mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

fix the auto token leak on auth error page issue permanantly

Browse source
This commit is contained in:
Joey Hess 2012-07-29 12:12:14 -04:00
parent c2f3e66d8c
commit ea05ba893c
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Utility/WebApp.hs
View file

@ -137,7 +137,11 @@ genRandomToken = do
Right (s, _) -> showDigest $ sha512 $ L.fromChunks [s] Right (s, _) -> showDigest $ sha512 $ L.fromChunks [s]
{- A Yesod isAuthorized method, which checks the auth cgi parameter {- A Yesod isAuthorized method, which checks the auth cgi parameter
- against a token extracted from the Yesod application. -} - against a token extracted from the Yesod application.
-
- Note that the usual Yesod error page is bypassed on error, to avoid
- possibly leaking the auth token in urls on that page!
-}
checkAuthToken :: forall t sub. (t -> T.Text) -> GHandler sub t AuthResult checkAuthToken :: forall t sub. (t -> T.Text) -> GHandler sub t AuthResult
checkAuthToken extractToken = do checkAuthToken extractToken = do
webapp <- getYesod webapp <- getYesod
@ -145,7 +149,7 @@ checkAuthToken extractToken = do
let params = reqGetParams req let params = reqGetParams req
if lookup "auth" params == Just (extractToken webapp) if lookup "auth" params == Just (extractToken webapp)
then return Authorized then return Authorized
else return AuthenticationRequired else sendResponseStatus unauthorized401 ()
{- A Yesod joinPath method, which adds an auth cgi parameter to every {- A Yesod joinPath method, which adds an auth cgi parameter to every
- url matching a predicate, containing a token extracted from the - url matching a predicate, containing a token extracted from the