a terrible memory and barely remembered doing that 😄 . Unfortunately it seems that I haven't pushed any changes that would allow setting those in Gitea. I had to dig a little before finding what I had changed in Gitea to make it work. Please find attached a patch file until a proper push is made on Gitea. I pulled the latest sources to make sure this works so hopefully it should work for you. After applying this patch, the Secure and HttpOnly flags should be added if you had COOKIE_SECURE and CSRF_COOKIE_HTTP_ONLY set to true in your app settings. |
|
@rodolpheh Thanks for the hint, I couldn't apply your patch, probably because I build from source so I had no Based on your patch I went with this: gitea-1.13.1-lang-cookie.txt. Not sure if it's ready for a PR like it is, but it appears to do the trick:
|
* master: (252 commits) Issues overview should not show issues from archived repos (go-gitea#13220) Display SVG files as images instead of text (go-gitea#14101) [skip ci] Updated translations via Crowdin Update docs to clarify issues raised in go-gitea#14272 (go-gitea#14318) [skip ci] Updated translations via Crowdin [Refactor] Passwort Hash/Set (go-gitea#14282) Add option to change username to the admin panel (go-gitea#14229) fix mailIssueCommentBatch for pull request (go-gitea#14252) Remove self from MAINTAINERS (go-gitea#14286) Do not reload page after adding comments in Pull Request reviews (go-gitea#13877) Fix session bug when introduce chi (go-gitea#14287) [skip ci] Updated translations via Crowdin Add secure/httpOnly attributes to the lang cookie (go-gitea#9690) (go-gitea#14279) Some code improvements (go-gitea#14266) [skip ci] Updated translations via Crowdin Fix wrong type on hooktask to convert typ from char(16) to varchar(16) (go-gitea#14148) Upgrade XORM links in documentation. (go-gitea#14265) Check permission for the appropriate unit type (go-gitea#14261) Add compliance check for windows to ensure cross platform build (go-gitea#14260) [skip ci] Updated translations via Crowdin ...
Description
I've configured my Gitea instance with
CSRF_COOKIE_HTTP_ONLYandCOOKIE_SECURE:which works fine, except for the lang cookie that doesn't seem to respect that setting:
resulting in a security scanner complaining about the cookie missing the
secureandhttpOnlyattributes.The text was updated successfully, but these errors were encountered: