routers/user: ensure that decryption of cookie actually suceeds (#7363)

Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean
indicating whether decryption succeeded. That value should be checked
first, to be on the safe side and to avoid relying on the internal
logic of the encryption and decryption black box.
leonklingele 2019-07-06 17:47:09 +02:00 committed by Lunny Xiao
parent 86750325c7
commit 96b66e330b


@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
return false, nil
}
if val, _ := ctx.GetSuperSecureCookie(
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
if val, ok := ctx.GetSuperSecureCookie(
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
return false, nil
}
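Review bot: The new `!ok` case returns `false, nil` exactly like a name mismatch, so a remember-me cookie that fails to decrypt (for instance one that was altered or was issued under an older secret) leaves no trace an operator could alert on. Consider splitting the condition so the decryption failure is recorded before returning, e.g. `if !ok { log.Debug("auto sign-in: remember cookie for %q did not decrypt", u.Name); return false, nil }`, assuming the project logger is imported in this file, and keep `val != u.Name` as its own check. A one-line comment such as `// ok reports whether the cookie decrypted; never trust val without it` would also record why the boolean is tested first. AutoSignIn starts and continues outside the hunk, so whether the stale cookie is cleared on this path cannot be confirmed from here.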