fix (iframe): iframe cookie block rollout

MickaelK 2024-09-06 00:52:26 +10:00
parent a0540eecae
commit 919ee10a81
2 changed files with 30 additions and 25 deletions

Jenkinsfile vendored

@ -27,7 +27,7 @@ pipeline {
sh "npm install"
sh "make build_frontend"
}
docker.image("golang:1.21-bookworm").inside("--user=root") {
docker.image("golang:1.23-bookworm").inside("--user=root") {
// prepare: todo - statically compile plg_image_c so we don't have to do this to pass the e2e tests
sh "sed -i 's|plg_image_c|plg_image_golang|' server/plugin/index.go"
// build
@ -42,7 +42,7 @@ pipeline {
steps {
script {
// smoke test
docker.image("golang:1.21-bookworm").inside("--user=root") {
docker.image("golang:1.23-bookworm").inside("--user=root") {
sh 'timeout 5 ./dist/filestash > access.log || code=$?; if [ $code -ne 124 ]; then exit $code; fi'
sh "cat access.log"
sh "cat access.log | grep -q \"\\[http\\] starting\""
@ -63,7 +63,7 @@ pipeline {
// sh "cd public && npm run test"
}
// test backend
docker.image("golang:1.21-bookworm").inside("--user=root") {
docker.image("golang:1.23-bookworm").inside("--user=root") {
sh "cp ./test/assets/* /tmp/"
sh "go generate ./test/unit_go/..."
sh "go get ./..."


@ -120,6 +120,7 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
if Config.Get("features.protection.iframe").String() != "" {
c.Secure = true
c.SameSite = http.SameSiteNoneMode
c.Partitioned = true
if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false {
Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f)
}
@ -162,10 +163,11 @@ func SessionLogout(ctx *App, res http.ResponseWriter, req *http.Request) {
break
}
http.SetCookie(res, &http.Cookie{
Name: CookieName(index),
Value: "",
MaxAge: -1,
Path: COOKIE_PATH,
Name: CookieName(index),
Value: "",
MaxAge: -1,
Path: COOKIE_PATH,
Partitioned: true,
})
index++
}
@ -288,12 +290,13 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
if req.Method == "GET" && _get.Get("action") == "redirect" {
if label := _get.Get("label"); label != "" {
http.SetCookie(res, &http.Cookie{
Name: SSOCookieName,
Value: label + "::" + _get.Get("state"),
MaxAge: 60 * 10,
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Name: SSOCookieName,
Value: label + "::" + _get.Get("state"),
MaxAge: 60 * 10,
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Partitioned: true,
})
}
if err := plugin.EntryPoint(idpParams, req, res); err != nil {
@ -437,20 +440,22 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
return
}
http.SetCookie(res, &http.Cookie{
Name: COOKIE_NAME_AUTH,
Value: obfuscate,
MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Name: COOKIE_NAME_AUTH,
Value: obfuscate,
MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Partitioned: true,
})
http.SetCookie(res, &http.Cookie{
Name: SSOCookieName,
Value: "",
MaxAge: -1,
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Name: SSOCookieName,
Value: "",
MaxAge: -1,
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Partitioned: true,
})
redirectURI := templateBind["next"]
if redirectURI == "" {
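Review bot: Every Set-Cookie in this section except the first hunk adds `Partitioned: true` to a cookie that is not marked `Secure` (the logout deletion at L54-64, the SSO state cookie at L70-84, and both cookies at L90-119), and Chrome, following the CHIPS draft, discards a Partitioned cookie that lacks the Secure attribute, so as written the auth cookie is never stored, the SSO state cookie is never set, and logout does not clear the session in that browser. The first hunk gets it right by setting Secure, SameSite=None and Partitioned together and only when `features.protection.iframe` is enabled; the other call sites should follow that pattern instead of setting Partitioned unconditionally, since a SameSite=Strict or Lax cookie is not sent from a cross-site frame anyway and partitioning it buys nothing outside the iframe case. For logout note also that the partition key is part of a cookie's identity, so a partitioned deletion will not clear a cookie that was set unpartitioned while iframe was off; the deletion should carry the same attributes the cookie was originally set with. SessionAuthMiddleware begins before and continues after the last hunk; the sketch below covers the auth-cookie site only, and the SSO cookie sites want the same guard.
```go
c := &http.Cookie{
	Name:     COOKIE_NAME_AUTH,
	Value:    obfuscate,
	MaxAge:   60 * Config.Get("general.cookie_timeout").Int(),
	Path:     COOKIE_PATH,
	HttpOnly: true,
	SameSite: http.SameSiteStrictMode,
}
if Config.Get("features.protection.iframe").String() != "" {
	// Partitioned is only honoured alongside Secure, and only a
	// SameSite=None cookie is sent from a cross-site frame.
	c.Secure = true
	c.SameSite = http.SameSiteNoneMode
	c.Partitioned = true
}
http.SetCookie(res, c)
// … unchanged: SSO cookie deletion and redirect handling …
```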