fix (iframe): iframe cookie block rollout

MickaelK 2024-09-06 00:52:26 +10:00
parent a0540eecae
commit 919ee10a81
2 changed files with 30 additions and 25 deletions

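--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -27,7 +27,7 @@ pipeline {
 sh "npm install"
 sh "make build_frontend"
 }
-docker.image("golang:1.21-bookworm").inside("--user=root") {
+docker.image("golang:1.23-bookworm").inside("--user=root") {
 // prepare: todo - statically compile plg_image_c so we don't have to do this to pass the e2e tests
 sh "sed -i 's|plg_image_c|plg_image_golang|' server/plugin/index.go"
 // build
@@ -42,7 +42,7 @@ pipeline {
 steps {
 script {
 // smoke test
-docker.image("golang:1.21-bookworm").inside("--user=root") {
+docker.image("golang:1.23-bookworm").inside("--user=root") {
 sh 'timeout 5 ./dist/filestash > access.log || code=$?; if [ $code -ne 124 ]; then exit $code; fi'
 sh "cat access.log"
 sh "cat access.log | grep -q \"\\[http\\] starting\""
@@ -63,7 +63,7 @@ pipeline {
 // sh "cd public && npm run test"
 }
 // test backend
-docker.image("golang:1.21-bookworm").inside("--user=root") {
+docker.image("golang:1.23-bookworm").inside("--user=root") {
 sh "cp ./test/assets/* /tmp/"
 sh "go generate ./test/unit_go/..."
 sh "go get ./..."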


@ -120,6 +120,7 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
if Config.Get("features.protection.iframe").String() != "" { if Config.Get("features.protection.iframe").String() != "" {
c.Secure = true c.Secure = true
c.SameSite = http.SameSiteNoneMode c.SameSite = http.SameSiteNoneMode
c.Partitioned = true
if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false { if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false {
Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f) Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f)
} }
@ -162,10 +163,11 @@ func SessionLogout(ctx *App, res http.ResponseWriter, req *http.Request) {
break break
} }
http.SetCookie(res, &http.Cookie{ http.SetCookie(res, &http.Cookie{
Name: CookieName(index), Name: CookieName(index),
Value: "", Value: "",
MaxAge: -1, MaxAge: -1,
Path: COOKIE_PATH, Path: COOKIE_PATH,
Partitioned: true,
}) })
index++ index++
} }
@ -288,12 +290,13 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
if req.Method == "GET" && _get.Get("action") == "redirect" { if req.Method == "GET" && _get.Get("action") == "redirect" {
if label := _get.Get("label"); label != "" { if label := _get.Get("label"); label != "" {
http.SetCookie(res, &http.Cookie{ http.SetCookie(res, &http.Cookie{
Name: SSOCookieName, Name: SSOCookieName,
Value: label + "::" + _get.Get("state"), Value: label + "::" + _get.Get("state"),
MaxAge: 60 * 10, MaxAge: 60 * 10,
Path: COOKIE_PATH, Path: COOKIE_PATH,
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteLaxMode, SameSite: http.SameSiteLaxMode,
Partitioned: true,
}) })
} }
if err := plugin.EntryPoint(idpParams, req, res); err != nil { if err := plugin.EntryPoint(idpParams, req, res); err != nil {
@ -437,20 +440,22 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
return return
} }
http.SetCookie(res, &http.Cookie{ http.SetCookie(res, &http.Cookie{
Name: COOKIE_NAME_AUTH, Name: COOKIE_NAME_AUTH,
Value: obfuscate, Value: obfuscate,
MaxAge: 60 * Config.Get("general.cookie_timeout").Int(), MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
Path: COOKIE_PATH, Path: COOKIE_PATH,
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteStrictMode, SameSite: http.SameSiteStrictMode,
Partitioned: true,
}) })
http.SetCookie(res, &http.Cookie{ http.SetCookie(res, &http.Cookie{
Name: SSOCookieName, Name: SSOCookieName,
Value: "", Value: "",
MaxAge: -1, MaxAge: -1,
Path: COOKIE_PATH, Path: COOKIE_PATH,
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteLaxMode, SameSite: http.SameSiteLaxMode,
Partitioned: true,
}) })
redirectURI := templateBind["next"] redirectURI := templateBind["next"]
if redirectURI == "" { if redirectURI == "" {
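Review bot: The `Partitioned: true` added to the cookie literals in SessionLogout (hunk -162) and in both SessionAuthMiddleware hunks (-288 and -437) is not paired with `Secure: true`, and the CHIPS specification only permits the Partitioned attribute on Secure cookies, so browsers that implement it reject such a Set-Cookie header outright — the COOKIE_NAME_AUTH cookie written after the `obfuscate` value would then not be stored, and the CookieName(index) clear in SessionLogout would not take effect. As far as I recall net/http's Cookie.Valid reports this combination, but SetCookie never calls Valid, so nothing on the server side catches it. Because a Secure cookie is in turn not stored over plain http://, the safer fix is to mirror the guard SessionAuthenticate already uses in the first hunk (`Config.Get("features.protection.iframe").String() != ""`) and toggle both attributes together, e.g. `iframe := Config.Get("features.protection.iframe").String() != ""` once, then `Secure: iframe, Partitioned: iframe,` in each of the four cookie literals. For the auth cookie that keeps `SameSite: http.SameSiteStrictMode`, a cookie expected to be usable from a cross-site iframe would presumably also need the SameSite=None treatment SessionAuthenticate applies — confirm whether that cookie is meant to be sent from the embedded context at all. The enclosing functions SessionLogout and SessionAuthMiddleware start outside these hunks.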