
CSRF token on login #2385

Closed
2 of 7 tasks
daviian opened this issue Aug 24, 2017 · 6 comments
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

daviian (Member) commented Aug 24, 2017

  • Gitea version (or commit ref): f61a1d2
  • Git version: 2.13.3
  • Operating system: Mac OS X
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

After the discussion in #2363 (review) I checked whether login validates the CSRF token, and it does not.
As opinions differ, I want to start a discussion about the necessity of token validation for the login request.

Research led me to https://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks/15350123#15350123, where the guy describes a scenario in which not validating the CSRF token on the login page is used for an attack on data privacy.

What's your opinion on this, guys? IMO I would add token validation for login.
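
To make the gap concrete, here is an added example (not Gitea's code, and not its actual CSRF middleware) of a login handler without token validation beside the same handler wrapped in a double-submit-cookie check. The cookie and field names `_csrf`, the path `/user/login`, the field names `user_name`/`password` and the demo credentials are assumptions made for this example. The unprotected handler accepts a forged cross-site POST carrying valid credentials, which is the login-CSRF scenario from the linked answer; the wrapped one rejects any POST whose form token does not match the token cookie, which a cross-site form cannot read.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Cookie and form field names are assumptions for this example, not Gitea's.
const csrfCookieName = "_csrf"
const csrfFieldName = "_csrf"

// newCSRFToken returns 32 random bytes, hex encoded (64 characters).
func newCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// loginForm serves the login page: it mints a token, stores it in a cookie
// and embeds the same value in a hidden field of the form.
func loginForm(w http.ResponseWriter, r *http.Request) {
	tok, err := newCSRFToken()
	if err != nil {
		http.Error(w, "cannot issue token", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: tok, Path: "/",
		HttpOnly: true, SameSite: http.SameSiteLaxMode})
	fmt.Fprintf(w, `<form method="post" action="/user/login">`+
		`<input type="hidden" name="%s" value="%s">`+
		`<input name="user_name"><input type="password" name="password"></form>`,
		csrfFieldName, tok)
}

// login is the credential check on its own. Used directly it behaves as the
// issue describes: any POST with valid credentials is accepted, wherever it came from.
func login(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	// Constructed demo credentials; a real handler queries the user store.
	if r.PostForm.Get("user_name") != "alice" || r.PostForm.Get("password") != "secret" {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, "logged in")
}

// requireCSRF is the double-submit check: state-changing requests must carry a
// form token equal to the token cookie, compared in constant time.
func requireCSRF(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next(w, r)
			return
		}
		c, err := r.Cookie(csrfCookieName)
		if err != nil || c.Value == "" {
			http.Error(w, "missing CSRF cookie", http.StatusForbidden)
			return
		}
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		got := r.PostForm.Get(csrfFieldName)
		if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// postLogin drives a handler in memory with the given cookie/form token and
// returns the HTTP status, so both variants can be compared without a server.
func postLogin(h http.HandlerFunc, cookieTok, formTok string) int {
	form := url.Values{"user_name": {"alice"}, "password": {"secret"}}
	if formTok != "" {
		form.Set(csrfFieldName, formTok)
	}
	req := httptest.NewRequest(http.MethodPost, "/user/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookieTok != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookieTok})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	tok, _ := newCSRFToken()
	fmt.Println("unprotected, forged POST:", postLogin(login, "", ""))
	fmt.Println("protected, forged POST:", postLogin(requireCSRF(login), "", ""))
	fmt.Println("protected, own form:", postLogin(requireCSRF(login), tok, tok))
}
```

The wrapper is deliberately method-aware so that serving the form itself (a GET) still works, and it treats a missing cookie, a missing field and a mismatched field identically, which keeps the failure mode simple to test and to log. Integration tests that already post a `_csrf` value, as mentioned later in this thread, keep passing under such a check only if the value they send matches the cookie they hold.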

@daviian daviian changed the title CSRF Token on Login CSRF token on login Aug 24, 2017
@lunny lunny added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Aug 25, 2017
daviian (Member, Author) commented Sep 30, 2017

Anyone against a CSRF token on login?
If not, I would create a PR for this.

lunny (Member) commented Oct 7, 2017

@daviian maybe because drone depends on that?

daviian (Member, Author) commented Oct 7, 2017

@lunny Any reason why the drone should depend on that?

lunny (Member) commented Oct 7, 2017

@daviian since Gitea didn't implement an OAuth2 provider. But drone needs to log in with a Gitea user & password.

daviian (Member, Author) commented Oct 7, 2017

@lunny When does the drone need direct login to Gitea, except when running integration tests? And integration tests already send the CSRF token on login, although the token is not validated.

6543 (Member) commented Sep 7, 2020

Gitea has implemented an OAuth2 provider.

@6543 6543 closed this as completed Sep 7, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020