Skip to content

Prevent security failure due to bad APP_ID (#18678) #18682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
6543 merged 2 commits into from
Feb 10, 2022
Merged

Prevent security failure due to bad APP_ID (#18678) #18682

6543 merged 2 commits into from
Feb 10, 2022

Conversation

@zeripath
Copy link
Contributor

@zeripath zeripath commented Feb 9, 2022

Backport #18678

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton [email protected]

@zeripath @lunny
Prevent security failure due to bad APP_ID (go-gitea#18678)
63004e4 
Backport go-gitea#18678

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: Lunny Xiao <[email protected]>
@zeripath zeripath added this to the 1.16.2 milestone Feb 9, 2022
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Feb 9, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 10, 2022
@6543
Copy link
Member

6543 commented Feb 10, 2022

🚀

@6543 6543 merged commit 2e317d3 into go-gitea:release/v1.16 Feb 10, 2022
@zeripath zeripath deleted the backport-18678-v1.16 branch February 10, 2022 17:19
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@silverwind silverwind silverwind approved these changes

+1 more reviewer

@Gusted Gusted Gusted approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Projects

None yet

Milestone

1.16.2

Development

Successfully merging this pull request may close these issues.

6 participants

@zeripath @6543 @silverwind @Gusted @GiteaBot @lunny